github.com/quay/claircore@v1.5.28/aws/internal/alas/testdata/test_updateinfo.xml
<?xml version="1.0" ?>
<updates><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-1</id><title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title><issued date="2011-09-27 22:46" /><updated date="2014-09-14 14:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" id="CVE-2011-3192" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" id="RHSA-2011:1245" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="i686" epoch="0" name="httpd-devel" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.18.amzn1" version="2.2.21"><filename>Packages/mod_ssl-2.2.21-1.18.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.18.amzn1" version="2.2.21"><filename>Packages/mod_ssl-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-tools-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-devel-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.18.amzn1"
version="2.2.21"><filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.18.amzn1" version="2.2.21"><filename>Packages/httpd-manual-2.2.21-1.18.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-2</id><title>Amazon Linux - ALAS-2011-2: important priority package update for cyrus-imapd</title><issued date="2011-10-10 22:29" /><updated date="2014-09-14 14:25" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3208:
Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command.
A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208" id="CVE-2011-3208" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1317.html" id="RHSA-2011:1317" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="cyrus-imapd-debuginfo" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-imapd-utils" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-imapd-devel" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-imapd" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd-debuginfo" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd-devel" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd-utils" release="6.4.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-3</id><title>Amazon Linux - ALAS-2011-3: medium priority package update for
ca-certificates</title><issued date="2011-10-10 22:31" /><updated date="2014-09-14 14:25" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2011:1248.html" id="RHSA-2011:1248" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="ca-certificates" release="3.7.amzn1" version="2010.63"><filename>Packages/ca-certificates-2010.63-3.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-4</id><title>Amazon Linux - ALAS-2011-4: medium priority package update for openssl</title><issued date="2011-10-10 23:40" /><updated date="2014-09-14 14:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3207:
An uninitialized variable use flaw was found in OpenSSL. This flaw could cause an application using the OpenSSL Certificate Revocation List (CRL) checking functionality to incorrectly accept a CRL that has a nextUpdate date in the past.
crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207" id="CVE-2011-3207" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssl-static" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-static-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-devel" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-devel-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-debuginfo" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-debuginfo-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-perl" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-perl-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-perl" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-perl-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-debuginfo" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-debuginfo-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-devel" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-devel-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-static" release="2.16.amzn1" version="1.0.0e"><filename>Packages/openssl-static-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-5</id><title>Amazon Linux - ALAS-2011-5: medium priority package update for perl-FCGI</title><issued date="2011-10-10 23:48" /><updated date="2014-09-14 14:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2766:
The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers to bypass authentication via crafted HTTP headers.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2766" id="CVE-2011-2766" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="perl-FCGI-debuginfo" release="1.0.amzn1" version="0.74"><filename>Packages/perl-FCGI-debuginfo-0.74-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-FCGI" release="1.0.amzn1" version="0.74"><filename>Packages/perl-FCGI-0.74-1.0.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-FCGI-debuginfo" release="1.0.amzn1" version="0.74"><filename>Packages/perl-FCGI-debuginfo-0.74-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-FCGI" release="1.0.amzn1" version="0.74"><filename>Packages/perl-FCGI-0.74-1.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-6</id><title>Amazon Linux - ALAS-2011-6: medium priority package update for openswan</title><issued date="2011-10-10 23:54" /><updated date="2014-09-14 14:25" /><severity>medium</severity><description>Package updates are available for Amazon
Linux that fix the following vulnerabilities:
CVE-2011-3380:
A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon.
Openswan 2.6.29 through 2.6.35 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto IKE daemon crash) via an ISAKMP message with an invalid KEY_LENGTH attribute, which is not properly handled by the error handling function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3380" id="CVE-2011-3380" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1356.html" id="RHSA-2011:1356" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openswan-debuginfo" release="1.12.amzn1" version="2.6.36"><filename>Packages/openswan-debuginfo-2.6.36-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan" release="1.12.amzn1" version="2.6.36"><filename>Packages/openswan-2.6.36-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan-doc" release="1.12.amzn1" version="2.6.36"><filename>Packages/openswan-doc-2.6.36-1.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan" release="1.12.amzn1" version="2.6.36"><filename>Packages/openswan-2.6.36-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-debuginfo" release="1.12.amzn1" version="2.6.36"><filename>Packages/openswan-debuginfo-2.6.36-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-doc" release="1.12.amzn1" version="2.6.36"><filename>Packages/openswan-doc-2.6.36-1.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-7</id><title>Amazon Linux - ALAS-2011-7: important priority package update for php</title><issued date="2011-10-11 00:07" /><updated date="2014-09-14 14:25" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3379:
The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.
php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code

CVE-2011-3182:
PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

CVE-2011-2483:
A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

CVE-2011-2202:
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."
An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially-crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the "apache" user, preventing it from writing to the root directory.
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'

CVE-2011-1938:
A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses.
An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter.
Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

CVE-2011-1148:
Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.
A use-after-free flaw was found in the PHP substr_replace() function. If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3182" id="CVE-2011-3182" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3379" id="CVE-2011-3379" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483" id="CVE-2011-2483" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938" id="CVE-2011-1938" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202" id="CVE-2011-2202" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148" id="CVE-2011-1148" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-cli" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-cli-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="3.19.amzn1"
version="5.3.8"><filename>Packages/php-debuginfo-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-xml-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-soap-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-process-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-pspell-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mysql-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mssql-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-ldap-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-gd-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-fpm-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-devel-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-pgsql-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-5.3.8-3.19.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php-dba" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-dba-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-odbc-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-common-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mcrypt-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-xmlrpc-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-tidy-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-bcmath-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mbstring-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-pdo-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-intl-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-snmp-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-zts" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-zts-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="3.19.amzn1" 
version="5.3.8"><filename>Packages/php-imap-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-embedded-5.3.8-3.19.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-dba-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-debuginfo-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-odbc-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-process-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-zts" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-zts-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-common-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-pdo-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mssql-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mbstring-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-devel-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="3.19.amzn1" 
version="5.3.8"><filename>Packages/php-cli-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-pspell-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-snmp-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-pgsql-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-soap-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mcrypt-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-xmlrpc-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-xml-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-ldap-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-embedded-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-mysql-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="3.19.amzn1" 
version="5.3.8"><filename>Packages/php-intl-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-bcmath-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-tidy-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-gd-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-fpm-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="3.19.amzn1" version="5.3.8"><filename>Packages/php-imap-5.3.8-3.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-8</id><title>Amazon Linux - ALAS-2011-8: important priority package update for freetype</title><issued date="2011-10-31 18:18" /><updated date="2014-09-14 14:26" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3256:
Multiple input validation flaws were found in the way FreeType processed bitmap font files. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3256" id="CVE-2011-3256" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1402.html" id="RHSA-2011:1402" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="freetype-devel" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-demos" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-debuginfo" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-6.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-debuginfo" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-demos" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-devel" release="6.10.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-6.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-9</id><title>Amazon Linux - ALAS-2011-9: medium priority package update for httpd</title><issued
date="2011-10-31 18:19" /><updated date="2014-09-14 14:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3368:
It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker.
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

CVE-2011-3348:
It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed.
The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368" id="CVE-2011-3368" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348" id="CVE-2011-3348" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1391.html" id="RHSA-2011:1391" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="httpd-devel" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-devel-2.2.21-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-tools-2.2.21-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-2.2.21-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.19.amzn1" version="2.2.21"><filename>Packages/mod_ssl-2.2.21-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-debuginfo-2.2.21-1.19.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.19.amzn1" version="2.2.21"><filename>Packages/mod_ssl-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-debuginfo-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-manual-2.2.21-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-tools-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="httpd-devel" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-devel-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.19.amzn1" version="2.2.21"><filename>Packages/httpd-2.2.21-1.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-10</id><title>Amazon Linux - ALAS-2011-10: critical priority package update for java-1.6.0-openjdk</title><issued date="2011-10-31 18:22" /><updated date="2014-09-14 14:26" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3560:
It was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.

CVE-2011-3558:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.
A flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash.

CVE-2011-3557:
A flaw was found in the Java RMI registry implementation.
A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.

CVE-2011-3556:
A flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.

CVE-2011-3554:
An insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially-crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2011-3553:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
The Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information.

CVE-2011-3552:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
It was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system.

CVE-2011-3551:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2011-3548:
A flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.

CVE-2011-3547:
An information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.

CVE-2011-3544:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
It was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.

CVE-2011-3521:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
A flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially-crafted input.

