Vulnerabilities |
3 via 3 paths |
|---|---|
Dependencies |
103 |
Source |
Docker |
Target OS |
amzn:2018.03 |
high severity
new
- Vulnerable module: glib2
- Introduced through: glib2@2.36.3-5.26.amzn1
- Fixed in: 0:2.36.3-5.27.amzn1
Detailed paths
-
Introduced through: amazonlinux@2018.03 › glib2@2.36.3-5.26.amzn1
NVD Description
Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.
GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented
Remediation
Upgrade Amazon-Linux:2018.03 glib2 to version 0:2.36.3-5.27.amzn1 or higher.
This issue was patched in ALAS-2024-1929.
References
medium severity
- Vulnerable module: nss-softokn
- Introduced through: nss-softokn@3.53.1-6.48.amzn1
- Fixed in: 0:3.53.1-6.49.amzn1
Detailed paths
-
Introduced through: amazonlinux@2018.03 › nss-softokn@3.53.1-6.48.amzn1
NVD Description
Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
Remediation
Upgrade Amazon-Linux:2018.03 nss-softokn to version 0:3.53.1-6.49.amzn1 or higher.
This issue was patched in ALAS-2024-1907.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388
- https://bugzilla.mozilla.org/show_bug.cgi?id=1780432
- https://www.mozilla.org/security/advisories/mfsa2024-12/
- https://www.mozilla.org/security/advisories/mfsa2024-13/
- https://www.mozilla.org/security/advisories/mfsa2024-14/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
- https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html
medium severity
- Vulnerable module: nss-softokn-freebl
- Introduced through: nss-softokn-freebl@3.53.1-6.48.amzn1
- Fixed in: 0:3.53.1-6.49.amzn1
Detailed paths
-
Introduced through: amazonlinux@2018.03 › nss-softokn-freebl@3.53.1-6.48.amzn1
NVD Description
Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
Remediation
Upgrade Amazon-Linux:2018.03 nss-softokn-freebl to version 0:3.53.1-6.49.amzn1 or higher.
This issue was patched in ALAS-2024-1907.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388
- https://bugzilla.mozilla.org/show_bug.cgi?id=1780432
- https://www.mozilla.org/security/advisories/mfsa2024-12/
- https://www.mozilla.org/security/advisories/mfsa2024-13/
- https://www.mozilla.org/security/advisories/mfsa2024-14/
- https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
- https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html