| Vulnerabilities | Dependencies | Source | Target OS |
|---|---|---|---|
| 10 via 10 paths | 114 | Docker | amzn:2 |
high severity
new
- Vulnerable module: glibc
- Introduced through: glibc@2.26-63.amzn2.0.1
- Fixed in: 0:2.26-64.amzn2.0.1
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › glibc@2.26-63.amzn2.0.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Remediation
Upgrade Amazon-Linux:2 glibc to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
- http://www.openwall.com/lists/oss-security/2024/04/24/2
- http://www.openwall.com/lists/oss-security/2024/04/17/9
- http://www.openwall.com/lists/oss-security/2024/04/18/4
high severity
new
- Vulnerable module: glibc-common
- Introduced through: glibc-common@2.26-63.amzn2.0.1
- Fixed in: 0:2.26-64.amzn2.0.1
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › glibc-common@2.26-63.amzn2.0.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Remediation
Upgrade Amazon-Linux:2 glibc-common to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
- http://www.openwall.com/lists/oss-security/2024/04/24/2
- http://www.openwall.com/lists/oss-security/2024/04/17/9
- http://www.openwall.com/lists/oss-security/2024/04/18/4
high severity
new
- Vulnerable module: glibc-langpack-en
- Introduced through: glibc-langpack-en@2.26-63.amzn2.0.1
- Fixed in: 0:2.26-64.amzn2.0.1
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › glibc-langpack-en@2.26-63.amzn2.0.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Remediation
Upgrade Amazon-Linux:2 glibc-langpack-en to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
- http://www.openwall.com/lists/oss-security/2024/04/24/2
- http://www.openwall.com/lists/oss-security/2024/04/17/9
- http://www.openwall.com/lists/oss-security/2024/04/18/4
high severity
new
- Vulnerable module: glibc-minimal-langpack
- Introduced through: glibc-minimal-langpack@2.26-63.amzn2.0.1
- Fixed in: 0:2.26-64.amzn2.0.1
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › glibc-minimal-langpack@2.26-63.amzn2.0.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Remediation
Upgrade Amazon-Linux:2 glibc-minimal-langpack to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
- http://www.openwall.com/lists/oss-security/2024/04/24/2
- http://www.openwall.com/lists/oss-security/2024/04/17/9
- http://www.openwall.com/lists/oss-security/2024/04/18/4
high severity
new
- Vulnerable module: libcrypt
- Introduced through: libcrypt@2.26-63.amzn2.0.1
- Fixed in: 0:2.26-64.amzn2.0.1
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › libcrypt@2.26-63.amzn2.0.1
NVD Description
Note: Versions mentioned in the description apply only to the upstream libcrypt package and not the libcrypt package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Remediation
Upgrade Amazon-Linux:2 libcrypt to version 0:2.26-64.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2521.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
- http://www.openwall.com/lists/oss-security/2024/04/24/2
- http://www.openwall.com/lists/oss-security/2024/04/17/9
- http://www.openwall.com/lists/oss-security/2024/04/18/4
high severity
new
- Vulnerable module: libnghttp2
- Introduced through: libnghttp2@1.41.0-1.amzn2.0.4
- Fixed in: 0:1.41.0-1.amzn2.0.5
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › libnghttp2@1.41.0-1.amzn2.0.4
NVD Description
Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
Remediation
Upgrade Amazon-Linux:2 libnghttp2 to version 0:1.41.0-1.amzn2.0.5 or higher.
This issue was patched in ALAS2-2024-2523.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28182
- https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
- https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
- https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/
- https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
- http://www.openwall.com/lists/oss-security/2024/04/03/16
medium severity
new
- Vulnerable module: curl
- Introduced through: curl@8.3.0-1.amzn2.0.6
- Fixed in: 0:8.3.0-1.amzn2.0.7
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › curl@8.3.0-1.amzn2.0.6
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
Remediation
Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398
- https://curl.se/docs/CVE-2024-2398.html
- https://curl.se/docs/CVE-2024-2398.json
- https://hackerone.com/reports/2402845
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
- http://www.openwall.com/lists/oss-security/2024/03/27/3
medium severity
new
- Vulnerable module: libcurl
- Introduced through: libcurl@8.3.0-1.amzn2.0.6
- Fixed in: 0:8.3.0-1.amzn2.0.7
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › libcurl@8.3.0-1.amzn2.0.6
NVD Description
Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
Remediation
Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398
- https://curl.se/docs/CVE-2024-2398.html
- https://curl.se/docs/CVE-2024-2398.json
- https://hackerone.com/reports/2402845
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
- http://www.openwall.com/lists/oss-security/2024/03/27/3
medium severity
new
- Vulnerable module: curl
- Introduced through: curl@8.3.0-1.amzn2.0.6
- Fixed in: 0:8.3.0-1.amzn2.0.7
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › curl@8.3.0-1.amzn2.0.6
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
When a protocol selection parameter option disables all protocols without adding any, the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The command below would perform a request to curl.se with a plaintext protocol that has been explicitly disabled: `curl --proto -all,-http http://curl.se`. The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be a low severity bug.
Remediation
Upgrade Amazon-Linux:2 curl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2004
- https://curl.se/docs/CVE-2024-2004.html
- https://curl.se/docs/CVE-2024-2004.json
- https://hackerone.com/reports/2384833
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
- http://www.openwall.com/lists/oss-security/2024/03/27/1
medium severity
new
- Vulnerable module: libcurl
- Introduced through: libcurl@8.3.0-1.amzn2.0.6
- Fixed in: 0:8.3.0-1.amzn2.0.7
Detailed paths
- Introduced through: amazoncorretto@11-al2-jdk › libcurl@8.3.0-1.amzn2.0.6
NVD Description
Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.
When a protocol selection parameter option disables all protocols without adding any, the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The command below would perform a request to curl.se with a plaintext protocol that has been explicitly disabled: `curl --proto -all,-http http://curl.se`. The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be a low severity bug.
Remediation
Upgrade Amazon-Linux:2 libcurl to version 0:8.3.0-1.amzn2.0.7 or higher.
This issue was patched in ALAS2-2024-2526.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2004
- https://curl.se/docs/CVE-2024-2004.html
- https://curl.se/docs/CVE-2024-2004.json
- https://hackerone.com/reports/2384833
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
- http://www.openwall.com/lists/oss-security/2024/03/27/1