CVE-2011-3389:
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section.
A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521" id="CVE-2011-3521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554" id="CVE-2011-3554" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556" id="CVE-2011-3556" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548" id="CVE-2011-3548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551" id="CVE-2011-3551" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552" id="CVE-2011-3552" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553" id="CVE-2011-3553" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389" id="CVE-2011-3389" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547" id="CVE-2011-3547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558" id="CVE-2011-3558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560" id="CVE-2011-3560" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544" id="CVE-2011-3544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557" id="CVE-2011-3557" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1380.html" id="RHSA-2011:1380" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package arch="i686"
epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.9.10.40.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="52.1.9.10.40.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-11</id><title>Amazon Linux - ALAS-2011-11: medium priority package update for puppet</title><issued date="2011-10-31 18:22" /><updated date="2014-09-14 14:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3871:
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

CVE-2011-3870:
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

CVE-2011-3869:
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3871" id="CVE-2011-3871" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3870" id="CVE-2011-3870" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3869" id="CVE-2011-3869" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="puppet" release="3.2.amzn1" version="2.6.6"><filename>Packages/puppet-2.6.6-3.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-server" release="3.2.amzn1" version="2.6.6"><filename>Packages/puppet-server-2.6.6-3.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="3.2.amzn1" version="2.6.6"><filename>Packages/puppet-debuginfo-2.6.6-3.2.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="3.2.amzn1" version="2.6.6"><filename>Packages/puppet-debuginfo-2.6.6-3.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="3.2.amzn1" version="2.6.6"><filename>Packages/puppet-2.6.6-3.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="3.2.amzn1" version="2.6.6"><filename>Packages/puppet-server-2.6.6-3.2.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-12</id><title>Amazon Linux - ALAS-2011-12: medium priority package update for postgresql</title><issued date="2011-10-31 18:24" /><updated date="2014-09-14 14:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2483:
A signedness issue was found in the way the PHP crypt()
function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483" id="CVE-2011-2483" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1377.html" id="RHSA-2011:1377" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="postgresql-plperl" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-plperl-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-libs" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-libs-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-devel" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-devel-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-docs" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-docs-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-contrib" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-contrib-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-pltcl" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-pltcl-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-server" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-server-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-plpython" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-plpython-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-debuginfo" release="1.13.amzn1"
version="8.4.9"><filename>Packages/postgresql-debuginfo-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql-test" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-test-8.4.9-1.13.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-pltcl" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-pltcl-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-plpython" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-plpython-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-docs" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-docs-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-contrib" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-contrib-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-plperl" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-plperl-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-devel" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-devel-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-server" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-server-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-libs" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-libs-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-test" release="1.13.amzn1" 
version="8.4.9"><filename>Packages/postgresql-test-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql-debuginfo" release="1.13.amzn1" version="8.4.9"><filename>Packages/postgresql-debuginfo-8.4.9-1.13.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-13</id><title>Amazon Linux - ALAS-2011-13: medium priority package update for xorg-x11-server</title><issued date="2011-10-31 18:25" /><updated date="2014-09-14 14:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2010-4819:
An input sanitization flaw was found in the X.Org Render extension. A malicious, authorized client could use this flaw to leak arbitrary memory from the X.Org server process, or possibly crash the X.Org server.

CVE-2010-4818:
Multiple input sanitization flaws were found in the X.Org GLX (OpenGL extension to the X Window System) extension. A malicious, authorized client could use these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4819" id="CVE-2010-4819" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4818" id="CVE-2010-4818" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1359.html" id="RHSA-2011:1359" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="xorg-x11-server-Xvfb" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-Xvfb-1.7.7-29.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xephyr" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-Xephyr-1.7.7-29.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-common" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-common-1.7.7-29.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xnest" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-Xnest-1.7.7-29.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-debuginfo" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-debuginfo-1.7.7-29.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-Xvfb-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-debuginfo-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-Xnest-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="xorg-x11-server-common" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-common-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-source-1.7.7-29.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xephyr" release="29.10.amzn1" version="1.7.7"><filename>Packages/xorg-x11-server-Xephyr-1.7.7-29.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-14</id><title>Amazon Linux - ALAS-2011-14: medium priority package update for rpm</title><issued date="2011-10-31 18:25" /><updated date="2014-09-14 14:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3378:
Multiple flaws were found in the way the RPM library parsed package headers. An attacker could create a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code.
RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378" id="CVE-2011-3378" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1349.html" id="RHSA-2011:1349" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="rpm-devel" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-devel-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-libs" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-libs-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-apidocs" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-apidocs-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-python" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-python-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-cron" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-cron-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-build" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-build-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-debuginfo" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-debuginfo-4.8.0-16.36.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-devel" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-devel-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-python" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-python-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="rpm-debuginfo" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-debuginfo-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-libs" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-libs-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-apidocs" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-apidocs-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-build" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-build-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-cron" release="16.36.amzn1" version="4.8.0"><filename>Packages/rpm-cron-4.8.0-16.36.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-15</id><title>Amazon Linux - ALAS-2011-15: medium priority package update for krb5</title><issued date="2011-10-31 18:26" /><updated date="2014-09-14 14:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1527:
The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions.
Multiple NULL pointer dereference and assertion failure flaws were found in the MIT Kerberos KDC when it was configured to use an LDAP (Lightweight Directory Access Protocol) or Berkeley Database (Berkeley DB) back end. A remote attacker could use these flaws to crash the KDC.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527" id="CVE-2011-1527" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1379.html" id="RHSA-2011:1379" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="krb5-devel" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-devel-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-server-ldap-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-server-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-pkinit-openssl-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-libs-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-workstation-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-debuginfo-1.9-9.19.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-libs-1.9-9.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server"
release="9.19.amzn1" version="1.9"><filename>Packages/krb5-server-1.9-9.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-debuginfo-1.9-9.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-server-ldap-1.9-9.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-workstation-1.9-9.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-devel-1.9-9.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="9.19.amzn1" version="1.9"><filename>Packages/krb5-pkinit-openssl-1.9-9.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-16</id><title>Amazon Linux - ALAS-2011-16: medium priority package update for kernel</title><issued date="2011-10-31 18:26" /><updated date="2014-09-14 14:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3191:
* A malicious CIFS (Common Internet File System) server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.
* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.

CVE-2011-3188:
* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random.
* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random.

CVE-2011-2918:
* A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service.

CVE-2011-2723:
The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic.
* A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it.
* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it.

CVE-2011-1833:
* A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed.
* A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed.
A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of the directory to mount. A local attacker could use this flaw to mount (and then access) a directory they would otherwise not have access to. Note: The fix for this issue is incomplete until a kernel-space change is made. Future Red Hat Enterprise Linux 5 and 6 kernel updates will correct this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2723" id="CVE-2011-2723" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1833" id="CVE-2011-1833" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188" id="CVE-2011-3188" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191" id="CVE-2011-3191" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2918" id="CVE-2011-2918" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-doc-2.6.35.14-97.44.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="97.44.amzn1"
version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="97.44.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-17</id><title>Amazon Linux - ALAS-2011-17: medium priority package update for 
perl-libwww-perl</title><issued date="2011-10-31 18:34" /><updated date="2014-09-14 14:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-0633:
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0633" id="CVE-2011-0633" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="perl-libwww-perl" release="4.1.amzn1" version="5.837"><filename>Packages/perl-libwww-perl-5.837-4.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-18</id><title>Amazon Linux - ALAS-2011-18: medium priority package update for openswan</title><issued date="2011-11-09 21:34" /><updated date="2014-09-14 14:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4073:
A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6.
Use-after-free vulnerability in the cryptographic helper handler functionality in Openswan 2.3.0 through 2.6.36 allows remote authenticated users to cause a denial of service (pluto IKE daemon crash) via vectors related to the (1) quick_outI1_continue and (2) quick_outI1 functions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073" id="CVE-2011-4073" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1422.html" id="RHSA-2011:1422" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openswan" release="2.15.amzn1" version="2.6.37"><filename>Packages/openswan-2.6.37-2.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan-doc" release="2.15.amzn1" version="2.6.37"><filename>Packages/openswan-doc-2.6.37-2.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan-debuginfo" release="2.15.amzn1" version="2.6.37"><filename>Packages/openswan-debuginfo-2.6.37-2.15.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan" release="2.15.amzn1" version="2.6.37"><filename>Packages/openswan-2.6.37-2.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-doc" release="2.15.amzn1" version="2.6.37"><filename>Packages/openswan-doc-2.6.37-2.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-debuginfo" release="2.15.amzn1" version="2.6.37"><filename>Packages/openswan-debuginfo-2.6.37-2.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-19</id><title>Amazon Linux - ALAS-2011-19: medium priority package update for perl</title><issued date="2011-11-09 21:48" /><updated date="2014-09-14 14:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3597:
It was found that the "new" constructor of the Digest module used its argument as part of the string expression passed to the eval() function.
An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl program that uses untrusted input as an argument to the constructor.
Eval injection in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.

