Docker amazonlinux:2018.03.0.20200602.1

Vulnerabilities

22 via 22 paths

Dependencies

103

Source

Docker

Target OS

amzn:2018.03
Severity
  • 4 high
  • 16 medium
  • 2 low
Status
  • 22 open
  • 0 patched
  • 0 ignored
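Every finding below pairs the package release installed in this image with the Amazon Linux release that contains the fix, and the only way to tell whether a rebuilt or patched image is still affected is to compare those release strings the way rpm does (epoch first, then version, then release, segment by segment, with numeric segments beating alphabetic ones). The Python 3 script below is an added example; it is not part of the Snyk report and not Amazon or rpm tooling. It reimplements rpm's ordering in simplified form (tilde handled, caret omitted), copies the fixed-in releases from the findings on this page, and checks a constructed `rpm -qa` listing against them. The package table, the sample listing and the `(none)` epoch handling are this example's own assumptions.

```python
import re

# Segments rpm compares: runs of digits, runs of letters, and the tilde separator
# (tilde sorts before anything else, including end-of-string). Caret is omitted here.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Order two version (or release) strings like rpm's rpmvercmp: 1 if a > b, -1 if a < b, 0 if equal."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":          # the side carrying the tilde is the older one
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:                     # a ran out of segments first, so b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):          # numeric compare (leading zeros are irrelevant)
                return 1 if int(x) > int(y) else -1
        elif x != y:                      # alphabetic segments compare as plain strings
            return 1 if x > y else -1
    return 0


def parse_evr(s):
    """Split 'epoch:version-release' into (int epoch, version, release); a missing epoch is 0."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    version, _, release = rest.partition("-")   # RPM forbids '-' inside version and release
    return int(epoch), version, release


def evr_compare(a, b):
    """Compare two epoch:version-release strings: epoch decides first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# (package, fixed-in release) pairs copied from the findings on this page; where a package
# has two advisories the later fixed-in release is used.
FIXED_IN = [
    ("libnghttp2", "1.33.0-1.1.6.amzn1"),
    ("libxml2", "2.9.1-6.4.41.amzn1"),
    ("libxml2-python27", "2.9.1-6.4.41.amzn1"),
    ("openssl", "1:1.0.2k-16.153.amzn1"),
    ("bash", "4.2.46-34.43.amzn1"),
    ("curl", "7.61.1-12.95.amzn1"),
    ("libcurl", "7.61.1-12.95.amzn1"),
    ("expat", "2.1.0-12.24.amzn1"),
    ("libcom_err", "1.43.5-2.44.amzn1"),
    ("python27", "2.7.18-2.141.amzn1"),
    ("python27-libs", "2.7.18-2.141.amzn1"),
]

# Constructed sample of:  rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# (rpm prints "(none)" for an unset epoch). Some packages sit at the base-image releases
# from this report, others are already at the fixed release.
SAMPLE_RPM_QA = """\
libnghttp2 (none):1.31.1-2.5.amzn1
libxml2 (none):2.9.1-6.4.41.amzn1
openssl 1:1.0.2k-16.152.amzn1
bash (none):4.2.46-34.43.amzn1
curl (none):7.61.1-12.93.amzn1
python27 (none):2.7.18-2.141.amzn1
"""


def parse_rpm_qa(text):
    """Turn the query-format output above into {name: 'epoch:version-release'}."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        if evr.startswith("(none):"):
            evr = evr[len("(none):"):]
        installed[name] = evr
    return installed


def outstanding(installed, fixed_in=FIXED_IN):
    """Findings whose package is installed at a release older than the fixed-in release."""
    return [
        (name, installed[name], fixed)
        for name, fixed in fixed_in
        if name in installed and evr_compare(installed[name], fixed) < 0
    ]


if __name__ == "__main__":
    for name, have, need in outstanding(parse_rpm_qa(SAMPLE_RPM_QA)):
        print(f"{name}: installed {have}, needs {need}")
```

Feed it the real listing from inside the container and it names the packages that still need `yum update`; note that openssl in the sample is one release short (16.152 fixes ALAS-2020-1456 but not ALAS-2021-1482), which a plain string comparison of the upstream version "1.0.2k" would never show.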

high severity

ALAS-2020-1404

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.31.1-2.5.amzn1
  • Fixed in: 1.33.0-1.1.6.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libnghttp2@1.31.1-2.5.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1404. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-11080 (bug 1844929: nghttp2: overly large SETTINGS frames can lead to DoS): In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof-of-concept attack has a malicious client send, over and over again, a SETTINGS frame with a length of 14,400 bytes (2,400 individual settings entries); the attack drives the CPU to 100%. nghttp2 v1.41.0 fixes this vulnerability. Workaround: implement the nghttp2_on_frame_recv_callback callback and, if the received frame is a SETTINGS frame with a large number of settings entries (e.g., more than 32), drop the connection.
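The workaround above works because a SETTINGS frame's entry count follows directly from its length: RFC 7540 fixes the frame header at 9 bytes and every setting at 6 bytes (16-bit identifier, 32-bit value), so a 14,400-byte payload is 2,400 entries. The Python 3 example below is added here and is not nghttp2 code or part of the advisory; it builds and parses raw SETTINGS frames and applies the same entry cap in front of the parser, together with the RFC's own validity checks for the frame. The frame builder, the 32-entry cap as a policy value and the constructed frames are this example's assumptions.

```python
import struct

FRAME_HEADER_LEN = 9        # 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id
SETTINGS_TYPE = 0x4
SETTINGS_ACK = 0x1
SETTINGS_ENTRY_LEN = 6      # 16-bit identifier + 32-bit value
MAX_SETTINGS_ENTRIES = 32   # policy cap suggested in the advisory text; RFC 7540 sets no limit


def build_settings_frame(entries, ack=False, stream_id=0):
    """Serialize a SETTINGS frame from (identifier, value) pairs. Used here only to construct input."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_TYPE, SETTINGS_ACK if ack else 0])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frame_header(data):
    """Decode the 9-byte HTTP/2 frame header into (length, type, flags, stream_id)."""
    length = int.from_bytes(data[0:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF
    return length, ftype, flags, stream_id


def check_settings_frame(frame, max_entries=MAX_SETTINGS_ENTRIES):
    """Decide whether to accept a frame before its settings are parsed.

    Returns (accept, reason, n_entries). Frames of other types pass through untouched;
    SETTINGS frames are validated per RFC 7540 section 6.5 and then held to the entry cap.
    """
    if len(frame) < FRAME_HEADER_LEN:
        return False, "truncated frame header", 0
    length, ftype, flags, stream_id = parse_frame_header(frame)
    if ftype != SETTINGS_TYPE:
        return True, "not a SETTINGS frame", 0
    if len(frame) < FRAME_HEADER_LEN + length:
        return False, "truncated payload", 0
    if stream_id != 0:
        return False, "SETTINGS on a non-zero stream (PROTOCOL_ERROR)", 0
    if flags & SETTINGS_ACK and length != 0:
        return False, "SETTINGS ACK with a payload (FRAME_SIZE_ERROR)", 0
    if length % SETTINGS_ENTRY_LEN != 0:
        return False, "payload is not a multiple of 6 bytes (FRAME_SIZE_ERROR)", 0
    n_entries = length // SETTINGS_ENTRY_LEN
    if n_entries > max_entries:
        return False, f"{n_entries} settings entries exceed the cap of {max_entries}; drop the connection", n_entries
    return True, "ok", n_entries


def parse_settings(frame):
    """Decode the (identifier, value) pairs of a SETTINGS frame that passed check_settings_frame."""
    length, _, _, _ = parse_frame_header(frame)
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    return [struct.unpack("!HI", payload[i:i + SETTINGS_ENTRY_LEN])
            for i in range(0, len(payload), SETTINGS_ENTRY_LEN)]


# Constructed frames: the advisory's proof-of-concept shape (2,400 entries = 14,400 bytes)
# and an ordinary client SETTINGS frame (MAX_CONCURRENT_STREAMS, INITIAL_WINDOW_SIZE).
POC_FRAME = build_settings_frame([(1 + i % 6, 0) for i in range(2400)])
NORMAL_FRAME = build_settings_frame([(0x3, 100), (0x4, 65535)])

if __name__ == "__main__":
    for name, frame in (("poc", POC_FRAME), ("normal", NORMAL_FRAME)):
        accept, reason, n = check_settings_frame(frame)
        print(f"{name}: {len(frame) - FRAME_HEADER_LEN}-byte payload, {n} entries -> "
              f"{'accept' if accept else 'reject'} ({reason})")
```

The cap is deliberately applied from the frame header alone, before any entry is decoded, because the cost the advisory describes is in processing the entries; in nghttp2 the equivalent decision is taken in nghttp2_on_frame_recv_callback, after the library has already parsed the frame, which is why upgrading to 1.41.0 is preferable to the workaround.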

Remediation

Upgrade libnghttp2 to version 1.33.0-1.1.6.amzn1 or higher.

high severity

ALAS-2020-1415

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.40.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libxml2@2.9.1-6.3.52.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1415. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2018-14567 (bug 1619875: libxml2: infinite loop caused by incorrect error detection during LZMA decompression): libxml2 2.9.8, if built with --with-lzma, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint; a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
  • CVE-2018-14404 (bug 1595985: libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c): A NULL pointer dereference exists in xpath.c:xmlXPathCompOpEval() in libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications that process untrusted XSL inputs with libxml2 may be vulnerable to a denial of service due to a crash of the application.
  • CVE-2017-18258 (bug 1566749: libxml2: unrestricted memory usage in xz_head() function in xzlib.c): The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder does not restrict memory usage to what a legitimate file requires.
  • CVE-2017-15412 (bug 1523128: libxml2: use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c): Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2016-5131 (bug 1358641: libxml2: use after free triggered by XPointer paths beginning with range-to): Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
  • CVE-2015-8035 (bug 1277146: libxml2: DoS caused by incorrect error detection during XZ decompression): The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Remediation

Upgrade libxml2 to version 2.9.1-6.4.40.amzn1 or higher.

high severity

ALAS-2020-1415

  • Vulnerable module: libxml2-python27
  • Introduced through: libxml2-python27@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.40.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libxml2-python27@2.9.1-6.3.52.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1415. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2018-14567 (bug 1619875: libxml2: infinite loop caused by incorrect error detection during LZMA decompression): libxml2 2.9.8, if built with --with-lzma, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint; a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
  • CVE-2018-14404 (bug 1595985: libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c): A NULL pointer dereference exists in xpath.c:xmlXPathCompOpEval() in libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications that process untrusted XSL inputs with libxml2 may be vulnerable to a denial of service due to a crash of the application.
  • CVE-2017-18258 (bug 1566749: libxml2: unrestricted memory usage in xz_head() function in xzlib.c): The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder does not restrict memory usage to what a legitimate file requires.
  • CVE-2017-15412 (bug 1523128: libxml2: use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c): Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
  • CVE-2016-5131 (bug 1358641: libxml2: use after free triggered by XPointer paths beginning with range-to): Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
  • CVE-2015-8035 (bug 1277146: libxml2: DoS caused by incorrect error detection during XZ decompression): The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

The libxml2-python27 bindings are built from the same libxml2 source package, so they carry the same flaws and are fixed by the same release.

Remediation

Upgrade libxml2-python27 to version 2.9.1-6.4.40.amzn1 or higher.

high severity

ALAS-2020-1456

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.0.2k-16.151.amzn1
  • Fixed in: 1:1.0.2k-16.152.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* openssl@1:1.0.2k-16.151.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1456. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-1971 (bug 1903409: openssl: EDIPARTYNAME NULL pointer de-reference): A NULL pointer dereference flaw was found in OpenSSL. A remote attacker able to control the arguments of the GENERAL_NAME_cmp function could crash an application compiled with OpenSSL, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade openssl to version 1:1.0.2k-16.152.amzn1 or higher.

medium severity

ALAS-2020-1379

  • Vulnerable module: bash
  • Introduced through: bash@4.2.46-28.37.amzn1
  • Fixed in: 4.2.46-34.43.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* bash@4.2.46-28.37.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1379. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-9924 (bug 1691774: bash: BASH_CMDS is writable in restricted bash shells): rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Remediation

Upgrade bash to version 4.2.46-34.43.amzn1 or higher.

medium severity

ALAS-2020-1411

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-12.93.amzn1
  • Fixed in: 7.61.1-12.94.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* curl@7.61.1-12.93.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1411. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-8177 (bug 1847915: curl: command line arguments lead to local file overwrite): The advisory feed carries no description for this CVE. curl's own advisory for it describes the curl command-line tool overwriting an existing local file when -J (--remote-header-name) is combined with -i (--include); it affects curl 7.20.0 through 7.70.0 and is fixed upstream in 7.71.0, with the fix backported to the Amazon Linux 7.61.1-12.94.amzn1 package.

Remediation

Upgrade curl to version 7.61.1-12.94.amzn1 or higher.

medium severity

ALAS-2021-1459

  • Vulnerable module: expat
  • Introduced through: expat@2.1.0-11.22.amzn1
  • Fixed in: 2.1.0-12.24.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* expat@2.1.0-11.22.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2021-1459. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-15903 (bug 1752592: expat: heap-based buffer over-read via crafted XML input): In libexpat before 2.2.8, crafted XML input could fool the parser into switching from DTD parsing to document parsing too early; a subsequent call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
  • CVE-2018-20843 (bug 1723723: expat: large number of colons in input makes parser consume high amount of resources, leading to DoS): It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly a denial of service.

Remediation

Upgrade expat to version 2.1.0-12.24.amzn1 or higher.

medium severity

ALAS-2021-1458

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.43.5-2.43.amzn1
  • Fixed in: 1.43.5-2.44.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libcom_err@1.43.5-2.43.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2021-1458. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-5188 (bug 1790048: e2fsprogs: out-of-bounds write in e2fsck/rehash.c): A code execution vulnerability exists in the directory rehashing functionality of e2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
  • CVE-2019-5094 (bug 1768555: e2fsprogs: crafted ext4 partition leads to out-of-bounds write): An exploitable code execution vulnerability exists in the quota file functionality of e2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Both flaws are in e2fsck itself; libcom_err is flagged because it is built from the e2fsprogs source package and shares its version-release, so the finding is remediated by updating the package whether or not the image ever runs e2fsck.

Remediation

Upgrade libcom_err to version 1.43.5-2.44.amzn1 or higher.

medium severity

ALAS-2020-1411

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-12.93.amzn1
  • Fixed in: 7.61.1-12.94.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libcurl@7.61.1-12.93.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1411. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-8177 (bug 1847915: curl: command line arguments lead to local file overwrite): The advisory feed carries no description for this CVE. curl's own advisory for it describes the curl command-line tool overwriting an existing local file when -J (--remote-header-name) is combined with -i (--include); it affects curl 7.20.0 through 7.70.0 and is fixed upstream in 7.71.0. The flaw is in the curl tool rather than in libcurl, but the library package is built from the same source and is flagged and updated together with it.

Remediation

Upgrade libcurl to version 7.61.1-12.94.amzn1 or higher.

medium severity

ALAS-2020-1438

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.41.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libxml2@2.9.1-6.3.52.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1438. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-7595 (bug 1799786: libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations): xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
  • CVE-2019-20388 (bug 1799734: libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c): A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability.
  • CVE-2019-19956 (bug 1788856: libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c): xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Remediation

Upgrade libxml2 to version 2.9.1-6.4.41.amzn1 or higher.

medium severity

ALAS-2020-1438

  • Vulnerable module: libxml2-python27
  • Introduced through: libxml2-python27@2.9.1-6.3.52.amzn1
  • Fixed in: 2.9.1-6.4.41.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libxml2-python27@2.9.1-6.3.52.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1438. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-7595 (bug 1799786: libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations): xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
  • CVE-2019-20388 (bug 1799734: libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c): A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed, leading to a denial of service. System availability is the highest threat from this vulnerability.
  • CVE-2019-19956 (bug 1788856: libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c): xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

Remediation

Upgrade libxml2-python27 to version 2.9.1-6.4.41.amzn1 or higher.

medium severity (new)

ALAS-2021-1482

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.0.2k-16.151.amzn1
  • Fixed in: 1:1.0.2k-16.153.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* openssl@1:1.0.2k-16.151.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2021-1482. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2021-23841 (bug 1930310: openssl: NULL pointer dereference in X509_issuer_and_serial_hash()): The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. Fixed in OpenSSL 1.1.1j (affected 1.1.1-1.1.1i) and OpenSSL 1.0.2y (affected 1.0.2-1.0.2x). OpenSSL 1.0.2 is out of support upstream and no longer receiving public updates; premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y, other users to 1.1.1j.
  • CVE-2021-23840 (bug 1930324: openssl: integer overflow in CipherUpdate): Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. Fixed in OpenSSL 1.1.1j (affected 1.1.1-1.1.1i) and OpenSSL 1.0.2y (affected 1.0.2-1.0.2x), with the same support caveat for 1.0.2.

On Amazon Linux AMI both fixes are backported into the distribution's 1.0.2k package (1:1.0.2k-16.153.amzn1); the upstream version string reported by `openssl version` does not change, so verify the package release rather than the library version.

Remediation

Upgrade openssl to version 1:1.0.2k-16.153.amzn1 or higher.

medium severity

ALAS-2020-1407

  • Vulnerable module: python27
  • Introduced through: python27@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-1.138.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1407. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-8492 (bug 1809065: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS): Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of catastrophic backtracking in urllib.request.AbstractBasicAuthHandler (urllib2.AbstractBasicAuthHandler in Python 2.7). The trigger is the server's WWW-Authenticate header, so any client that follows 401 responses with this handler is exposed.
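The flaw is in the regular expression the basic-auth handler runs over the WWW-Authenticate value: the pre-fix pattern began with `(?:.*,)*`, a nested unanchored quantifier whose backtracking grows super-linearly on a long challenge that never reaches `realm=`. The Python 3 snippet below is an added example, not code from the report; the anchored pattern is the one CPython adopted in its fix (bpo-39503), while the surrounding parser, the header-length budget and the sample headers are this example's own assumptions.

```python
import re

# Pre-fix pattern (do not use): '(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\\2'
# Fixed pattern: each scheme is anchored to the start of the header or to the preceding
# comma, and the scheme token may not contain a comma, so the matcher walks the header once.
CHALLENGE_RE = re.compile(
    r"(?:^|,)"                     # scheme starts at beginning of header or after ','
    r"[ \t]*"
    r"([^ \t,]+)"                  # auth-scheme token, e.g. Basic, Digest, Bearer
    r"[ \t]+"
    r"realm=([\"']?)([^\"']*)\2",  # realm=xxx | realm='xxx' | realm="xxx"
    re.IGNORECASE,
)

MAX_HEADER_LEN = 4096  # assumed budget for a single WWW-Authenticate value


def parse_challenges(header):
    """Return [(scheme, realm), ...] found in a WWW-Authenticate header value.

    Rejects oversized input up front, so a hostile server cannot hand the matcher an
    arbitrarily long string even though the fixed pattern itself is linear.
    """
    if len(header) > MAX_HEADER_LEN:
        raise ValueError(f"WWW-Authenticate value exceeds {MAX_HEADER_LEN} bytes")
    return [(m.group(1), m.group(3)) for m in CHALLENGE_RE.finditer(header)]


def basic_realms(header):
    """Realms offered with the Basic scheme, which is what AbstractBasicAuthHandler acts on."""
    return [realm for scheme, realm in parse_challenges(header) if scheme.lower() == "basic"]


# Constructed inputs: an ordinary multi-scheme challenge, and a long challenge full of
# commas with no realm, the class of input that stalled the pre-fix pattern.
NORMAL_CHALLENGE = 'Bearer realm="api", Basic realm=\'legacy\''
HOSTILE_CHALLENGE = "Basic " + "x," * 1500

if __name__ == "__main__":
    print(parse_challenges(NORMAL_CHALLENGE))
    print(basic_realms(NORMAL_CHALLENGE))
    print(parse_challenges(HOSTILE_CHALLENGE))
```

Python's `re` module has no match timeout, so the length budget is the only backstop a client has against a pattern that turns out to be slower than expected; keep it even after upgrading to a fixed interpreter.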

Remediation

Upgrade python27 to version 2.7.18-1.138.amzn1 or higher.

medium severity

ALAS-2020-1427

  • Vulnerable module: python27
  • Introduced through: python27@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-2.139.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1427. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-20907 (bug 1856481: python: infinite loop in the tarfile module via crafted TAR archive): In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Remediation

Upgrade python27 to version 2.7.18-2.139.amzn1 or higher.

medium severity

ALAS-2020-1454

  • Vulnerable module: python27
  • Introduced through: python27@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-2.140.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1454. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-26116 (bug 1883014: python: CRLF injection via HTTP request method in httplib/http.client): http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 (and httplib in the Python 2.7 shipped by this package) allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. The method string is copied into the request line unchecked, so an embedded CR LF ends the request line early and lets the attacker append headers or a whole second request.
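The Python 3 example below is added here and is not code from the report or from CPython. It shows a request-line builder with the unpatched behaviour beside one that validates the method as a single RFC 7230 token, and checks that the running interpreter's http.client now refuses such a method on its own (patched versions raise ValueError before opening a socket). The function names, the 127.0.0.1:9 target and the constructed method string are this example's assumptions.

```python
import http.client
import re

# RFC 7230 "token": the only characters a request method may contain. fullmatch is used
# rather than match with '$', because '$' would still accept a trailing newline.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed attacker-controlled method: a complete request line and header block, then a
# bare "GET" so that the victim's own " /path HTTP/1.1" completes a second request.
INJECTED_METHOD = "GET /login HTTP/1.1\r\nHost: attacker.example\r\n\r\nGET"


def request_head_unchecked(method, path, host):
    """Mirror of the unpatched behaviour: the method is interpolated verbatim."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def request_head(method, path, host):
    """Hardened builder: refuse any method that is not exactly one token."""
    if not TOKEN_RE.fullmatch(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def request_lines(head):
    """Lines a server would read as request lines ('METHOD SP target SP HTTP/1.1')."""
    return [line for line in head.split("\r\n") if line.endswith(" HTTP/1.1")]


def stdlib_rejects(method):
    """True if this interpreter's http.client refuses the method (fix for CVE-2020-26116).

    The connection target is never reached: a patched putrequest validates the method and
    raises ValueError before any socket is opened.
    """
    conn = http.client.HTTPConnection("127.0.0.1", 9)
    try:
        conn.request(method, "/")
    except ValueError:
        return True
    except OSError:
        return False   # unpatched: method accepted, connection attempted and failed
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    head = request_head_unchecked(INJECTED_METHOD, "/api", "victim.example")
    print("unchecked builder produced request lines:", request_lines(head))
    print("installed http.client rejects the method:", stdlib_rejects(INJECTED_METHOD))
```

The hardened builder is the pattern to apply wherever a method, path or header value comes from outside the program; the standard library's own check only covers the method and the URL of `HTTPConnection.request`, not strings you splice into raw sockets yourself.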

Remediation

Upgrade python27 to version 2.7.18-2.140.amzn1 or higher.

medium severity (new)

ALAS-2021-1484

  • Vulnerable module: python27
  • Introduced through: python27@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-2.141.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2021-1484. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2021-3177 (bug 1918168: python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c): A stack-based buffer overflow was discovered in the ctypes module shipped with Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade python27 to version 2.7.18-2.141.amzn1 or higher.

medium severity

ALAS-2020-1407

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-1.138.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27-libs@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1407. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-8492 (bug 1809065: python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS): Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allow an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of catastrophic backtracking in urllib.request.AbstractBasicAuthHandler (urllib2.AbstractBasicAuthHandler in Python 2.7).

Remediation

Upgrade python27-libs to version 2.7.18-1.138.amzn1 or higher.

medium severity

ALAS-2020-1427

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-2.139.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27-libs@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1427. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2019-20907 (bug 1856481: python: infinite loop in the tarfile module via crafted TAR archive): In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Remediation

Upgrade python27-libs to version 2.7.18-2.139.amzn1 or higher.

medium severity

ALAS-2020-1454

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-2.140.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27-libs@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1454. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-26116 (bug 1883014: python: CRLF injection via HTTP request method in httplib/http.client): http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 (and httplib in the Python 2.7 shipped by this package) allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Remediation

Upgrade python27-libs to version 2.7.18-2.140.amzn1 or higher.

medium severity (new)

ALAS-2021-1484

  • Vulnerable module: python27-libs
  • Introduced through: python27-libs@2.7.18-1.137.amzn1
  • Fixed in: 2.7.18-2.141.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* python27-libs@2.7.18-1.137.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2021-1484. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2021-3177 (bug 1918168: python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c): A stack-based buffer overflow was discovered in the ctypes module shipped with Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade python27-libs to version 2.7.18-2.141.amzn1 or higher.

low severity

ALAS-2020-1444

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-12.93.amzn1
  • Fixed in: 7.61.1-12.95.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* curl@7.61.1-12.93.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1444. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-8231 (bug 1868032: curl: expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set): A flaw was found in libcurl versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality.

Remediation

Upgrade curl to version 7.61.1-12.95.amzn1 or higher.

low severity

ALAS-2020-1444

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-12.93.amzn1
  • Fixed in: 7.61.1-12.95.amzn1

Detailed paths

  • Introduced through: amazonlinux:2018.03.0.20200602.1@* libcurl@7.61.1-12.93.amzn1

Overview

Affected versions of this package are vulnerable to ALAS-2020-1444. Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

  • CVE-2020-8231 (bug 1868032: curl: expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set): A flaw was found in libcurl versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality.

Remediation

Upgrade libcurl to version 7.61.1-12.95.amzn1 or higher.