Docker amazonlinux:2.0.20180622.1

Vulnerabilities

130 via 130 paths

Dependencies

105

Source

Docker

Target OS

amzn:2
Severity
  • 30
  • 87
  • 13
Status
  • 130
  • 0
  • 0

high severity

ALAS2-2019-1175

  • Vulnerable module: filesystem
  • Introduced through: filesystem@3.2-21.amzn2
  • Fixed in: 3.2-25.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* filesystem@3.2-21.amzn2

Overview

None

References

high severity

ALAS2-2019-1190

  • Vulnerable module: filesystem
  • Introduced through: filesystem@3.2-21.amzn2
  • Fixed in: 3.2-25.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* filesystem@3.2-21.amzn2

Overview

None

References

high severity
new

ALAS2-2021-1599

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1599. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade glibc to version 2.26-40.amzn2 or higher.

References

high severity
new

ALAS2-2021-1605

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1605. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6096 (1820331: glibc: signed comparison vulnerability in the ARMv7 memcpy function): A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution.
  • CVE-2020-29562 (1905217: glibc: assertion failure in iconv when converting invalid UCS4): A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2016-10228 (1428290: glibc: iconv program can hang when invoked with the -c option): The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade glibc to version 2.26-41.amzn2 or higher.

References

high severity
new

ALAS2-2021-1599

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1599. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade glibc-common to version 2.26-40.amzn2 or higher.

References

high severity
new

ALAS2-2021-1605

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1605. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6096 (1820331: glibc: signed comparison vulnerability in the ARMv7 memcpy function): A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution.
  • CVE-2020-29562 (1905217: glibc: assertion failure in iconv when converting invalid UCS4): A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2016-10228 (1428290: glibc: iconv program can hang when invoked with the -c option): The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade glibc-common to version 2.26-41.amzn2 or higher.

References

high severity
new

ALAS2-2021-1599

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1599. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade glibc-langpack-en to version 2.26-40.amzn2 or higher.

References

high severity
new

ALAS2-2021-1605

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1605. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6096 (1820331: glibc: signed comparison vulnerability in the ARMv7 memcpy function): A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution.
  • CVE-2020-29562 (1905217: glibc: assertion failure in iconv when converting invalid UCS4): A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2016-10228 (1428290: glibc: iconv program can hang when invoked with the -c option): The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade glibc-langpack-en to version 2.26-41.amzn2 or higher.

References

high severity
new

ALAS2-2021-1599

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1599. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade glibc-minimal-langpack to version 2.26-40.amzn2 or higher.

References

high severity
new

ALAS2-2021-1605

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1605. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6096 (1820331: glibc: signed comparison vulnerability in the ARMv7 memcpy function): A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution.
  • CVE-2020-29562 (1905217: glibc: assertion failure in iconv when converting invalid UCS4): A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2016-10228 (1428290: glibc: iconv program can hang when invoked with the -c option): The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade glibc-minimal-langpack to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2018-1045

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.0.22-4.amzn2
  • Fixed in: 2.0.22-5.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* gnupg2@2.0.22-4.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-12020 (1589620: gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification): A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging, which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output.

References

high severity
new

ALAS2-2021-1599

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-40.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1599. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade libcrypt to version 2.26-40.amzn2 or higher.

References

high severity
new

ALAS2-2021-1605

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-41.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1605. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6096 (1820331: glibc: signed comparison vulnerability in the ARMv7 memcpy function): A signed comparison vulnerability was found in GNU libc in the ARMv7 implementation of memcpy(). The flaw affects the third argument to memcpy() that specifies the number of bytes to copy. An underflow on the third argument could lead to undefined behavior such as out-of-bounds memory write and potentially remote code execution.
  • CVE-2020-29562 (1905217: glibc: assertion failure in iconv when converting invalid UCS4): A denial of service flaw was found in the way glibc's iconv function handled UCS4 text containing an irreversible character. This flaw causes an application compiled with glibc and using the vulnerable function to terminate with an assertion, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
  • CVE-2019-25013 (1912960: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding): A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
  • CVE-2016-10228 (1428290: glibc: iconv program can hang when invoked with the -c option): The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.

Remediation

Upgrade libcrypt to version 2.26-41.amzn2 or higher.

References

high severity

ALAS2-2019-1298

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.31.1-1.amzn2
  • Fixed in: 1.39.2-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libnghttp2@1.31.1-1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-9513 (1735741: HTTP/2: flood using PRIORITY frames results in excessive resource consumption): Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
  • CVE-2019-9511 (1741860: HTTP/2: large amount of data requests leads to denial of service): Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

References

high severity

ALAS2-2020-1445

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.31.1-1.amzn2
  • Fixed in: 1.41.0-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libnghttp2@1.31.1-1.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1445. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-11080 (1844929: nghttp2: overly large SETTINGS frames can lead to DoS): In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.

Remediation

Upgrade libnghttp2 to version 1.41.0-1.amzn2 or higher.

References

high severity

ALAS2-2019-1199

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.amzn2.1
  • Fixed in: 1.4.3-12.amzn2.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libssh2@1.4.3-10.amzn2.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-3863 (1687313: libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes): A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard-interactive response messages whose total length is greater than the maximum value of an unsigned char. This value is used as an index to copy memory, causing an out-of-bounds memory write error.
  • CVE-2019-3857 (1687305: libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write): An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
  • CVE-2019-3856 (1687304: libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write): An integer overflow flaw, which could lead to an out-of-bounds write, was discovered in libssh2 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
  • CVE-2019-3855 (1687303: libssh2: Integer overflow in transport read resulting in out of bounds write): An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.

References

high severity

ALAS2-2020-1466

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3
  • Fixed in: 2.9.1-6.amzn2.4.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libxml2@2.9.1-6.amzn2.3

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1466. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-14567 (1619875: libxml2: Infinite loop caused by incorrect error detection during LZMA decompression): libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
  • CVE-2018-14404 (1595985: libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c): A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
  • CVE-2017-18258 (1566749: libxml2: Unrestricted memory usage in xz_head() function in xzlib.c): The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
  • CVE-2017-15412 (1523128: libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c): Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2016-5131 (1358641: libxml2: Use after free triggered by XPointer paths beginning with range-to): Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
  • CVE-2015-8035 (1277146: libxml2: DoS caused by incorrect error detection during XZ decompression): The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Remediation

Upgrade libxml2 to version 2.9.1-6.amzn2.4.1 or higher.

References

high severity

ALAS2-2020-1384

  • Vulnerable module: nss
  • Introduced through: nss@3.28.4-15.1.amzn2
  • Fixed in: 3.44.0-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-11745 (99999: nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate): A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.
  • CVE-2019-11729 (99999: nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault): Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

high severity

ALAS2-2020-1384

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.28.4-15.1.amzn2
  • Fixed in: 3.44.0-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-sysinit@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-11745 (99999: nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate): A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.
  • CVE-2019-11729 (99999: nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault): Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

high severity

ALAS2-2020-1384

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.28.4-15.1.amzn2
  • Fixed in: 3.44.0-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-tools@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-11745 (99999: nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate): A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.
  • CVE-2019-11729 (99999: nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault): Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

high severity

ALAS2-2020-1406

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-1563 (1752100: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey): In situations where an attacker receives automated notification of the success or failure of a decryption attempt, an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
  • CVE-2019-1547 (1752090: openssl: side-channel weak encryption vulnerability): Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

References

high severity

ALAS2-2020-1573

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.4

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1573. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-1971 (1903409: openssl: EDIPARTYNAME NULL pointer de-reference): A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl, to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade openssl-libs to version 1:1.0.2k-19.amzn2.0.4 or higher.

References

high severity

ALAS2-2019-1230

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-9636 (1688543: python: Information Disclosure due to urlsplit improper NFKC normalization): Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
  • CVE-2019-5010 (1666519: python: NULL pointer dereference using a specially crafted X509 certificate): A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if the application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.
  • CVE-2018-20406 (1664509: python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data): Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
  • CVE-2018-1061 (1549192: python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib): A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
  • CVE-2018-1060 (1549191: python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib): A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

References

high severity

ALAS2-2019-1258

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-2.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-10160 (1718388: python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc): A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than where it should go, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

References

high severity

ALAS2-2019-1230

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-9636 (1688543: python: Information Disclosure due to urlsplit improper NFKC normalization): Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
  • CVE-2019-5010 (1666519: python: NULL pointer dereference using a specially crafted X509 certificate): A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if the application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.
  • CVE-2018-20406 (1664509: python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data): Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
  • CVE-2018-1061 (1549192: python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib): A flaw was found in the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
  • CVE-2018-1060 (1549191: python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib): A flaw was found in the way catastrophic backtracking was implemented in python's pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

References

high severity

ALAS2-2019-1258

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-2.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-10160 (1718388: python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc): A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than where it should go, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

References

high severity

ALAS2-2020-1394

  • Vulnerable module: sqlite
  • Introduced through: sqlite@3.7.17-8.amzn2
  • Fixed in: 3.7.17-8.amzn2.1.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* sqlite@3.7.17-8.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-13734: 1781980: CVE-2019-13734 sqlite: fts3: improve shadow table corruption detection Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

References

high severity

ALAS2-2019-1239

  • Vulnerable module: vim-minimal
  • Introduced through: vim-minimal@2:7.4.160-2.amzn2
  • Fixed in: 2:8.1.1602-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* vim-minimal@2:7.4.160-2.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-12735: 1718308: CVE-2019-12735 vim/neovim: ':source!' command allows arbitrary command execution via modelines It was found that the :source! command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution.

References

high severity

ALAS2-2018-1063

  • Vulnerable module: yum-plugin-ovl
  • Introduced through: yum-plugin-ovl@1.1.31-45.amzn2.0.1
  • Fixed in: 1.1.31-46.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* yum-plugin-ovl@1.1.31-45.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-10897: A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. 1600221: CVE-2018-10897 yum-utils: reposync: improper path validation may lead to directory traversal

References

high severity

ALAS2-2018-1063

  • Vulnerable module: yum-plugin-priorities
  • Introduced through: yum-plugin-priorities@1.1.31-45.amzn2.0.1
  • Fixed in: 1.1.31-46.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* yum-plugin-priorities@1.1.31-45.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-10897: A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. 1600221: CVE-2018-10897 yum-utils: reposync: improper path validation may lead to directory traversal

References

medium severity

ALAS2-2020-1503

  • Vulnerable module: bash
  • Introduced through: bash@4.2.46-29.amzn2
  • Fixed in: 4.2.46-34.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* bash@4.2.46-29.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1503. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-9924: 1691774: CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Remediation

Upgrade bash to version or higher.

References

medium severity

ALAS2-2020-1505

  • Vulnerable module: cpio
  • Introduced through: cpio@2.11-25.amzn2
  • Fixed in: 2.11-28.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* cpio@2.11-25.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1505. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-14866 (1765511: cpio: improper input validation when writing tar header fields leads to unexpected tar generation): It was discovered that cpio does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths they did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.

Remediation

Upgrade cpio to version or higher.

References

medium severity

ALAS2-2018-1052

  • Vulnerable module: curl
  • Introduced through: curl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.55.1-12.amzn2.0.5

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* curl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-0500: 1597101: CVE-2018-0500 curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP A heap-based buffer overflow has been found in the Curl_smtp_escape_eob() function of curl. An attacker could exploit this by convincing a user to use curl to upload data over SMTP with a reduced buffer to cause a crash or corrupt memory.

References

medium severity

ALAS2-2019-1162

  • Vulnerable module: curl
  • Introduced through: curl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-9.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* curl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-3823 (1670256: curl: SMTP end-of-response out-of-bounds read): libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.
  • CVE-2019-3822 (1670254: curl: NTLMv2 type-3 header stack buffer overflow): libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
  • CVE-2018-20483 (1662705: wget: Information exposure in set_file_metadata function in xattr.c): set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to the 2016-07-22 entry in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
  • CVE-2018-16890 (1670252: curl: NTLM type-2 heap out-of-bounds buffer read): libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that would lead to a buffer read out-of-bounds.
  • CVE-2018-16842 (1644124: curl: Heap-based buffer over-read in the curl tool warning formatting): Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
  • CVE-2018-16840 (1642203: curl: Use-after-free when closing "easy" handle in Curl_close()): A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
  • CVE-2018-16839 (1642201: curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()): Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
  • CVE-2017-8818 (1517691: curl: Out-of-bound access in SSL related cleanup code): curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
  • CVE-2017-8817 (1515760: curl: FTP wildcard out of bounds read): The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
  • CVE-2017-8816 (1515757: curl: NTLM buffer overflow via integer overflow): The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
  • CVE-2017-1000257 (1503705: curl: IMAP FETCH response out of bounds read): A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application.
  • CVE-2017-1000254 (1495541: curl: FTP PWD response parser out of bounds read): libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it: the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this issue has remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit 415d2e7cb7, March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.

References

medium severity

ALAS2-2019-1340

  • Vulnerable module: curl
  • Introduced through: curl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* curl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-5482 (99999: curl: heap buffer overflow in function tftp_receive_packet()): Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
  • CVE-2019-5481 (99999: curl: double free due to subsequent call of realloc()): Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

References

medium severity

ALAS2-2020-1451

  • Vulnerable module: curl
  • Introduced through: curl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* curl@7.55.1-12.amzn2.0.1

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1451. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8177: No description is available for this CVE. 1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite

Remediation

Upgrade curl to version or higher.

References

medium severity

ALAS2-2020-1513

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-10.amzn2
  • Fixed in: 2.1.0-12.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* expat@2.1.0-10.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1513. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-15903 (1752592: expat: heap-based buffer over-read via crafted XML input): In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
  • CVE-2018-20843 (1723723: expat: large number of colons in input makes parser consume high amount of resources, leading to DoS): It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service.

Remediation

Upgrade expat to version or higher.

References

medium severity

ALAS2-2019-1370

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.11-33.amzn2
  • Fixed in: 5.11-35.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* file-libs@5.11-33.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-18218: 1765272: CVE-2019-18218 file: heap-based buffer overflow in cdf_read_property_info in cdf.c cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).

References

medium severity

ALAS2-2019-1289

  • Vulnerable module: glib2
  • Introduced through: glib2@2.50.3-3.amzn2
  • Fixed in: 2.56.1-4.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glib2@2.50.3-3.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-12450: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. 1719141: CVE-2019-12450 glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress

References

medium severity

ALAS2-2020-1553

  • Vulnerable module: glib2
  • Introduced through: glib2@2.50.3-3.amzn2
  • Fixed in: 2.56.1-7.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glib2@2.50.3-3.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1553. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-12450 (1719141: glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress): file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

Remediation

Upgrade glib2 to version or higher.

References

medium severity

ALAS2-2018-1048

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-28.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-11236 (1581269: glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow): stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
  • CVE-2017-18269 (1580924: glibc: memory corruption in memcpy-sse2-unaligned.S): An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
  • CVE-2017-15804 (1505298: glibc: Buffer overflow during unescaping of user names with the ~ operator): The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
  • CVE-2017-15670 (1504804: glibc: Buffer overflow in glob with GLOB_TILDE): The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

References

medium severity

ALAS2-2018-1131

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-30.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-11237: A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. 1581274: CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

References

medium severity

ALAS2-2019-1140

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-32.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-19591: 1653993: CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.

References

medium severity

ALAS2-2020-1382

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-33.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 99999: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc
  • Introduced through: glibc@2.26-27.amzn2.0.5
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1517. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade glibc to version or higher.

References

medium severity

ALAS2-2018-1048

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-28.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-11236 (1581269: glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow): stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
  • CVE-2017-18269 (1580924: glibc: memory corruption in memcpy-sse2-unaligned.S): An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.
  • CVE-2017-15804 (1505298: glibc: Buffer overflow during unescaping of user names with the ~ operator): The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
  • CVE-2017-15670 (1504804: glibc: Buffer overflow in glob with GLOB_TILDE): The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

References

medium severity

ALAS2-2018-1131

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-30.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-11237: A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. 1581274: CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

References

medium severity

ALAS2-2019-1140

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-32.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-19591: 1653993: CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.

References

medium severity

ALAS2-2020-1382

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-33.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 99999: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.26-27.amzn2.0.5
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-common@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1517. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade glibc-common to version or higher.

References

medium severity

ALAS2-2018-1048

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-28.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-11236: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. 1581269: CVE-2018-11236 glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow

CVE-2017-18269: 1580924: CVE-2017-18269 glibc: memory corruption in memcpy-sse2-unaligned.S An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.

CVE-2017-15804: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. 1505298: CVE-2017-15804 glibc: Buffer overflow during unescaping of user names with the ~ operator

CVE-2017-15670: 1504804: CVE-2017-15670 glibc: Buffer overflow in glob with GLOB_TILDE The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

References

medium severity

ALAS2-2018-1131

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-30.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-11237: A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. 1581274: CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

References

medium severity

ALAS2-2019-1140

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-32.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-19591: 1653993: CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.

References

medium severity

ALAS2-2020-1382

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-33.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 99999: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.26-27.amzn2.0.5
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-langpack-en@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1517. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade glibc-langpack-en to version or higher.

References

medium severity

ALAS2-2018-1048

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-28.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-11236: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. 1581269: CVE-2018-11236 glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow

CVE-2017-18269: 1580924: CVE-2017-18269 glibc: memory corruption in memcpy-sse2-unaligned.S An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.

CVE-2017-15804: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. 1505298: CVE-2017-15804 glibc: Buffer overflow during unescaping of user names with the ~ operator

CVE-2017-15670: 1504804: CVE-2017-15670 glibc: Buffer overflow in glob with GLOB_TILDE The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

References

medium severity

ALAS2-2018-1131

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-30.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-11237: A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. 1581274: CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

References

medium severity

ALAS2-2019-1140

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-32.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-19591: 1653993: CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.

References

medium severity

ALAS2-2020-1382

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-33.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 99999: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.26-27.amzn2.0.5
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* glibc-minimal-langpack@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1517. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade glibc-minimal-langpack to version or higher.

References

medium severity

ALAS2-2019-1203

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.0.22-4.amzn2
  • Fixed in: 2.0.22-5.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* gnupg2@2.0.22-4.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2014-4617: 1112509: CVE-2014-4617 gnupg: infinite loop when decompressing data packets The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.

References

medium severity

ALAS2-2020-1509

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.42.9-10.amzn2
  • Fixed in: 1.42.9-19.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcom_err@1.42.9-10.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1509. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-5188: 1790048: CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

CVE-2019-5094: 1768555: CVE-2019-5094 e2fsprogs: Crafted ext4 partition leads to out-of-bounds write An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade libcom_err to version or higher.

References

medium severity

ALAS2-2018-1048

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-28.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-11236: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. 1581269: CVE-2018-11236 glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow

CVE-2017-18269: 1580924: CVE-2017-18269 glibc: memory corruption in memcpy-sse2-unaligned.S An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution.

CVE-2017-15804: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. 1505298: CVE-2017-15804 glibc: Buffer overflow during unescaping of user names with the ~ operator

CVE-2017-15670: 1504804: CVE-2017-15670 glibc: Buffer overflow in glob with GLOB_TILDE The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

References

medium severity

ALAS2-2018-1131

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-30.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-11237: A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code. 1581274: CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

References

medium severity

ALAS2-2019-1140

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-32.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-19591: 1653993: CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.

References

medium severity

ALAS2-2020-1382

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-33.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 99999: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

References

medium severity

ALAS2-2020-1517

  • Vulnerable module: libcrypt
  • Introduced through: libcrypt@2.26-27.amzn2.0.5
  • Fixed in: 2.26-36.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcrypt@2.26-27.amzn2.0.5

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1517. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2016-10739: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. 1347549: CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters

Remediation

Upgrade libcrypt to version or higher.

References

medium severity

ALAS2-2018-1052

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.55.1-12.amzn2.0.5

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcurl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-0500: 1597101: CVE-2018-0500 curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP A heap-based buffer overflow has been found in the Curl_smtp_escape_eob() function of curl. An attacker could exploit this by convincing a user to use curl to upload data over SMTP with a reduced buffer to cause a crash or corrupt memory.

References

medium severity

ALAS2-2019-1162

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-9.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcurl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-3823: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn't NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller. 1670256: CVE-2019-3823 curl: SMTP end-of-response out-of-bounds read

CVE-2019-3822: 1670254: CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

CVE-2018-20483: 1662705: CVE-2018-20483 wget: Information exposure in set_file_metadata function in xattr.c set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.

CVE-2018-16890: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. 1670252: CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read

CVE-2018-16842: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. 1644124: CVE-2018-16842 curl: Heap-based buffer over-read in the curl tool warning formatting

CVE-2018-16840: 1642203: CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close() A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

CVE-2018-16839: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. 1642201: CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()

CVE-2017-8818: 1517691: CVE-2017-8818 curl: Out-of-bound access in SSL related cleanup code curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.

CVE-2017-8817: The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character. 1515760: CVE-2017-8817 curl: FTP wildcard out of bounds read

CVE-2017-8816: 1515757: CVE-2017-8816 curl: NTLM buffer overflow via integer overflow The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.

CVE-2017-1000257: A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application. 1503705: CVE-2017-1000257 curl: IMAP FETCH response out of bounds read

CVE-2017-1000254: 1495541: CVE-2017-1000254 curl: FTP PWD response parser out of bounds read libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the PWD command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this issue has remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit 415d2e7cb7, March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.

References

medium severity

ALAS2-2019-1340

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcurl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-5482: Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. 99999: CVE-2019-5482 curl: heap buffer overflow in function tftp_receive_packet()

CVE-2019-5481: 99999: CVE-2019-5481 curl: double free due to subsequent call of realloc() Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.

References

medium severity

ALAS2-2020-1451

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-12.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcurl@7.55.1-12.amzn2.0.1

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1451. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-8177: No description is available for this CVE. 1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite

Remediation

Upgrade libcurl to version or higher.

References

medium severity

ALAS2-2019-1373

  • Vulnerable module: libidn2
  • Introduced through: libidn2@2.0.4-1.amzn2
  • Fixed in: 2.3.0-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libidn2@2.0.4-1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-18224: idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string. 1764780: CVE-2019-18224 libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c CVE-2019-12290: 99999:

References

medium severity

ALAS2-2019-1263

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.amzn2.1
  • Fixed in: 1.4.3-12.amzn2.2.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libssh2@1.4.3-10.amzn2.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-3861: 1687311: CVE-2019-3861 libssh2: Out-of-bounds reads with specially crafted SSH packets An out of bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.

CVE-2019-3858: 1687306: CVE-2019-3858 libssh2: Zero-byte allocation with a specially crafted SFTP packet leading to an out-of-bounds read An out of bounds read flaw was discovered in libssh2 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.

References

medium severity

ALAS2-2019-1303

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.amzn2.1
  • Fixed in: 1.4.3-12.amzn2.2.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libssh2@1.4.3-10.amzn2.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-3862: 1687312: CVE-2019-3862 libssh2: Out-of-bounds memory comparison with specially crafted message channel request An out of bounds read flaw was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.

References

medium severity

ALAS2-2020-1531

  • Vulnerable module: libssh2
  • Introduced through: libssh2@1.4.3-10.amzn2.1
  • Fixed in: 1.4.3-12.amzn2.2.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libssh2@1.4.3-10.amzn2.1

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1531. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-17498: 1766898: CVE-2019-17498 libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

Remediation

Upgrade libssh2 to version or higher.

References

medium severity

ALAS2-2019-1220

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3
  • Fixed in: 2.9.1-6.amzn2.3.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libxml2@2.9.1-6.amzn2.3

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2015-8710 (1213957): libxml2: out-of-bounds memory access when parsing an unclosed HTML comment. It was discovered that libxml2 could access out-of-bounds memory when parsing unclosed HTML comments. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to disclose heap memory contents.
  • CVE-2015-8317 (1281930): libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.
  • CVE-2015-8242 (1281950): libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.
  • CVE-2015-8241 (1281936): libxml2: Buffer overread with XML parser in xmlNextChar. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.
  • CVE-2015-7942 (1276297): libxml2: heap-based buffer overflow in xmlParseConditionalSections(). A heap-based buffer overflow flaw was found in the way libxml2 parsed certain crafted XML input. A remote attacker could provide a specially crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash, causing a denial of service. The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
  • CVE-2015-7941 (1274222): libxml2: Out-of-bounds memory access. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash. libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
  • CVE-2015-7500 (1281943): libxml2: Heap buffer overflow in xmlParseMisc. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.
  • CVE-2015-7499 (1281925): libxml2: Heap-based buffer overflow in xmlGROW. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to leak potentially sensitive information.
  • CVE-2015-7498 (1281879): libxml2: Heap-based buffer overflow in xmlParseXmlDecl. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.
  • CVE-2015-7497 (1281862): libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to crash.
  • CVE-2015-5312 (1276693): libxml2: CPU exhaustion when processing specially crafted XML input. A denial of service flaw was found in libxml2. A remote attacker could provide a specially crafted XML or HTML file that, when processed by an application using libxml2, would cause that application to use an excessive amount of CPU.
  • CVE-2015-1819 (1211278): libxml2: denial of service processing a crafted XML document. A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.

References

medium severity

ALAS2-2019-1301

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3
  • Fixed in: 2.9.1-6.amzn2.3.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libxml2@2.9.1-6.amzn2.3

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2017-16931 (1517307): libxml2: Mishandling parameter-entity references. parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.
  • CVE-2016-4658 (1384424): libxml2: Use after free via namespace node in XPointer ranges. xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

References

medium severity

ALAS2-2020-1534

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.amzn2.3
  • Fixed in: 2.9.1-6.amzn2.5.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libxml2@2.9.1-6.amzn2.3

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1534. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-7595 (1799786): libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations. xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
  • CVE-2019-20388 (1799734): libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c. A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability.
  • CVE-2019-19956 (1788856): libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Remediation

Upgrade libxml2 to version or higher.

References

medium severity

ALAS2-2019-1302

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2017-11113 (1473310): ncurses: Null pointer dereference vulnerability in _nc_parse_entry function. In ncurses 6.0, there is a NULL pointer dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-11112 (1473306): ncurses: Illegal address access in append_acs function. In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-10685 (1473312): ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function. In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
  • CVE-2017-10684 (1473302): ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c. In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

References

medium severity

ALAS2-2019-1302

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses-base@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2017-11113 (1473310): ncurses: Null pointer dereference vulnerability in _nc_parse_entry function. In ncurses 6.0, there is a NULL pointer dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-11112 (1473306): ncurses: Illegal address access in append_acs function. In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-10685 (1473312): ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function. In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
  • CVE-2017-10684 (1473302): ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c. In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

References

medium severity

ALAS2-2019-1302

  • Vulnerable module: ncurses-compat-libs
  • Introduced through: ncurses-compat-libs@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses-compat-libs@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2017-11113 (1473310): ncurses: Null pointer dereference vulnerability in _nc_parse_entry function. In ncurses 6.0, there is a NULL pointer dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-11112 (1473306): ncurses: Illegal address access in append_acs function. In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-10685 (1473312): ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function. In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
  • CVE-2017-10684 (1473302): ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c. In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

References

medium severity

ALAS2-2019-1302

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses-libs@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2017-11113 (1473310): ncurses: Null pointer dereference vulnerability in _nc_parse_entry function. In ncurses 6.0, there is a NULL pointer dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-11112 (1473306): ncurses: Illegal address access in append_acs function. In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.
  • CVE-2017-10685 (1473312): ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function. In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
  • CVE-2017-10684 (1473302): ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c. In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nspr
  • Introduced through: nspr@4.13.1-1.0.amzn2
  • Fixed in: 4.25.0-2.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nspr@4.13.1-1.0.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187): nss: Side channel attack on ECDSA signature generation. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931): nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read. A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231): nss: Side channel vulnerabilities during RSA key generation. A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294): nss: ECDSA timing attack mitigation bypass. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983): nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function. A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225): nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state. A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916): nss: Check length of inputs for cryptographic primitives. A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835): nss: Use-after-free in sftk_FreeSession due to improper refcounting. A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988): nss: PKCS#1 v1.5 signatures can be used for TLS 1.3. A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436): nss: Out-of-bounds read when importing curve25519 private key. When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade nspr to version or higher.

References

medium severity

ALAS2-2018-1095

  • Vulnerable module: nss
  • Introduced through: nss@3.28.4-15.1.amzn2
  • Fixed in: 3.36.0-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-12384 (1622089): nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello. A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack.

References

medium severity

ALAS2-2019-1305

  • Vulnerable module: nss
  • Introduced through: nss@3.28.4-15.1.amzn2
  • Fixed in: 3.44.0-4.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-12404 (1657913): nss: Cache side-channel variant of the Bleichenbacher attack. A cache side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.
  • CVE-2018-0495 (1591163): ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (also tracked under 1591163 as "openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries"). Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss
  • Introduced through: nss@3.28.4-15.1.amzn2
  • Fixed in: 3.53.1-3.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss@3.28.4-15.1.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187): nss: Side channel attack on ECDSA signature generation. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931): nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read. A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231): nss: Side channel vulnerabilities during RSA key generation. A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294): nss: ECDSA timing attack mitigation bypass. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983): nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function. A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225): nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state. A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916): nss: Check length of inputs for cryptographic primitives. A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835): nss: Use-after-free in sftk_FreeSession due to improper refcounting. A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988): nss: PKCS#1 v1.5 signatures can be used for TLS 1.3. A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436): nss: Out-of-bounds read when importing curve25519 private key. When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade nss to version or higher.

References

medium severity

ALAS2-2019-1139

  • Vulnerable module: nss-pem
  • Introduced through: nss-pem@1.0.3-4.amzn2
  • Fixed in: 1.0.3-5.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-pem@1.0.3-4.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2018-1000301 (1575536): curl: Out-of-bounds heap read when missing RTSP headers allows information leak or denial of service. curl 7.20.0 to and including 7.59.0 contains a CWE-126 (Buffer Over-read) vulnerability: curl can be tricked into reading data beyond the end of a heap-based buffer used to store downloaded RTSP content, resulting in a denial of service. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.
  • CVE-2018-1000122 (1553398): curl: RTSP RTP buffer over-read. A buffer over-read exists in curl 7.20.0 to and including 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage.
  • CVE-2018-1000121 (1552631): curl: LDAP NULL pointer dereference. A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.
  • CVE-2018-1000120 (1552628): curl: FTP path trickery leads to NIL byte out of bounds write. It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker able to provide a specially crafted FTP URL to an application using libcurl could write a NULL byte at an arbitrary location, resulting in a crash or unspecified behavior.
  • CVE-2018-1000007 (1537125): curl: HTTP authentication leak in redirects. It was found that curl and libcurl might send their Authentication header to a third-party HTTP server upon receiving an HTTP REDIRECT reply. This could leak an authentication token to external entities. libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the Location: response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

References

medium severity

ALAS2-2020-1379

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.28.3-8.amzn2
  • Fixed in: 3.44.0-8.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-softokn@3.28.3-8.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2019-11745 (99999): nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate. A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability is high as well.
  • CVE-2019-11729 (99999): nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault. Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.28.3-8.amzn2
  • Fixed in: 3.53.1-6.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-softokn@3.28.3-8.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

  • CVE-2020-6829 (1826187): nss: Side channel attack on ECDSA signature generation. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12403 (1868931): nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read. A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
  • CVE-2020-12402 (1826231): nss: Side channel vulnerabilities during RSA key generation. A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
  • CVE-2020-12401 (1851294): nss: ECDSA timing attack mitigation bypass. A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2020-12400 (1853983): nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function. A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
  • CVE-2019-17023 (1791225): nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state. A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored.
  • CVE-2019-17006 (1775916): nss: Check length of inputs for cryptographic primitives. A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
  • CVE-2019-11756 (1774835): nss: Use-after-free in sftk_FreeSession due to improper refcounting. A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
  • CVE-2019-11727 (1730988): nss: PKCS#1 v1.5 signatures can be used for TLS 1.3. A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
  • CVE-2019-11719 (1728436): nss: Out-of-bounds read when importing curve25519 private key. When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

Remediation

Upgrade nss-softokn to version or higher.

References

medium severity

ALAS2-2020-1379

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.28.3-8.amzn2
  • Fixed in: 3.44.0-8.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-softokn-freebl@3.28.3-8.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-11745: 99999: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability is high as well.

CVE-2019-11729: 99999: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.28.3-8.amzn2
  • Fixed in: 3.53.1-6.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-softokn-freebl@3.28.3-8.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-6829: 1826187: CVE-2020-6829 nss: Side channel attack on ECDSA signature generation A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. 1868931: CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read

CVE-2020-12402: A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality. 1826231: CVE-2020-12402 nss: Side channel vulnerabilities during RSA key generation

CVE-2020-12401: 1851294: CVE-2020-12401 nss: ECDSA timing attack mitigation bypass A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12400: 1853983: CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2019-17023: A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 1791225: CVE-2019-17023 nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state

CVE-2019-17006: 1775916: CVE-2019-17006 nss: Check length of inputs for cryptographic primitives A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

CVE-2019-11756: A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS. 1774835: CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting

CVE-2019-11727: 1730988: CVE-2019-11727 nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.

CVE-2019-11719: When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728436: CVE-2019-11719 nss: Out-of-bounds read when importing curve25519 private key

Remediation

Upgrade nss-softokn-freebl to version or higher.

References

medium severity

ALAS2-2018-1095

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.28.4-15.1.amzn2
  • Fixed in: 3.36.0-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-sysinit@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-12384: A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack. 1622089: CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello

References

medium severity

ALAS2-2019-1305

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.28.4-15.1.amzn2
  • Fixed in: 3.44.0-4.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-sysinit@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.

CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.28.4-15.1.amzn2
  • Fixed in: 3.53.1-3.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-sysinit@3.28.4-15.1.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-6829: 1826187: CVE-2020-6829 nss: Side channel attack on ECDSA signature generation A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. 1868931: CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read

CVE-2020-12402: A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality. 1826231: CVE-2020-12402 nss: Side channel vulnerabilities during RSA key generation

CVE-2020-12401: 1851294: CVE-2020-12401 nss: ECDSA timing attack mitigation bypass A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12400: 1853983: CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2019-17023: A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 1791225: CVE-2019-17023 nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state

CVE-2019-17006: 1775916: CVE-2019-17006 nss: Check length of inputs for cryptographic primitives A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

CVE-2019-11756: A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS. 1774835: CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting

CVE-2019-11727: 1730988: CVE-2019-11727 nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.

CVE-2019-11719: When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728436: CVE-2019-11719 nss: Out-of-bounds read when importing curve25519 private key

Remediation

Upgrade nss-sysinit to version or higher.

References

medium severity

ALAS2-2018-1095

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.28.4-15.1.amzn2
  • Fixed in: 3.36.0-7.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-tools@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-12384: A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack. 1622089: CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello

References

medium severity

ALAS2-2019-1305

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.28.4-15.1.amzn2
  • Fixed in: 3.44.0-4.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-tools@3.28.4-15.1.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-12404: 1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.

CVE-2018-0495: 1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-tools
  • Introduced through: nss-tools@3.28.4-15.1.amzn2
  • Fixed in: 3.53.1-3.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-tools@3.28.4-15.1.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-6829: 1826187: CVE-2020-6829 nss: Side channel attack on ECDSA signature generation A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. 1868931: CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read

CVE-2020-12402: A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality. 1826231: CVE-2020-12402 nss: Side channel vulnerabilities during RSA key generation

CVE-2020-12401: 1851294: CVE-2020-12401 nss: ECDSA timing attack mitigation bypass A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12400: 1853983: CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2019-17023: A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 1791225: CVE-2019-17023 nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state

CVE-2019-17006: 1775916: CVE-2019-17006 nss: Check length of inputs for cryptographic primitives A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

CVE-2019-11756: A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS. 1774835: CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting

CVE-2019-11727: 1730988: CVE-2019-11727 nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.

CVE-2019-11719: When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728436: CVE-2019-11719 nss: Out-of-bounds read when importing curve25519 private key

Remediation

Upgrade nss-tools to version or higher.

References

medium severity

ALAS2-2020-1559

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.28.4-3.amzn2
  • Fixed in: 3.53.1-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* nss-util@3.28.4-3.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1559. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-6829: 1826187: CVE-2020-6829 nss: Side channel attack on ECDSA signature generation A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. 1868931: CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read

CVE-2020-12402: A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality. 1826231: CVE-2020-12402 nss: Side channel vulnerabilities during RSA key generation

CVE-2020-12401: 1851294: CVE-2020-12401 nss: ECDSA timing attack mitigation bypass A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while the nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2020-12400: 1853983: CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function A side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.

CVE-2019-17023: A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. 1791225: CVE-2019-17023 nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state

CVE-2019-17006: 1775916: CVE-2019-17006 nss: Check length of inputs for cryptographic primitives A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

CVE-2019-11756: A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS. 1774835: CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting

CVE-2019-11727: 1730988: CVE-2019-11727 nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.

CVE-2019-11719: When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. 1728436: CVE-2019-11719 nss: Out-of-bounds read when importing curve25519 private key

Remediation

Upgrade nss-util to version or higher.

References

medium severity

ALAS2-2020-1539

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.44-5.amzn2
  • Fixed in: 2.4.44-22.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openldap@2.4.44-5.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1539. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-12243: In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). 1833535: CVE-2020-12243 openldap: denial of service via nested boolean expressions in LDAP search filters

Remediation

Upgrade openldap to version or higher.

References

medium severity

ALAS2-2018-1102

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-16.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). 1561266: CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service

CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). 1591100: CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang

CVE-2018-0495: Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. 1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries

CVE-2017-3735: 1486144: CVE-2017-3735 openssl: Malformed X.509 IPAddressFamily could cause OOB read While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

References

medium severity

ALAS2-2019-1188

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-16.amzn2.1.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-1559: 1683804: CVE-2019-1559 openssl: 0-byte record padding oracle If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

CVE-2018-5407: A microprocessor side-channel vulnerability was found on SMT (e.g., Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. 1645695: CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)

References

medium severity

ALAS2-2019-1362

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-1559: 1683804: CVE-2019-1559 openssl: 0-byte record padding oracle If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

CVE-2018-0734: 1644364: CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

References

medium severity
new

ALAS2-2021-1608

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-19.amzn2.0.6

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1608. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-23841 (bug 1930310): openssl: NULL pointer dereference in X509_issuer_and_serial_hash(). The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (affected 1.0.2-1.0.2x).

CVE-2021-23840 (bug 1930324): openssl: integer overflow in CipherUpdate. Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (affected 1.0.2-1.0.2x).

CVE-2021-23839 (bug 1930294): openssl: incorrect SSLv2 rollback protection. OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions, then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further, the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list). OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2, the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However, since there is no support for the SSLv2 protocol in 1.1.1, this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (affected 1.0.2s-1.0.2x).
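The inverted padding check described for CVE-2021-23839, as an added example (not the advisory's or OpenSSL's code): a Python model of PKCS#1 v1.5 type 2 unpadding with the SSLv23 rollback marker, carrying both the correct test and the inverted one so their behaviour on a downgraded client and on a genuine SSLv2 client can be compared side by side. The block size, the sample message and all function names are assumptions for the example; no real RSA operation is performed, only the padding layer is modelled.

```python
"""RSA PKCS#1 v1.5 unpadding with the SSLv23 rollback check.

Added example, not code from the advisory or from OpenSSL. It models the
logic the CVE-2021-23839 entry describes: a TLS-capable client that is forced
down to SSLv2 marks the last eight padding bytes with 0x03, and a server that
sees that marker must reject the connection. The 'inverted' variant reproduces
the bug (accept when the marker is present, reject when it is absent). Only
the padding layer is modelled; there is no RSA here.
"""
import os

ROLLBACK_MARKER = b"\x03" * 8   # trailer a >SSLv2 client places at the end of PS


def pad_sslv23(message: bytes, k: int, client_speaks_tls: bool) -> bytes:
    """Client side: EM = 0x00 || 0x02 || PS || 0x00 || M, with |EM| = k bytes.
    PS is random and never zero; a TLS-capable client overwrites its last
    eight bytes with 0x03 so that a downgrade to SSLv2 is detectable."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for block")
    ps = bytes(b or 1 for b in os.urandom(ps_len))   # replace any zero byte
    if client_speaks_tls:
        ps = ps[:-8] + ROLLBACK_MARKER
    return b"\x00\x02" + ps + b"\x00" + message


def _split_type2(em: bytes):
    """Return (PS, M) for a well-formed type 2 block, else raise ValueError."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    ps = em[2:sep]
    if len(ps) < 8:
        raise ValueError("padding string too short")
    return ps, em[sep + 1:]


def unpad_sslv23_correct(em: bytes) -> bytes:
    """Server side, correct: the marker in PS means a rollback, so reject."""
    ps, message = _split_type2(em)
    if ps.endswith(ROLLBACK_MARKER):
        raise ValueError("version rollback detected")
    return message


def unpad_sslv23_inverted(em: bytes) -> bytes:
    """Server side as the advisory describes for 1.0.2s-1.0.2x: the test is
    inverted, so a rolled-back connection is accepted and a genuine SSLv2
    connection is refused."""
    ps, message = _split_type2(em)
    if not ps.endswith(ROLLBACK_MARKER):
        raise ValueError("version rollback detected")   # wrong branch
    return message


def accepted(check, em: bytes) -> bool:
    """True if `check` returns a message instead of raising."""
    try:
        check(em)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    k = 128                                        # 1024-bit modulus block
    rolled_back = pad_sslv23(b"premaster", k, client_speaks_tls=True)
    plain_sslv2 = pad_sslv23(b"premaster", k, client_speaks_tls=False)
    for name, check in (("correct", unpad_sslv23_correct),
                        ("inverted", unpad_sslv23_inverted)):
        print("%-8s rollback accepted=%-5s plain SSLv2 accepted=%s"
              % (name, accepted(check, rolled_back), accepted(check, plain_sslv2)))
```

Run it and the two lines show the advisory's two symptoms at once: the inverted check lets the downgraded client through and turns away the legitimate SSLv2 client.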

Remediation

Upgrade openssl-libs to version 1:1.0.2k-19.amzn2.0.6 or higher.

References

medium severity
new

ALAS2-2021-1601

  • Vulnerable module: p11-kit
  • Introduced through: p11-kit@0.23.5-3.amzn2
  • Fixed in: 0.23.22-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* p11-kit@0.23.5-3.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1601. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-29363 (bug 1903588): p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c. An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.

CVE-2020-29362 (bug 1903590): p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c. An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29361 (bug 1903592): p11-kit: integer overflow when allocating memory for arrays or attributes and object identifiers. An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

Remediation

Upgrade p11-kit to version 0.23.22-1.amzn2.0.1 or higher.

References

medium severity
new

ALAS2-2021-1601

  • Vulnerable module: p11-kit-trust
  • Introduced through: p11-kit-trust@0.23.5-3.amzn2
  • Fixed in: 0.23.22-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* p11-kit-trust@0.23.5-3.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1601. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-29363 (bug 1903588): p11-kit: out-of-bounds write in p11_rpc_buffer_get_byte_array_value function in rpc-message.c. An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.

CVE-2020-29362 (bug 1903590): p11-kit: out-of-bounds read in p11_rpc_buffer_get_byte_array function in rpc-message.c. An issue was discovered in p11-kit 0.21.1 through 0.23.21. A heap-based buffer over-read has been discovered in the RPC protocol used by the p11-kit server/remote commands and the client library. When the remote entity supplies a byte array through a serialized PKCS#11 function call, the receiving entity may allow the reading of up to 4 bytes of memory past the heap allocation.

CVE-2020-29361 (bug 1903592): p11-kit: integer overflow when allocating memory for arrays or attributes and object identifiers. An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.
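The missing length and count checks behind CVE-2020-29361, CVE-2020-29362 and CVE-2020-29363 (the p11-kit and p11-kit-trust entries above), as an added example that is not p11-kit's code: a bounds-checked parser for a constructed, simplified length-prefixed attribute encoding. The wire format (uint32 big-endian count, then per attribute a uint32 type and a uint32-length-prefixed value), the policy limits and the sample messages are assumptions for the example, not p11-kit's real RPC format; what carries over is where the checks have to sit.

```python
"""Bounds-checked deserialization of length-prefixed byte arrays.

Added example, not the advisory's or p11-kit's code; the wire format is a
constructed simplification, not p11-kit's RPC encoding. It shows the two
checks whose absence the CVE-2020-29361/29362/29363 entries describe: a
declared length must fit in what is actually left of the message before any
bytes are copied, and a count that sizes an allocation must be capped before
it is multiplied.
"""
import struct

MAX_ARRAY_BYTES = 1 << 20         # assumed policy limit for one value
MAX_ATTRIBUTE_COUNT = 1 << 16     # assumed policy limit for one attribute list
ATTRIBUTE_HEADER = 4 + 4          # type (uint32) + value length (uint32)


class MalformedMessage(ValueError):
    pass


def read_byte_array(buf: bytes, offset: int):
    """Parse one length-prefixed array at `offset`.
    Returns (value, new_offset) or raises MalformedMessage."""
    if offset < 0 or offset + 4 > len(buf):
        raise MalformedMessage("length field truncated")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if length > MAX_ARRAY_BYTES:
        raise MalformedMessage("declared length %d exceeds policy" % length)
    if length > len(buf) - offset:            # the over-read / over-copy check
        raise MalformedMessage("declared length %d, only %d bytes left"
                               % (length, len(buf) - offset))
    return bytes(buf[offset:offset + length]), offset + length


def read_attribute_list(buf: bytes, offset: int = 0):
    """Parse: uint32 count, then `count` x (uint32 type, byte array value)."""
    if offset + 4 > len(buf):
        raise MalformedMessage("count field truncated")
    (count,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    # Cap the count before it is multiplied into an allocation size (the
    # overflow guard), and reject counts the remaining bytes cannot satisfy,
    # since every attribute needs at least its fixed header.
    if count > MAX_ATTRIBUTE_COUNT or count * ATTRIBUTE_HEADER > len(buf) - offset:
        raise MalformedMessage("implausible attribute count %d" % count)
    attrs = []
    for _ in range(count):
        if offset + 4 > len(buf):
            raise MalformedMessage("attribute type truncated")
        (attr_type,) = struct.unpack_from(">I", buf, offset)
        value, offset = read_byte_array(buf, offset + 4)
        attrs.append((attr_type, value))
    if offset != len(buf):
        raise MalformedMessage("%d trailing bytes" % (len(buf) - offset))
    return attrs


def encode_attribute_list(attrs) -> bytes:
    """Encoder for the same constructed format, used to build test input."""
    out = struct.pack(">I", len(attrs))
    for attr_type, value in attrs:
        out += struct.pack(">II", attr_type, len(value)) + value
    return out


def parse_or_error(buf: bytes):
    """Return the parsed list, or a 'rejected: ...' string."""
    try:
        return read_attribute_list(buf)
    except MalformedMessage as exc:
        return "rejected: " + str(exc)


# Constructed sample messages (not from the advisory).
GOOD = encode_attribute_list([(0x03, b"token-label"), (0x11, b"\x01")])
# Same message with the last value's length field raised to 16: a receiver
# that trusted the field would read or copy 15 bytes it never received.
OVERLONG = GOOD[:-2] + b"\x10\x01"
# A count of 0xFFFFFFFF with no attribute data behind it.
HUGE_COUNT = struct.pack(">I", 0xFFFFFFFF)

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("overlong", OVERLONG), ("huge", HUGE_COUNT)):
        print(label, parse_or_error(msg))
```

The order matters: the length is compared against the bytes remaining before the slice is taken, and the count is bounded before it multiplies anything, which is exactly the sequence the advisory says was missing.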

Remediation

Upgrade p11-kit-trust to version 0.23.22-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2019-1291

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-3.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-9948 (bug 1695570): python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms. urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.

References

medium severity

ALAS2-2019-1368

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-4.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-16056: python: email.utils.parseaddr wrongly parses email addresses. An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

References

medium severity

ALAS2-2020-1432

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1432. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-8492 (bug 1809065): python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

CVE-2018-20852 (bug 1740347): python: Cookie domain check returns incorrect results. http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.

Remediation

Upgrade python to version 2.7.18-1.amzn2 or higher.

References

medium severity

ALAS2-2020-1471

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1471. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-8492 (bug 1809065): python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Remediation

Upgrade python to version 2.7.18-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2020-1483

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1483. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-20907 (bug 1856481): python: infinite loop in the tarfile module via crafted TAR archive. In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Remediation

Upgrade python to version 2.7.18-1.amzn2.0.2 or higher.

References

medium severity
new

ALAS2-2021-1611

  • Vulnerable module: python
  • Introduced through: python@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1611. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-3177 (bug 1918168): python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c. A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade python to version 2.7.18-1.amzn2.0.3 or higher.

References

medium severity

ALAS2-2019-1291

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-3.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-9948 (bug 1695570): python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms. urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
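The bypass class behind CVE-2019-9948 (the python and python-libs entries for ALAS2-2019-1291), as an added example that is not the advisory's or CPython's code: a URL filter written as a scheme denylist beside one written as a scheme allowlist, run over the same inputs. Nothing is opened or fetched; the functions only classify URLs. The allowed scheme set and the sample URLs are assumptions for the example.

```python
"""Scheme filtering for user-supplied URLs: denylist vs. allowlist.

Added example, not code from the advisory or from CPython. It reproduces the
class of bypass behind CVE-2019-9948: a filter that rejects only URLs that
start with 'file:' lets 'local_file:' through, and an opener that knows that
scheme then reads a local file anyway. Nothing is opened here; the functions
only classify URLs so the two policies can be compared.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # what the application actually needs


def denylist_allows(url: str) -> bool:
    """Vulnerable pattern: reject the one scheme the author has heard of."""
    return not url.lower().startswith("file:")


def allowlist_allows(url: str) -> bool:
    """Hardened pattern: accept only the schemes the application needs, and
    require a host so that 'https:///etc/passwd' and bare paths fail too.
    urlsplit does not even treat 'local_file' as a scheme ('_' is not a
    scheme character), so such a URL parses as a schemeless path and is
    rejected for that reason as well."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def verdicts(url: str) -> tuple:
    """(denylist verdict, allowlist verdict) for one URL."""
    return denylist_allows(url), allowlist_allows(url)


# Constructed sample inputs, not taken from the advisory.
SAMPLES = [
    "https://example.com/report",
    "file:///etc/passwd",
    "local_file:///etc/passwd",    # the CVE-2019-9948 bypass
    "FILE:///etc/passwd",
    "https:///etc/passwd",         # scheme is fine, but there is no host
    "/etc/passwd",                 # no scheme at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-30s denylist=%-5s allowlist=%s" % ((sample,) + verdicts(sample)))
```

The denylist passes three of the six inputs that the allowlist refuses, and it is the third one, local_file:, that the advisory is about: any scheme the filter author did not anticipate sails through a denylist by construction.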

References

medium severity

ALAS2-2019-1368

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.16-4.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-16056: python: email.utils.parseaddr wrongly parses email addresses. An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
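A From/To check that is not fooled by the multiple-'@' input described for CVE-2019-16056 (the python and python-libs entries for ALAS2-2019-1368), as an added example that is not the advisory's or CPython's code. It keeps using email.utils.parseaddr but treats its result as a hint rather than a verdict, and cross-checks it against the raw header. The allowed-domain set and the sample headers are assumptions for the example.

```python
"""Validating a From/To header against an allowed sender domain.

Added example, not code from the advisory or from CPython. CVE-2019-16056 is
about email.utils.parseaddr handing back a partial address for input with
several '@' signs; an application that checks only the domain of whatever
parseaddr returns can be tricked. This validator requires that the address
contain exactly one '@', that its domain be on the list, and that it account
for the whole header (the entire value, or the '<...>' at its end), so a
truncated parse cannot pass regardless of the interpreter's parseaddr.
"""
from email.utils import parseaddr

ALLOWED_DOMAINS = {"important.com"}   # assumed policy for the example


def sender_allowed(header_value: str) -> bool:
    """True only for a single well-formed address in an allowed domain."""
    _display_name, addr = parseaddr(header_value)
    if not addr or addr.count("@") != 1:
        return False
    local_part, domain = addr.split("@")
    if not local_part or not domain:
        return False
    # Cross-check against the raw header: the address must be the whole
    # value, or the angle-bracketed part that ends it. Anything else means
    # parseaddr dropped something, which is the vulnerable behaviour.
    raw = header_value.strip()
    if raw != addr and not raw.endswith("<" + addr + ">"):
        return False
    return domain.lower() in ALLOWED_DOMAINS


# Constructed sample headers, not taken from the advisory.
SAMPLE_HEADERS = [
    "alice@important.com",
    "Alice <alice@important.com>",
    "mallory@evil.example",
    "a@malicious.org@important.com",          # multiple '@' (CVE-2019-16056)
    '"x@important.com" <a@malicious.org>',    # allowed domain only in the name
    "Alice <alice@important.com> <bob@evil.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print("%-50s %s" % (header, "allowed" if sender_allowed(header) else "denied"))
```

This is deliberately strict: a trailing comment after the angle address, or a list of several addresses, is denied rather than partially accepted, which is the right default for an authorisation check even if it is stricter than RFC 5322 parsing.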

References

medium severity

ALAS2-2020-1432

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1432. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-8492 (bug 1809065): python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

CVE-2018-20852 (bug 1740347): python: Cookie domain check returns incorrect results. http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
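The suffix-matching mistake described for CVE-2018-20852 (the python and python-libs entries for ALAS2-2020-1432), as an added example that is not the advisory's or CPython's code: a minimal version of the wrong comparison next to a label-aware one, run over the same candidate hosts so the leak to pythonicexample.com is visible. The hostnames are constructed samples and the function names are assumptions for the example; this is not the cookiejar code itself.

```python
"""Cookie domain matching: the suffix bug behind CVE-2018-20852.

Added example, not the advisory's or CPython's code. The vulnerable cookiejar
check compared the request host with the cookie's domain by a plain suffix
test, so when the stored domain had no leading dot a host such as
'pythonicexample.com' matched a cookie scoped to 'example.com'. The two
functions below are a minimal model of the wrong and of a corrected
comparison; hostnames are constructed samples.
"""


def domain_return_ok_buggy(cookie_domain: str, request_host: str) -> bool:
    """Plain suffix match: any host that merely ends with the domain string
    passes, whether or not the match starts on a label boundary."""
    return request_host.lower().endswith(cookie_domain.lower())


def domain_return_ok_fixed(cookie_domain: str, request_host: str) -> bool:
    """Label-aware match: the host must be the domain itself, or end with
    '.' + domain, so the match can only begin at a label boundary."""
    domain = cookie_domain.lower().lstrip(".")
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)


def hosts_receiving_cookie(cookie_domain: str, candidate_hosts, check) -> list:
    """Hosts to which `check` would release a cookie scoped to cookie_domain."""
    return [h for h in candidate_hosts if check(cookie_domain, h)]


# Constructed sample hosts, not taken from the advisory.
SAMPLE_HOSTS = [
    "example.com",
    "www.example.com",
    "pythonicexample.com",      # attacker host with the victim domain as suffix
    "example.com.evil.net",     # victim domain as prefix; must never match
    "example.org",
]

if __name__ == "__main__":
    for name, check in (("buggy", domain_return_ok_buggy),
                        ("fixed", domain_return_ok_fixed)):
        print(name, hosts_receiving_cookie("example.com", SAMPLE_HOSTS, check))
```

The same pattern applies anywhere a hostname is compared against a domain (CORS origin checks, certificate name matching, allowlists of callback hosts): a suffix test without the separating dot is an impersonation bug, and registering a host that ends in the victim's name is all an attacker needs.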

Remediation

Upgrade python-libs to version 2.7.18-1.amzn2 or higher.

References

medium severity

ALAS2-2020-1471

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1471. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2020-8492 (bug 1809065): python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS. Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Remediation

Upgrade python-libs to version 2.7.18-1.amzn2.0.1 or higher.

References

medium severity

ALAS2-2020-1483

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1483. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-20907 (bug 1856481): python: infinite loop in the tarfile module via crafted TAR archive. In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Remediation

Upgrade python-libs to version 2.7.18-1.amzn2.0.2 or higher.

References

medium severity
new

ALAS2-2021-1611

  • Vulnerable module: python-libs
  • Introduced through: python-libs@2.7.14-58.amzn2.0.2
  • Fixed in: 2.7.18-1.amzn2.0.3

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* python-libs@2.7.14-58.amzn2.0.2

Overview

Affected versions of this package are vulnerable to ALAS2-2021-1611. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2021-3177 (bug 1918168): python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c. A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade python-libs to version 2.7.18-1.amzn2.0.3 or higher.

References

low severity

ALAS2-2018-1135

  • Vulnerable module: curl
  • Introduced through: curl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.55.1-12.amzn2.0.7

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* curl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-14618 (bug 1622707): curl: NTLM password overflow via integer overflow. curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

References

low severity

ALAS2-2019-1233

  • Vulnerable module: curl
  • Introduced through: curl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-11.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* curl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-5436 (bug 1710620): curl: TFTP receive heap buffer overflow in tftp_receive_packet() function. A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.

CVE-2019-5435 (bug 1710609): curl: Integer overflows in curl_url_set() function. An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.

References

low severity

ALAS2-2019-1337

  • Vulnerable module: elfutils-libelf
  • Introduced through: elfutils-libelf@0.168-8.amzn2
  • Fixed in: 0.176-2.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* elfutils-libelf@0.168-8.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-7665: elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c. In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.

CVE-2019-7664: elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h. In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted ELF input causes a segmentation fault, leading to denial of service (program crash).

CVE-2019-7150: elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c. An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial of service, as demonstrated by eu-stack.

CVE-2019-7149: elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw. A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial of service, as demonstrated by eu-nm.

CVE-2018-18521: elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c. Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.

CVE-2018-18520: elfutils: eu-size cannot handle recursive ar files. An invalid memory address dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.

CVE-2018-18310: elfutils: invalid memory address dereference in dwfl_segment_report_module.c in libdwfl. An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.

CVE-2018-16403: elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libdw/dwarf_hasattr.c causes crash. libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.

CVE-2018-16402: elfutils: Double-free due to double decompression of sections in crafted ELF causes crash. libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

CVE-2018-16062: elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file. An out-of-bounds read was discovered in elfutils in the way it reads DWARF address ranges information. Function dwarf_getaranges() in dwarf_getaranges.c does not properly check whether it reads beyond the limits of the ELF section. An attacker could use this flaw to cause a denial of service via a crafted file.

References

low severity

ALAS2-2020-1452

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.11-33.amzn2
  • Fixed in: 5.11-36.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* file-libs@5.11-33.amzn2

Overview

Affected versions of this package are vulnerable to ALAS2-2020-1452. Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-10360 (bug 1590000): file: out-of-bounds read via a crafted ELF file. The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.

Remediation

Upgrade file-libs to version 5.11-36.amzn2.0.1 or higher.

References

low severity

ALAS2-2018-1129

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.15.1-19.amzn2.0.1
  • Fixed in: 1.15.1-20.amzn2.0.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* krb5-libs@1.15.1-19.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-5730 (bug 1551082): krb5: DN container check bypass by supplying specially crafted data. MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

CVE-2018-5729 (bug 1551083): krb5: null dereference in kadmind or DN container check bypass by supplying specially crafted data. MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.

References

low severity

ALAS2-2018-1135

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.55.1-12.amzn2.0.7

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcurl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-14618 (bug 1622707): curl: NTLM password overflow via integer overflow. curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32-bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)

References

low severity

ALAS2-2019-1233

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.55.1-12.amzn2.0.1
  • Fixed in: 7.61.1-11.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* libcurl@7.55.1-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-5436 (bug 1710620): curl: TFTP receive heap buffer overflow in tftp_receive_packet() function. A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.

CVE-2019-5435 (bug 1710609): curl: Integer overflows in curl_url_set() function. An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.

References

low severity

ALAS2-2018-1053

  • Vulnerable module: ncurses
  • Introduced through: ncurses@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-10754 (bug 1576119): ncurses: NULL pointer dereference in _nc_parse_entry function in tinfo/parse_entry.c. A NULL pointer dereference was found in the way the _nc_parse_entry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.

References

low severity

ALAS2-2018-1053

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses-base@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2018-10754 (bug 1576119): ncurses: NULL pointer dereference in _nc_parse_entry function in tinfo/parse_entry.c. A NULL pointer dereference was found in the way the _nc_parse_entry function parses terminfo data for compilation. An attacker able to provide specially crafted terminfo data could use this flaw to crash the application parsing it.

References

low severity

ALAS2-2018-1053

  • Vulnerable module: ncurses-compat-libs
  • Introduced through: ncurses-compat-libs@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses-compat-libs@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerability:

  • CVE-2018-10754: A NULL pointer dereference was found in the way the _nc_parse_entry function (tinfo/parse_entry.c) parses terminfo data for compilation. An attacker able to supply specially crafted terminfo data could use this flaw to crash the application parsing it. (bug 1576119: ncurses: NULL pointer dereference in _nc_parse_entry function in tinfo/parse_entry.c)

References

low severity

ALAS2-2018-1053

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.0-8.20170212.amzn2
  • Fixed in: 6.0-8.20170212.amzn2.1.1

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* ncurses-libs@6.0-8.20170212.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerability:

  • CVE-2018-10754: A NULL pointer dereference was found in the way the _nc_parse_entry function (tinfo/parse_entry.c) parses terminfo data for compilation. An attacker able to supply specially crafted terminfo data could use this flaw to crash the application parsing it. (bug 1576119: ncurses: NULL pointer dereference in _nc_parse_entry function in tinfo/parse_entry.c)

References

low severity

ALAS2-2019-1153

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.0.2k-12.amzn2.0.1
  • Fixed in: 1:1.0.2k-16.amzn2.0.2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* openssl-libs@1:1.0.2k-12.amzn2.0.1

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerability:

  • CVE-2018-0734: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker able to observe timing variations in the signing algorithm could use them to recover the private key. Upstream fixes: OpenSSL 1.1.1a (affected: 1.1.1), 1.1.0j (affected: 1.1.0 to 1.1.0i) and 1.0.2q (affected: 1.0.2 to 1.0.2p). (bug 1644364: openssl: timing side channel attack in the DSA signature algorithm)

Amazon Linux 2 backports the fix rather than rebasing, so the patched package still reports version 1.0.2k. Compare the RPM release against 1:1.0.2k-16.amzn2.0.2 instead of looking for the upstream 1.0.2q.
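The "Fixed in" versions on this page (ncurses, openssl-libs, setup) are RPM epoch:version-release strings, and the backported OpenSSL fix above shows why a plain version string is not enough: both the vulnerable and the fixed package are 1.0.2k and only the release differs. The following is an added example, not Snyk's or Amazon's code, that reimplements rpm's segment-wise version comparison (simplified: the '~' and '^' segment rules are not handled, and no version on this page uses them) and applies it to the installed/fixed pairs taken from this report.

```python
import re
from typing import List, Tuple

# Added example, not part of the Snyk report or of rpm itself.
# Simplified reimplementation of rpmvercmp: segments are runs of digits or
# letters; digits compare numerically, letters lexically, a numeric segment
# beats an alpha one, and when all shared segments match the longer string wins.
# '~' and '^' segments are NOT handled (assumption: none of the versions here use them).

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b, for a version or release string."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)            # numeric: 16 > 12, not a string compare
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric segment is newer than alpha
        elif x != y:
            return -1 if x < y else 1          # alpha segments: 'k' < 'q'
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1      # more trailing segments wins


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; a missing epoch (or rpm's '(none)') is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, sep, release = evr.rpartition("-")
    if not sep:                                # no release part at all
        version, release = release, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Full EVR comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed: str, fixed_in: str) -> bool:
    return evrcmp(installed, fixed_in) >= 0


# Installed / fixed-in pairs copied from this report's entries.
FINDINGS = [
    ("ALAS2-2018-1053", "ncurses-libs", "6.0-8.20170212.amzn2", "6.0-8.20170212.amzn2.1.1"),
    ("ALAS2-2019-1153", "openssl-libs", "1:1.0.2k-12.amzn2.0.1", "1:1.0.2k-16.amzn2.0.2"),
    ("ALAS2-2019-1158", "setup", "2.8.71-7.amzn2", "2.8.71-10.amzn2"),
]


def still_vulnerable(findings=FINDINGS) -> List[str]:
    """Advisory IDs whose installed package is below the fixed-in EVR."""
    return [alas for alas, _pkg, inst, fixed in findings if not is_fixed(inst, fixed)]


if __name__ == "__main__":
    for alas, pkg, inst, fixed in FINDINGS:
        state = "fixed" if is_fixed(inst, fixed) else "VULNERABLE"
        print(f"{alas} {pkg}: installed {inst}, fixed in {fixed} -> {state}")
```

To check a running Amazon Linux 2 container, feed `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' <package>` into `is_fixed`; rpm prints `(none)` for an unset epoch, which `parse_evr` maps to 0. Note that `rpmvercmp("1.0.2k", "1.0.2q")` is -1, so comparing the installed version against the upstream 1.0.2q would wrongly flag a patched 1:1.0.2k-16.amzn2.0.2 as vulnerable.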

References

low severity

ALAS2-2019-1158

  • Vulnerable module: setup
  • Introduced through: setup@2.8.71-7.amzn2
  • Fixed in: 2.8.71-10.amzn2

Detailed paths

  • Introduced through: amazonlinux:2.0.20180622.1@* setup@2.8.71-7.amzn2

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerability:

  • CVE-2018-1113: The setup package in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates a security assumption made by pam_shells and by some daemons that grant access based on whether a user's shell is listed in /etc/shells: under some circumstances, users whose shell had been changed to /sbin/nologin could still access the system. (bug 1571094: setup: nologin listed in /etc/shells violates security expectations)
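The broken assumption is easy to see when the pam_shells decision is written out. The following is an added example, not part of the advisory or of pam_shells: it approximates the pam_shells rule (the account's login shell must exactly match a non-empty, non-comment line of /etc/shells), runs it against a constructed /etc/passwd excerpt and a constructed /etc/shells that lists nologin as the affected setup package did, and shows the same locked account being accepted before and rejected after the nologin entries are removed.

```python
from typing import Dict, List

# Added example, not code from the advisory or from Linux-PAM. The files below
# are constructed for the example; the pam_shells logic is an approximation
# (exact string match of the login shell against the listed shells).

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin"}

# Constructed /etc/shells in the state CVE-2018-1113 describes: nologin is listed.
SHELLS_VULNERABLE = """/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
"""

# Constructed /etc/passwd excerpt: 'svc' was "locked out" by setting its shell to nologin.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/bash
"""


def valid_shells(shells_text: str) -> List[str]:
    """Shells /etc/shells actually lists: non-empty, non-comment lines, whitespace stripped."""
    return [ln.strip() for ln in shells_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def login_shells(passwd_text: str) -> Dict[str, str]:
    """Map user name -> login shell (7th passwd field)."""
    shells: Dict[str, str] = {}
    for ln in passwd_text.splitlines():
        fields = ln.split(":")
        if len(fields) >= 7 and not ln.startswith("#"):
            shells[fields[0]] = fields[6]
    return shells


def pam_shells_allows(user: str, passwd_text: str, shells_text: str) -> bool:
    """True if pam_shells would accept the user: its login shell appears in /etc/shells."""
    shell = login_shells(passwd_text).get(user)
    if shell is None:
        return False
    return shell in valid_shells(shells_text)


def nologin_entries(shells_text: str) -> List[str]:
    """The offending lines: nologin binaries listed as valid shells."""
    return [s for s in valid_shells(shells_text) if s in NOLOGIN_SHELLS]


def fixed_shells(shells_text: str) -> str:
    """The same file with the nologin entries removed, which is what the fix amounts to."""
    return "".join(ln + "\n" for ln in shells_text.splitlines()
                   if ln.strip() not in NOLOGIN_SHELLS)


if __name__ == "__main__":
    print("nologin listed:", nologin_entries(SHELLS_VULNERABLE))
    print("svc allowed with vulnerable /etc/shells:",
          pam_shells_allows("svc", PASSWD_SAMPLE, SHELLS_VULNERABLE))
    print("svc allowed with fixed /etc/shells:",
          pam_shells_allows("svc", PASSWD_SAMPLE, fixed_shells(SHELLS_VULNERABLE)))
```

On a real host, `nologin_entries(open("/etc/shells").read())` is the one-line audit: any output means services that gate on pam_shells (or on `/etc/shells` membership directly) are not actually locking out nologin accounts. Removing the entries is only safe for a system whose own tools never relied on them being listed, which is why the proper fix is the updated setup package rather than a hand edit.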

References