CVE-2011-2939:
A heap-based buffer overflow flaw was found in the way Perl decoded Unicode strings. An attacker could create a malicious Unicode string that, when decoded by a Perl program, would cause the program to crash or, potentially, execute arbitrary code with the permissions of the user running the program.
Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2939" id="CVE-2011-2939" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597" id="CVE-2011-3597" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1424.html" id="RHSA-2011:1424" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="perl-Term-UI" release="119.12.amzn1" version="0.20"><filename>Packages/perl-Term-UI-0.20-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-suidperl" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-suidperl-5.10.1-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Object-Accessor" release="119.12.amzn1" version="0.34"><filename>Packages/perl-Object-Accessor-0.34-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Pod-Escapes"
release="119.12.amzn1" version="1.04"><filename>Packages/perl-Pod-Escapes-1.04-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Digest-SHA" release="119.12.amzn1" version="5.47"><filename>Packages/perl-Digest-SHA-5.47-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-CPAN" release="119.12.amzn1" version="1.9402"><filename>Packages/perl-CPAN-1.9402-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-ExtUtils-ParseXS" release="119.12.amzn1" version="2.2003.0"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-IO-Compress-Base" release="119.12.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Base-2.020-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Build" release="119.12.amzn1" version="0.3500"><filename>Packages/perl-Module-Build-0.3500-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-libs" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-libs-5.10.1-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-ExtUtils-MakeMaker" release="119.12.amzn1" version="6.55"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Load" release="119.12.amzn1" version="0.16"><filename>Packages/perl-Module-Load-0.16-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Time-Piece" release="119.12.amzn1" version="1.15"><filename>Packages/perl-Time-Piece-1.15-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-devel" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-devel-5.10.1-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-ExtUtils-CBuilder" release="119.12.amzn1" 
version="0.27"><filename>Packages/perl-ExtUtils-CBuilder-0.27-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Archive-Extract" release="119.12.amzn1" version="0.38"><filename>Packages/perl-Archive-Extract-0.38-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-core" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-core-5.10.1-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-File-Fetch" release="119.12.amzn1" version="0.26"><filename>Packages/perl-File-Fetch-0.26-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="3" name="perl-version" release="119.12.amzn1" version="0.77"><filename>Packages/perl-version-0.77-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Archive-Tar" release="119.12.amzn1" version="1.58"><filename>Packages/perl-Archive-Tar-1.58-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Parse-CPAN-Meta" release="119.12.amzn1" version="1.40"><filename>Packages/perl-Parse-CPAN-Meta-1.40-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Params-Check" release="119.12.amzn1" version="0.26"><filename>Packages/perl-Params-Check-0.26-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Module-CoreList" release="119.12.amzn1" version="2.18"><filename>Packages/perl-Module-CoreList-2.18-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-ExtUtils-Embed" release="119.12.amzn1" version="1.28"><filename>Packages/perl-ExtUtils-Embed-1.28-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-CPANPLUS" release="119.12.amzn1" version="0.88"><filename>Packages/perl-CPANPLUS-0.88-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Loaded" release="119.12.amzn1" 
version="0.02"><filename>Packages/perl-Module-Loaded-0.02-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Log-Message" release="119.12.amzn1" version="0.02"><filename>Packages/perl-Log-Message-0.02-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Pluggable" release="119.12.amzn1" version="3.90"><filename>Packages/perl-Module-Pluggable-3.90-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Log-Message-Simple" release="119.12.amzn1" version="0.04"><filename>Packages/perl-Log-Message-Simple-0.04-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Test-Harness" release="119.12.amzn1" version="3.17"><filename>Packages/perl-Test-Harness-3.17-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-IPC-Cmd" release="119.12.amzn1" version="0.56"><filename>Packages/perl-IPC-Cmd-0.56-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-IO-Compress-Zlib" release="119.12.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Zlib-2.020-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-parent" release="119.12.amzn1" version="0.221"><filename>Packages/perl-parent-0.221-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Compress-Zlib" release="119.12.amzn1" version="2.020"><filename>Packages/perl-Compress-Zlib-2.020-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-CGI" release="119.12.amzn1" version="3.51"><filename>Packages/perl-CGI-3.51-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-IO-Zlib" release="119.12.amzn1" version="1.09"><filename>Packages/perl-IO-Zlib-1.09-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Test-Simple" release="119.12.amzn1" 
version="0.92"><filename>Packages/perl-Test-Simple-0.92-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Compress-Raw-Zlib" release="119.12.amzn1" version="2.023"><filename>Packages/perl-Compress-Raw-Zlib-2.023-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-debuginfo" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-debuginfo-5.10.1-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Module-Load-Conditional" release="119.12.amzn1" version="0.30"><filename>Packages/perl-Module-Load-Conditional-0.30-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Package-Constants" release="119.12.amzn1" version="0.02"><filename>Packages/perl-Package-Constants-0.02-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-Time-HiRes" release="119.12.amzn1" version="1.9721"><filename>Packages/perl-Time-HiRes-1.9721-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Locale-Maketext-Simple" release="119.12.amzn1" version="0.18"><filename>Packages/perl-Locale-Maketext-Simple-0.18-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-5.10.1-119.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Pod-Simple" release="119.12.amzn1" version="3.13"><filename>Packages/perl-Pod-Simple-3.13-119.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-Time-HiRes" release="119.12.amzn1" version="1.9721"><filename>Packages/perl-Time-HiRes-1.9721-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Time-Piece" release="119.12.amzn1" version="1.15"><filename>Packages/perl-Time-Piece-1.15-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Archive-Extract" 
release="119.12.amzn1" version="0.38"><filename>Packages/perl-Archive-Extract-0.38-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-CPANPLUS" release="119.12.amzn1" version="0.88"><filename>Packages/perl-CPANPLUS-0.88-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-libs" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-libs-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-parent" release="119.12.amzn1" version="0.221"><filename>Packages/perl-parent-0.221-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-ExtUtils-CBuilder" release="119.12.amzn1" version="0.27"><filename>Packages/perl-ExtUtils-CBuilder-0.27-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-ExtUtils-Embed" release="119.12.amzn1" version="1.28"><filename>Packages/perl-ExtUtils-Embed-1.28-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Params-Check" release="119.12.amzn1" version="0.26"><filename>Packages/perl-Params-Check-0.26-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Locale-Maketext-Simple" release="119.12.amzn1" version="0.18"><filename>Packages/perl-Locale-Maketext-Simple-0.18-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-ExtUtils-ParseXS" release="119.12.amzn1" version="2.2003.0"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Archive-Tar" release="119.12.amzn1" version="1.58"><filename>Packages/perl-Archive-Tar-1.58-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Pod-Escapes" release="119.12.amzn1" version="1.04"><filename>Packages/perl-Pod-Escapes-1.04-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" 
name="perl-devel" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-devel-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Object-Accessor" release="119.12.amzn1" version="0.34"><filename>Packages/perl-Object-Accessor-0.34-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Log-Message" release="119.12.amzn1" version="0.02"><filename>Packages/perl-Log-Message-0.02-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Module-CoreList" release="119.12.amzn1" version="2.18"><filename>Packages/perl-Module-CoreList-2.18-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Log-Message-Simple" release="119.12.amzn1" version="0.04"><filename>Packages/perl-Log-Message-Simple-0.04-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Pod-Simple" release="119.12.amzn1" version="3.13"><filename>Packages/perl-Pod-Simple-3.13-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Compress-Zlib" release="119.12.amzn1" version="2.020"><filename>Packages/perl-Compress-Zlib-2.020-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Parse-CPAN-Meta" release="119.12.amzn1" version="1.40"><filename>Packages/perl-Parse-CPAN-Meta-1.40-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Compress-Raw-Zlib" release="119.12.amzn1" version="2.023"><filename>Packages/perl-Compress-Raw-Zlib-2.023-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-ExtUtils-MakeMaker" release="119.12.amzn1" version="6.55"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-119.12.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="perl-IO-Compress-Zlib" release="119.12.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Zlib-2.020-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Loaded" release="119.12.amzn1" version="0.02"><filename>Packages/perl-Module-Loaded-0.02-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Module-Load-Conditional" release="119.12.amzn1" version="0.30"><filename>Packages/perl-Module-Load-Conditional-0.30-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-IO-Compress-Base" release="119.12.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Base-2.020-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-CPAN" release="119.12.amzn1" version="1.9402"><filename>Packages/perl-CPAN-1.9402-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Pluggable" release="119.12.amzn1" version="3.90"><filename>Packages/perl-Module-Pluggable-3.90-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Digest-SHA" release="119.12.amzn1" version="5.47"><filename>Packages/perl-Digest-SHA-5.47-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-File-Fetch" release="119.12.amzn1" version="0.26"><filename>Packages/perl-File-Fetch-0.26-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-CGI" release="119.12.amzn1" version="3.51"><filename>Packages/perl-CGI-3.51-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Test-Simple" release="119.12.amzn1" version="0.92"><filename>Packages/perl-Test-Simple-0.92-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Build" release="119.12.amzn1" 
version="0.3500"><filename>Packages/perl-Module-Build-0.3500-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="3" name="perl-version" release="119.12.amzn1" version="0.77"><filename>Packages/perl-version-0.77-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-debuginfo" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-debuginfo-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-suidperl" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-suidperl-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Package-Constants" release="119.12.amzn1" version="0.02"><filename>Packages/perl-Package-Constants-0.02-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-IO-Zlib" release="119.12.amzn1" version="1.09"><filename>Packages/perl-IO-Zlib-1.09-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Term-UI" release="119.12.amzn1" version="0.20"><filename>Packages/perl-Term-UI-0.20-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-core" release="119.12.amzn1" version="5.10.1"><filename>Packages/perl-core-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-IPC-Cmd" release="119.12.amzn1" version="0.56"><filename>Packages/perl-IPC-Cmd-0.56-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Test-Harness" release="119.12.amzn1" version="3.17"><filename>Packages/perl-Test-Harness-3.17-119.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Load" release="119.12.amzn1" version="0.16"><filename>Packages/perl-Module-Load-0.16-119.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2011-20</id><title>Amazon Linux - ALAS-2011-20: important priority package update for freetype</title><issued date="2011-11-19 01:18" /><updated date="2014-09-14 14:42" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3439:
Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font in a document.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3439" id="CVE-2011-3439" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1455.html" id="RHSA-2011:1455" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="freetype-demos" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-6.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-debuginfo" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-6.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-devel" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-6.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-6.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-debuginfo" release="6.11.amzn1" 
version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-6.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-demos" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-6.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-devel" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-6.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype" release="6.11.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-6.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-21</id><title>Amazon Linux - ALAS-2011-21: medium priority package update for nss</title><issued date="2011-11-19 01:21" /><updated date="2014-09-14 14:43" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2011:1444.html" id="RHSA-2011:1444" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nss-debuginfo" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-debuginfo-3.12.10-2.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-sysinit-3.12.10-2.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-3.12.10-2.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-tools-3.12.10-2.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="2.23.amzn1" 
version="3.12.10"><filename>Packages/nss-devel-3.12.10-2.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-pkcs11-devel-3.12.10-2.23.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-tools-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-sysinit-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-pkcs11-devel-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-debuginfo-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="2.23.amzn1" version="3.12.10"><filename>Packages/nss-devel-3.12.10-2.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-22</id><title>Amazon Linux - ALAS-2011-22: medium priority package update for kernel</title><issued date="2011-11-19 01:22" /><updated date="2014-09-14 14:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4081:
* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service.

CVE-2011-4077:
* A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.

CVE-2011-1083:
The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
* A flaw was found in the way the Linux kernel's Event Poll (epoll) subsystem handled large, nested epoll structures. A local, unprivileged user could use this flaw to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4081" id="CVE-2011-4081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083" id="CVE-2011-1083" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4077" id="CVE-2011-4077" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-doc-2.6.35.14-103.47.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="kernel-headers" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="103.47.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-23</id><title>Amazon Linux - ALAS-2011-23: important priority package update for cacti</title><issued date="2011-11-30 21:57" /><updated date="2014-09-14 15:03" 
/><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="cacti" release="1.2.amzn1" version="0.8.7h"><filename>Packages/cacti-0.8.7h-1.2.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-24</id><title>Amazon Linux - ALAS-2011-24: important priority package update for bind</title><issued date="2011-11-30 21:59" /><updated date="2014-09-14 15:03" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4313:
query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver.
A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313" id="CVE-2011-4313" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1458.html" id="RHSA-2011:1458" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="32" name="bind" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-debuginfo-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-utils-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-sdb-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-chroot-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-libs-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-devel-9.7.3-2.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-libs-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-devel-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" 
name="bind-debuginfo" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-debuginfo-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-chroot-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-sdb-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="2.11.amzn1" version="9.7.3"><filename>Packages/bind-utils-9.7.3-2.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-25</id><title>Amazon Linux - ALAS-2011-25: important priority package update for tomcat6</title><issued date="2011-12-02 22:21" /><updated date="2014-09-14 15:04" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3190:
A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially-crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw.
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

CVE-2011-2204:
A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files.
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

CVE-2011-1184:
Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks.
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" id="CVE-2011-3190" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" id="CVE-2011-1184" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" id="CVE-2011-2204" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-el-2.1-api-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-javadoc-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-lib-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-admin-webapps-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-servlet-2.5-api-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-jsp-2.1-api-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.26.amzn1" version="6.0.33"><filename>Packages/tomcat6-webapps-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.26.amzn1" 
version="6.0.33"><filename>Packages/tomcat6-docs-webapp-6.0.33-1.26.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-26</id><title>Amazon Linux - ALAS-2011-26: medium priority package update for kernel</title><issued date="2011-12-02 22:23" /><updated date="2014-09-14 15:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4326:
* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service.

CVE-2011-4132:
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local attacker could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.

CVE-2011-4110:
* A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service.

CVE-2011-3593:
* A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service.

CVE-2011-3363:
* A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash.
* A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash.

CVE-2011-3359:
* A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service.

CVE-2011-3353:
* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service.

CVE-2011-3191:
* A malicious CIFS (Common Internet File System) server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.
* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.

CVE-2011-3188:
* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random.
* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random.

CVE-2011-2905:
* It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially-crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.

CVE-2011-2699:
* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services.

CVE-2011-2494:
* The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process.

CVE-2011-1577:
* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partition tables.
* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially-crafted partition tables.
Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.

CVE-2011-1162:
* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3593" id="CVE-2011-3593" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2699" id="CVE-2011-2699" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188" id="CVE-2011-3188" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2905" id="CVE-2011-2905" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3363" id="CVE-2011-3363" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2494" id="CVE-2011-2494" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4326" id="CVE-2011-4326" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3353" id="CVE-2011-3353" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577" id="CVE-2011-1577" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4110" id="CVE-2011-4110" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3359" id="CVE-2011-3359" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1162" id="CVE-2011-1162" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191" id="CVE-2011-3191" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132" id="CVE-2011-4132" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1465.html" id="RHSA-2011:1465" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="106.49.amzn1" 
version="2.6.35.14"><filename>Packages/kernel-doc-2.6.35.14-106.49.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" 
release="106.49.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="106.49.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-27</id><title>Amazon Linux - ALAS-2011-27: medium priority package update for cyrus-imapd</title><issued date="2011-12-09 11:17" /><updated date="2014-09-14 15:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3481:
A NULL pointer dereference flaw was found in the cyrus-imapd IMAP server, imapd. A remote attacker could send a specially-crafted mail message to a victim that would possibly prevent them from accessing their mail normally, if they were using an IMAP client that relies on the server threading IMAP feature.
The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.

CVE-2011-3372:
imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command.
An authentication bypass flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to read or post newsgroup messages on an NNTP server configured to require user authentication, without providing valid authentication credentials.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372" id="CVE-2011-3372" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3481" id="CVE-2011-3481" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1508.html" id="RHSA-2011:1508" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="cyrus-imapd" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-2.3.16-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-imapd-devel" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-devel-2.3.16-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-imapd-utils" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-utils-2.3.16-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-imapd-debuginfo" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-2.3.16-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd-utils" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-utils-2.3.16-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd-devel" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-devel-2.3.16-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-imapd-debuginfo" release="6.5.amzn1" version="2.3.16"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2011-28</id><title>Amazon Linux - ALAS-2011-28: medium priority package update for krb5</title><issued date="2011-12-09 16:12" /><updated date="2014-09-14 15:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1530:
The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error.
A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially-crafted TGS request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530" id="CVE-2011-1530" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1790.html" id="RHSA-2011:1790" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="krb5-server" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-server-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-devel-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-workstation-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-server-ldap-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo"
release="22.20.amzn1" version="1.9"><filename>Packages/krb5-debuginfo-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-pkinit-openssl-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-libs-1.9-22.20.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-pkinit-openssl-1.9-22.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-debuginfo-1.9-22.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-server-1.9-22.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-workstation-1.9-22.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-libs-1.9-22.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-devel-1.9-22.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="22.20.amzn1" version="1.9"><filename>Packages/krb5-server-ldap-1.9-22.20.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-29</id><title>Amazon Linux - ALAS-2011-29: important priority package update for jasper</title><issued date="2011-12-12 13:45" /><updated date="2014-09-14 15:07" 
/><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4516:
Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer (such as Nautilus) to crash or, potentially, execute arbitrary code.
Two heap-based buffer overflow flaws were found in the embedded JasPer library, which is used to provide support for Part 1 of the JPEG 2000 image compression standard in the jpeg2ktopam and pamtojpeg2k tools. An attacker could create a malicious JPEG 2000 compressed image file that could cause jpeg2ktopam to crash or, potentially, execute arbitrary code with the privileges of the user running jpeg2ktopam. These flaws do not affect pamtojpeg2k.
Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a JPEG2000 file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516" id="CVE-2011-4516" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1807.html" id="RHSA-2011:1807" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="jasper-debuginfo" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-15.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-devel" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-devel-1.900.1-15.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-libs" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-libs-1.900.1-15.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-15.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-utils" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-15.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-utils" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-debuginfo" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-devel" release="15.5.amzn1" version="1.900.1"><filename>Packages/jasper-devel-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-libs" release="15.5.amzn1"
version="1.900.1"><filename>Packages/jasper-libs-1.900.1-15.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2011-30</id><title>Amazon Linux - ALAS-2011-30: medium priority package update for nginx</title><issued date="2011-12-13 12:50" /><updated date="2014-09-14 15:08" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4315:
Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4315" id="CVE-2011-4315" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nginx-debuginfo" release="1.4.amzn1" version="0.8.54"><filename>Packages/nginx-debuginfo-0.8.54-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nginx" release="1.4.amzn1" version="0.8.54"><filename>Packages/nginx-0.8.54-1.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nginx-debuginfo" release="1.4.amzn1" version="0.8.54"><filename>Packages/nginx-debuginfo-0.8.54-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nginx" release="1.4.amzn1" version="0.8.54"><filename>Packages/nginx-0.8.54-1.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-31</id><title>Amazon Linux - ALAS-2012-31: medium priority package update for dhcp</title><issued date="2012-01-05 20:58" /><updated
date="2014-09-14 15:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4539:
dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not properly handle regular expressions in dhcpd.conf, which allows remote attackers to cause a denial of service (daemon crash) via a crafted request packet.
A denial of service flaw was found in the way the dhcpd daemon handled DHCP request packets when regular expression matching was used in "/etc/dhcp/dhcpd.conf". A remote attacker could use this flaw to crash dhcpd.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4539" id="CVE-2011-4539" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1819.html" id="RHSA-2011:1819" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="12" name="dhcp-devel" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhclient" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-debuginfo" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-common" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="12" name="dhclient" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-devel" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-common" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-debuginfo" release="25.P1.14.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-32</id><title>Amazon Linux - ALAS-2012-32: medium priority package update for cacti</title><issued date="2012-01-05 20:59" /><updated date="2014-09-14 15:34" /><severity>medium</severity><description /><references /><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="cacti" release="2.3.amzn1" version="0.8.7i"><filename>Packages/cacti-0.8.7i-2.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-33</id><title>Amazon Linux - ALAS-2012-33: medium priority package update for icu</title><issued date="2012-01-09 09:18" /><updated date="2014-09-14 15:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4599:
A stack-based buffer overflow flaw was found in the way ICU performed variant canonicalization for some locale identifiers.
If a specially-crafted locale representation was opened in an application linked against ICU, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4599" id="CVE-2011-4599" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1815.html" id="RHSA-2011:1815" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libicu" release="9.9.amzn1" version="4.2.1"><filename>Packages/libicu-4.2.1-9.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="icu" release="9.9.amzn1" version="4.2.1"><filename>Packages/icu-4.2.1-9.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libicu-devel" release="9.9.amzn1" version="4.2.1"><filename>Packages/libicu-devel-4.2.1-9.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="icu-debuginfo" release="9.9.amzn1" version="4.2.1"><filename>Packages/icu-debuginfo-4.2.1-9.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="icu-debuginfo" release="9.9.amzn1" version="4.2.1"><filename>Packages/icu-debuginfo-4.2.1-9.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libicu" release="9.9.amzn1" version="4.2.1"><filename>Packages/libicu-4.2.1-9.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="libicu-doc" release="9.9.amzn1" version="4.2.1"><filename>Packages/libicu-doc-4.2.1-9.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libicu-devel" release="9.9.amzn1" version="4.2.1"><filename>Packages/libicu-devel-4.2.1-9.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="icu" release="9.9.amzn1"
version="4.2.1"><filename>Packages/icu-4.2.1-9.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-34</id><title>Amazon Linux - ALAS-2012-34: medium priority package update for kernel</title><issued date="2012-01-06 10:19" /><updated date="2014-09-14 15:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4127:
* Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device. Refer to Red Hat Knowledgebase article DOC-67874, linked to in the References, for further details about this issue.
In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed by a partition or LVM volume, a privileged guest user could bypass intended restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. Partition-based and LVM-based storage pools are not used by default. Refer to Red Hat Bugzilla bug 752375 for further details and a mitigation script for users who cannot apply this update immediately.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4127" id="CVE-2011-4127" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-doc-2.6.35.14-106.53.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="106.53.amzn1"
version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="106.53.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-35</id><title>Amazon Linux - ALAS-2012-35: important priority package update for ruby</title><issued date="2012-01-19 20:02" /><updated date="2014-09-14 15:12" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4815:
A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4815" id="CVE-2011-4815" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="ruby" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-static" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-static-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-libs" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-libs-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-ri" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-ri-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-debuginfo" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-debuginfo-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-devel" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-devel-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-irb" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-irb-1.8.7.357-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-devel" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-devel-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-rdoc" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-rdoc-1.8.7.357-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-ri" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-ri-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-libs" release="1.10.amzn1"
version="1.8.7.357"><filename>Packages/ruby-libs-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-static" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-static-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-debuginfo" release="1.10.amzn1" version="1.8.7.357"><filename>Packages/ruby-debuginfo-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-36</id><title>Amazon Linux - ALAS-2012-36: important priority package update for libxml2</title><issued date="2012-01-19 20:08" /><updated date="2014-09-14 15:12" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3919:
Heap-based buffer overflow in libxml2, as used in Google Chrome before 16.0.912.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2011-3905:
libxml2, as used in Google Chrome before 16.0.912.63, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
An out-of-bounds memory read flaw was found in libxml2.
A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3919" id="CVE-2011-3919" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3905" id="CVE-2011-3905" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0018.html" id="RHSA-2012:0018" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libxml2-devel" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-devel-2.7.6-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-static-2.7.6-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-debuginfo-2.7.6-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-python-2.7.6-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-2.7.6-4.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-python-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-devel-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="libxml2-debuginfo" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-debuginfo-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-static" release="4.11.amzn1" version="2.7.6"><filename>Packages/libxml2-static-2.7.6-4.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-37</id><title>Amazon Linux - ALAS-2012-37: medium priority package update for php</title><issued date="2012-01-19 20:10" /><updated date="2014-09-14 15:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4885:
It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000.
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVE-2011-4566:
An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a specially-crafted image file could cause the PHP interpreter to crash or disclose portions of its memory when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file.
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566" id="CVE-2011-4566" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885" id="CVE-2011-4885" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0019.html" id="RHSA-2012:0019" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-dba" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-dba-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-odbc-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-embedded-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mbstring-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-pgsql-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-common-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-debuginfo-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.9.amzn1"
version="5.3.9"><filename>Packages/php-ldap-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-cli-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-fpm-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-imap-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-bcmath-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-soap-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-devel-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-xml-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-pdo-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mcrypt-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mysqlnd-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-snmp-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php-mysql" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mysql-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-process-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-tidy-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-intl-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-gd-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-pspell-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mssql-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-xmlrpc-5.3.9-1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-embedded-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-xml-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-intl-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-soap-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.9.amzn1" 
version="5.3.9"><filename>Packages/php-ldap-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mcrypt-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-debuginfo-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-pgsql-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mysqlnd-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-odbc-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mbstring-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-pspell-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-pdo-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-tidy-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-dba-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-gd-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.9.amzn1" 
version="5.3.9"><filename>Packages/php-fpm-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-cli-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-devel-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mysql-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-mssql-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-xmlrpc-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-process-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-bcmath-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-snmp-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-common-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.9.amzn1" version="5.3.9"><filename>Packages/php-imap-5.3.9-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2012-38</id><title>Amazon Linux - ALAS-2012-38: medium priority package update for openssl</title><issued date="2012-02-02 14:24" /><updated date="2014-09-14 15:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4619:
It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake.
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors.

CVE-2011-4577:
A denial of service flaw was found in the RFC 3779 implementation in OpenSSL. A remote attacker could use this flaw to make an application using OpenSSL exit unexpectedly by providing a specially-crafted X.509 certificate that has malformed RFC 3779 extension data.
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.

CVE-2011-4576:
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL.
Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection.

CVE-2011-4108:
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577" id="CVE-2011-4577" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576" id="CVE-2011-4576" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108" id="CVE-2011-4108" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619" id="CVE-2011-4619" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0059.html" id="RHSA-2012:0059" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssl" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-perl" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-perl-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-devel" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-devel-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-debuginfo"
release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-debuginfo-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-static" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-static-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-static" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-static-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-debuginfo" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-debuginfo-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-devel" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-devel-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-perl" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-perl-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl" release="1.26.amzn1" version="1.0.0g"><filename>Packages/openssl-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-39</id><title>Amazon Linux - ALAS-2012-39: medium priority package update for glibc</title><issued date="2012-02-02 14:26" /><updated date="2014-09-14 15:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4609:
A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time.

CVE-2009-5029:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029" id="CVE-2009-5029" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609" id="CVE-2011-4609" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0058.html" id="RHSA-2012:0058" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="1.47.32.amzn1"
version="2.12"><filename>Packages/nscd-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.47.32.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="1.47.32.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="1.47.32.amzn1" 
version="2.12"><filename>Packages/nscd-2.12-1.47.32.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-40</id><title>Amazon Linux - ALAS-2012-40: medium priority package update for t1lib</title><issued date="2012-02-02 14:26" /><updated date="2014-09-14 15:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1554:
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.

CVE-2011-1553:
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
A use-after-free flaw was found in t1lib.
A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764.

CVE-2011-1552:
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash.
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash.

CVE-2011-0764:
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2010-2642:
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by an application linked against t1lib, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by teTeX, it could cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by a TeX Live utility, it could cause the utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1552" id="CVE-2011-1552" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1553" id="CVE-2011-1553" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764" id="CVE-2011-0764" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2642" id="CVE-2010-2642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1554" id="CVE-2011-1554" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0062.html" id="RHSA-2012:0062" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="t1lib-debuginfo" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-debuginfo-5.1.2-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="t1lib" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-5.1.2-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="t1lib-static" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-static-5.1.2-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="t1lib-devel" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-devel-5.1.2-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="t1lib-apps" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-apps-5.1.2-6.5.amzn1.i686.rpm</filename></package><package
arch="x86_64" epoch="0" name="t1lib-static" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-static-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="t1lib-debuginfo" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-debuginfo-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="t1lib-apps" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-apps-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="t1lib-devel" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-devel-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="t1lib" release="6.5.amzn1" version="5.1.2"><filename>Packages/t1lib-5.1.2-6.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-41</id><title>Amazon Linux - ALAS-2012-41: critical priority package update for php</title><issued date="2012-02-02 16:10" /><updated date="2014-09-14 15:16" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0830:
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0071, RHSA-2012:0033, and RHSA-2012:0019 for php packages in Red Hat Enterprise Linux 4, 5, and 6 respectively) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code.
It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0019 for php53 packages in Red Hat Enterprise Linux 5) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830" id="CVE-2012-0830" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0093.html" id="RHSA-2012:0093" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-pgsql" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-pgsql-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mbstring-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-pdo-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mcrypt-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mysqlnd-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mysql-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-snmp-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-odbc-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="php-intl" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-intl-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-bcmath-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-soap-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-imap-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-debuginfo-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-cli-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-dba-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-embedded-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mssql-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-process-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-ldap-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.15.amzn1" 
version="5.3.10"><filename>Packages/php-tidy-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-common-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-devel-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-xmlrpc-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-xml-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-gd-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-fpm-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-pspell-5.3.10-1.15.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-pspell-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-imap-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-tidy-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-pdo-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.15.amzn1" 
version="5.3.10"><filename>Packages/php-process-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-xml-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-pgsql-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mbstring-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-soap-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-cli-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-debuginfo-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mysql-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-common-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-odbc-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-bcmath-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.15.amzn1" 
version="5.3.10"><filename>Packages/php-gd-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-dba-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-intl-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-ldap-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-embedded-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mcrypt-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-snmp-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-devel-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-fpm-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-xmlrpc-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mssql-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.15.amzn1" version="5.3.10"><filename>Packages/php-mysqlnd-5.3.10-1.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-42</id><title>Amazon Linux - ALAS-2012-42: medium priority package update for ghostscript</title><issued date="2012-02-08 13:46" /><updated date="2014-09-14 15:18" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2010-4820:
Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default.

CVE-2010-4054:
A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.
The gs_type2_interpret function in Ghostscript allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) via crafted font data in a compressed data stream, aka bug 691043.

CVE-2010-2055:
Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program.
It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code.

CVE-2009-3743:
An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.
Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that trigger an integer overflow and a heap-based buffer overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4820" id="CVE-2010-4820" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3743" id="CVE-2009-3743" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2055" id="CVE-2010-2055" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4054" id="CVE-2010-4054" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0095.html" id="RHSA-2012:0095" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="ghostscript-doc" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-11.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-debuginfo" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-11.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-devel" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-11.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-11.20.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-11.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-devel" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-11.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-doc" release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-11.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-debuginfo"
release="11.20.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-11.20.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-43</id><title>Amazon Linux - ALAS-2012-43: critical priority package update for java-1.6.0-openjdk</title><issued date="2012-02-15 17:12" /><updated date="2014-09-14 15:19" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0506:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.
It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data.

CVE-2012-0505:
It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.

CVE-2012-0503:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to I18n.
It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions.

CVE-2012-0502:
A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and availability, related to AWT.

CVE-2012-0501:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect availability via unknown vectors.
An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened.

CVE-2012-0497:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions.

CVE-2011-5035:
The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200.
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.

CVE-2011-3571:
Unspecified vulnerability in the Virtual Desktop Infrastructure (VDI) component in Oracle Virtualization 3.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Session.
The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions.

CVE-2011-3563:
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section.
The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory.
This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Sound.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035" id="CVE-2011-5035" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497" id="CVE-2012-0497" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563" id="CVE-2011-3563" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3571" id="CVE-2011-3571" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506" id="CVE-2012-0506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505" id="CVE-2012-0505" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503" id="CVE-2012-0503" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502" id="CVE-2012-0502" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501"
id="CVE-2012-0501" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0135.html" id="RHSA-2012:0135" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" 
release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.10.6.41.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-44</id><title>Amazon Linux - ALAS-2012-44: important priority package update for mysql</title><issued date="2012-02-15 17:18" /><updated date="2014-09-14 15:29" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0492:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783817:
CVE-2012-0492 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0490:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.
783815:
CVE-2012-0490 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0485:
783809:
CVE-2012-0485 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0492.

CVE-2012-0484:
783808:
CVE-2012-0484 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.

CVE-2012-0120:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and CVE-2012-0492.
783807:
CVE-2012-0120 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0119:
783806:
CVE-2012-0119 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.

CVE-2012-0118:
783805:
CVE-2012-0118 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.

CVE-2012-0116:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
783803:
CVE-2012-0116 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and integrity
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0115:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
783802:
CVE-2012-0115 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0114:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.
783801:
CVE-2012-0114 mysql: Unspecified vulnerability allows local users to affect confidentiality and integrity
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0113:
783800:
CVE-2012-0113 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0112:
783799:
CVE-2012-0112 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0101:
783797:
CVE-2012-0101 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0087:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.
783795:
CVE-2012-0087 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-0075:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect integrity via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2011-2262:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0118" id="CVE-2012-0118" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0119" id="CVE-2012-0119" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0114" id="CVE-2012-0114" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0115" id="CVE-2012-0115" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0116" id="CVE-2012-0116" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0112" id="CVE-2012-0112" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0113" id="CVE-2012-0113" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0484" id="CVE-2012-0484" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0485" id="CVE-2012-0485" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0490" id="CVE-2012-0490" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0075" id="CVE-2012-0075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0492" id="CVE-2012-0492" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0087" id="CVE-2012-0087" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0101" id="CVE-2012-0101" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2262" id="CVE-2011-2262" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0120" id="CVE-2012-0120" title="" type="cve" /><reference
href="https://rhn.redhat.com/errata/RHSA-2012:0105.html" id="RHSA-2012:0105" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="mysql-embedded-devel" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-embedded-devel-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-test" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-test-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-debuginfo" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-debuginfo-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-embedded" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-embedded-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-libs" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-libs-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-server" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-server-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-bench" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-bench-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-devel" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-devel-5.1.61-1.27.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-libs" release="1.27.amzn1" 
version="5.1.61"><filename>Packages/mysql-libs-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-server" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-server-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-embedded-devel" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-embedded-devel-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-debuginfo" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-debuginfo-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-devel" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-devel-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-bench" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-bench-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-test" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-test-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-embedded" release="1.27.amzn1" version="5.1.61"><filename>Packages/mysql-embedded-5.1.61-1.27.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-45</id><title>Amazon Linux - ALAS-2012-45: medium priority package update for kernel</title><issued date="2012-02-15 17:38" /><updated date="2014-09-14 15:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 513 CVE-2011-4086: 514 * A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. 
On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service.
The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.
749143:
CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086" id="CVE-2011-4086" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-doc-2.6.35.14-107.1.36.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="107.1.36.amzn1"
version="2.6.35.14"><filename>Packages/perf-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="107.1.36.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-46</id><title>Amazon Linux - ALAS-2012-46: medium priority package update for httpd</title><issued date="2012-02-16 10:48" /><updated date="2014-09-14 15:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0053:
The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.

CVE-2012-0031:
A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.

CVE-2011-3639:
It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI.
It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1392) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request.
The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.

CVE-2011-3607:
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607" id="CVE-2011-3607" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3639" id="CVE-2011-3639" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031" id="CVE-2012-0031" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053" id="CVE-2012-0053" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0128.html" id="RHSA-2012:0128" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-debuginfo-2.2.22-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.23.amzn1" version="2.2.22"><filename>Packages/mod_ssl-2.2.22-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-devel-2.2.22-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-2.2.22-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-tools-2.2.22-1.23.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-devel-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.23.amzn1"
version="2.2.22"><filename>Packages/httpd-manual-2.2.22-1.23.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-debuginfo-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.23.amzn1" version="2.2.22"><filename>Packages/mod_ssl-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.23.amzn1" version="2.2.22"><filename>Packages/httpd-tools-2.2.22-1.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-47</id><title>Amazon Linux - ALAS-2012-47: important priority package update for libvorbis</title><issued date="2012-03-04 16:07" /><updated date="2014-09-14 15:22" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0444:
A heap-based buffer overflow flaw was found in the way the libvorbis library parsed Ogg Vorbis media files. If a specially-crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444" id="CVE-2012-0444" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0136.html" id="RHSA-2012:0136" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="libvorbis-debuginfo" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-debuginfo-1.2.3-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="libvorbis" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-1.2.3-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="libvorbis-devel" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-devel-1.2.3-4.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="libvorbis-debuginfo" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-debuginfo-1.2.3-4.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="libvorbis-devel-docs" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-devel-docs-1.2.3-4.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="libvorbis" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-1.2.3-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="libvorbis-devel" release="4.6.amzn1" version="1.2.3"><filename>Packages/libvorbis-devel-1.2.3-4.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com"
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-48</id><title>Amazon Linux - ALAS-2012-48: medium priority package update for texlive</title><issued date="2012-03-04 16:08" /><updated date="2014-09-14 15:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1554:
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.

CVE-2011-1553:
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
A use-after-free flaw was found in t1lib.
A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764.

CVE-2011-1552:
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash.
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash.

CVE-2011-0764:
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2010-2642:
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by an application linked against t1lib, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by teTeX, it could cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by a TeX Live utility, it could cause the utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1552" id="CVE-2011-1552" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1553" id="CVE-2011-1553" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764" id="CVE-2011-0764" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2642" id="CVE-2010-2642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1554" id="CVE-2011-1554" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0137.html" id="RHSA-2012:0137" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="texlive-dviutils" release="57.9.amzn1" version="2007"><filename>Packages/texlive-dviutils-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kpathsea" release="57.9.amzn1" version="2007"><filename>Packages/kpathsea-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-context" release="57.9.amzn1" version="2007"><filename>Packages/texlive-context-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-afm" release="57.9.amzn1" version="2007"><filename>Packages/texlive-afm-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mendexk" release="57.9.amzn1" version="2.6e"><filename>Packages/mendexk-2.6e-57.9.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="0" name="texlive-xetex" release="57.9.amzn1" version="2007"><filename>Packages/texlive-xetex-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-east-asian" release="57.9.amzn1" version="2007"><filename>Packages/texlive-east-asian-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-debuginfo" release="57.9.amzn1" version="2007"><filename>Packages/texlive-debuginfo-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-utils" release="57.9.amzn1" version="2007"><filename>Packages/texlive-utils-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-dvips" release="57.9.amzn1" version="2007"><filename>Packages/texlive-dvips-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive-latex" release="57.9.amzn1" version="2007"><filename>Packages/texlive-latex-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kpathsea-devel" release="57.9.amzn1" version="2007"><filename>Packages/kpathsea-devel-2007-57.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="texlive" release="57.9.amzn1" version="2007"><filename>Packages/texlive-2007-57.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-dvips" release="57.9.amzn1" version="2007"><filename>Packages/texlive-dvips-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mendexk" release="57.9.amzn1" version="2.6e"><filename>Packages/mendexk-2.6e-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive" release="57.9.amzn1" version="2007"><filename>Packages/texlive-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kpathsea" release="57.9.amzn1" version="2007"><filename>Packages/kpathsea-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="texlive-debuginfo" release="57.9.amzn1" version="2007"><filename>Packages/texlive-debuginfo-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-context" release="57.9.amzn1" version="2007"><filename>Packages/texlive-context-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-afm" release="57.9.amzn1" version="2007"><filename>Packages/texlive-afm-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-latex" release="57.9.amzn1" version="2007"><filename>Packages/texlive-latex-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-utils" release="57.9.amzn1" version="2007"><filename>Packages/texlive-utils-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-xetex" release="57.9.amzn1" version="2007"><filename>Packages/texlive-xetex-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-east-asian" release="57.9.amzn1" version="2007"><filename>Packages/texlive-east-asian-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="texlive-dviutils" release="57.9.amzn1" version="2007"><filename>Packages/texlive-dviutils-2007-57.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kpathsea-devel" release="57.9.amzn1" version="2007"><filename>Packages/kpathsea-devel-2007-57.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-49</id><title>Amazon Linux - ALAS-2012-49: important priority package update for libpng</title><issued date="2012-03-04 16:09" /><updated date="2014-09-14 15:23" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3026:
A heap-based buffer overflow flaw was found in the way XULRunner handled PNG (Portable Network Graphics) images. A web page containing a malicious PNG image could cause an application linked against XULRunner (such as Firefox) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.
A heap-based buffer overflow flaw was found in libpng. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
A heap-based buffer overflow flaw was found in the way Thunderbird handled PNG (Portable Network Graphics) images. An HTML mail message or remote content containing a specially-crafted PNG image could cause Thunderbird to crash or, possibly, execute arbitrary code with the privileges of the user running Thunderbird.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026" id="CVE-2011-3026" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0317.html" id="RHSA-2012:0317" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="2" name="libpng-static" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-static-1.2.46-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-debuginfo" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-debuginfo-1.2.46-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-1.2.46-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-devel" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-devel-1.2.46-2.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-static" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-static-1.2.46-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-1.2.46-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-devel" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-devel-1.2.46-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-debuginfo" release="2.10.amzn1" version="1.2.46"><filename>Packages/libpng-debuginfo-1.2.46-2.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-50</id><title>Amazon Linux - ALAS-2012-50: medium priority package update for nagios</title><issued date="2012-03-04 16:10" /><updated
date="2014-09-14 15:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2179:
Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.
709871:
CVE-2011-2179 nagios: XSS in configuration command expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2179" id="CVE-2011-2179" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nagios-debuginfo" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-debuginfo-3.3.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-3.3.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios-devel" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-devel-3.3.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios-common" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-common-3.3.1-3.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-common" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-common-3.3.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-devel" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-devel-3.3.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios" release="3.4.amzn1" version="3.3.1"><filename>Packages/nagios-3.3.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-debuginfo" release="3.4.amzn1"
version="3.3.1"><filename>Packages/nagios-debuginfo-3.3.1-3.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-51</id><title>Amazon Linux - ALAS-2012-51: medium priority package update for cvs</title><issued date="2012-03-04 16:12" /><updated date="2014-09-14 15:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0804:
A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0804" id="CVE-2012-0804" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0321.html" id="RHSA-2012:0321" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="cvs-debuginfo" release="11.6.amzn1" version="1.11.23"><filename>Packages/cvs-debuginfo-1.11.23-11.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cvs" release="11.6.amzn1" version="1.11.23"><filename>Packages/cvs-1.11.23-11.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="cvs" release="11.6.amzn1" version="1.11.23"><filename>Packages/cvs-1.11.23-11.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cvs-debuginfo" release="11.6.amzn1" version="1.11.23"><filename>Packages/cvs-debuginfo-1.11.23-11.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security"
version="1.4"><id>ALAS-2012-52</id><title>Amazon Linux - ALAS-2012-52: medium priority package update for libxml2</title><issued date="2012-03-04 16:12" /><updated date="2014-09-14 15:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0841:
It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841" id="CVE-2012-0841" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0324.html" id="RHSA-2012:0324" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libxml2-python" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-python-2.7.6-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-debuginfo-2.7.6-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-devel-2.7.6-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-2.7.6-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-static-2.7.6-4.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="4.12.amzn1"
version="2.7.6"><filename>Packages/libxml2-devel-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-python-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-debuginfo-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-static" release="4.12.amzn1" version="2.7.6"><filename>Packages/libxml2-static-2.7.6-4.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-53</id><title>Amazon Linux - ALAS-2012-53: medium priority package update for puppet</title><issued date="2012-03-15 19:11" /><updated date="2014-09-14 15:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1054:
Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login.
791002:
CVE-2012-1054 Puppet 2.6.13 Klogin File Handling Issue

CVE-2012-1053:
791001:
CVE-2012-1053 Puppet 2.6.13 group ID handling issues
The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the change_user not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1054" id="CVE-2012-1054" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1053" id="CVE-2012-1053" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="puppet-server" release="1.5.amzn1" version="2.6.14"><filename>Packages/puppet-server-2.6.14-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="1.5.amzn1" version="2.6.14"><filename>Packages/puppet-2.6.14-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="1.5.amzn1" version="2.6.14"><filename>Packages/puppet-debuginfo-2.6.14-1.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="1.5.amzn1" version="2.6.14"><filename>Packages/puppet-server-2.6.14-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="1.5.amzn1" version="2.6.14"><filename>Packages/puppet-2.6.14-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="1.5.amzn1"
version="2.6.14"><filename>Packages/puppet-debuginfo-2.6.14-1.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-54</id><title>Amazon Linux - ALAS-2012-54: medium priority package update for systemtap</title><issued date="2012-03-15 19:21" /><updated date="2014-09-14 15:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0875:
An invalid pointer read flaw was found in the way SystemTap handled malformed debugging information in DWARF format. When SystemTap unprivileged mode was enabled, an unprivileged user in the stapusr group could use this flaw to crash the system or, potentially, read arbitrary kernel memory. Additionally, a privileged user (root, or a member of the stapdev group) could trigger this flaw when tricked into instrumenting a specially-crafted ELF binary, even when unprivileged mode was not enabled.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0875" id="CVE-2012-0875" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0376.html" id="RHSA-2012:0376" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="systemtap-debuginfo" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-debuginfo-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="systemtap" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="systemtap-server" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-server-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="systemtap-sdt-devel" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-sdt-devel-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="systemtap-testsuite" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-testsuite-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="systemtap-initscript" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-initscript-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="systemtap-runtime" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-runtime-1.6-5.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap-sdt-devel" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-sdt-devel-1.6-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap-testsuite" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-testsuite-1.6-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap-runtime" release="5.12.amzn1"
version="1.6"><filename>Packages/systemtap-runtime-1.6-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap-debuginfo" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-debuginfo-1.6-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-1.6-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap-server" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-server-1.6-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="systemtap-initscript" release="5.12.amzn1" version="1.6"><filename>Packages/systemtap-initscript-1.6-5.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-55</id><title>Amazon Linux - ALAS-2012-55: medium priority package update for kernel</title><issued date="2012-03-16 10:53" /><updated date="2014-09-14 15:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0207:
* A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service.

CVE-2012-0045:
* A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to crash the guest.

CVE-2012-0038:
* A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs).
A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.

CVE-2011-4622:
* A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A local, unprivileged user on the host could force this situation to occur, resulting in the host crashing.
A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing.
The create_pit_timer function in arch/x86/kvm/i8254.c in KVM 83, and possibly other versions, does not properly handle when Programmable Interval Timer (PIT) interrupt requests (IRQs) when a virtual interrupt controller (irqchip) is not available, which allows local users to cause a denial of service (NULL pointer dereference) by starting a timer.

CVE-2011-4611:
* The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel. On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service.

CVE-2011-4594:
* Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when invoked via the sendmmsg() system call, accessed user-space memory. A local, unprivileged user could use these flaws to cause a denial of service.

CVE-2011-4347:
* It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not.
A local, unprivileged user on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing.
It was found that the kvm_vm_ioctl_assign_device() function in the KVM subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not. A member of the kvm group on the host could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing.

CVE-2011-4132:
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local attacker could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.

CVE-2011-4081:
* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service.

CVE-2011-4077:
* A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4594" id="CVE-2011-4594" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4347" id="CVE-2011-4347" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0038" id="CVE-2012-0038" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4622" id="CVE-2011-4622" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0045" id="CVE-2012-0045" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132" id="CVE-2011-4132" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4611" id="CVE-2011-4611" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4081" id="CVE-2011-4081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4077" id="CVE-2011-4077" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207" id="CVE-2012-0207" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0350.html" id="RHSA-2012:0350" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-doc-2.6.35.14-107.1.39.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="0" name="kernel-headers" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-headers-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-devel-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/perf-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="107.1.39.amzn1" version="2.6.35.14"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2012-56</id><title>Amazon Linux - ALAS-2012-56: medium priority package update for libpng</title><issued date="2012-03-23 14:13" /><updated date="2014-09-14 15:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3045:
A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
Integer signedness error in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045" id="CVE-2011-3045" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0407.html" id="RHSA-2012:0407" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="2" name="libpng-debuginfo" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-debuginfo-1.2.48-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-devel" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-devel-1.2.48-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-1.2.48-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-static" release="1.11.amzn1"
version="1.2.48"><filename>Packages/libpng-static-1.2.48-1.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-static" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-static-1.2.48-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-1.2.48-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-devel" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-devel-1.2.48-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-debuginfo" release="1.11.amzn1" version="1.2.48"><filename>Packages/libpng-debuginfo-1.2.48-1.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-57</id><title>Amazon Linux - ALAS-2012-57: medium priority package update for glibc</title><issued date="2012-03-23 14:15" /><updated date="2014-09-14 15:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0864:
An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864" id="CVE-2012-0864" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0393.html" id="RHSA-2012:0393" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="glibc-static" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="1.47.37.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.47.37.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="1.47.37.amzn1"
version="2.12"><filename>Packages/nscd-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="1.47.37.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.47.37.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-58</id><title>Amazon Linux - ALAS-2012-58: medium priority package update for kernel</title><issued date="2012-03-23 14:18" /><updated date="2014-09-14 15:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1568:
* It was found that when
running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
804947:
CVE-2012-1568 kernel: execshield: predictable ascii armour base address
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1568" id="CVE-2012-1568" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-doc-3.2.12-3.2.4.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-devel-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-debuginfo-common-i686-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-headers-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-debuginfo-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="3.2.4.amzn1"
version="3.2.12"><filename>Packages/kernel-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-headers-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-debuginfo-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="3.2.4.amzn1" version="3.2.12"><filename>Packages/kernel-devel-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-59</id><title>Amazon Linux - ALAS-2012-59: important priority package update for gnutls</title><issued date="2012-04-05 12:47" /><updated date="2014-09-14 15:44" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1573:
A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer.
gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.

CVE-2011-4128:
Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.
A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128" id="CVE-2011-4128" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573" id="CVE-2012-1573" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0429.html" id="RHSA-2012:0429" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="gnutls-debuginfo" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-4.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-guile" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel"
release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="4.6.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-4.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-60</id><title>Amazon Linux - ALAS-2012-60: important priority package update for libtasn1</title><issued date="2012-04-05 12:48" /><updated date="2014-09-14 15:45" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1569:
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
A flaw was found in the way libtasn1 decoded DER data. An attacker could create carefully-crafted DER encoded input (such as an X.509 certificate) that, when parsed by an application that uses libtasn1 (such as applications using GnuTLS), could cause the application to crash.
A flaw was found in the way libtasn1 decoded DER data. An attacker could create a carefully-crafted X.509 certificate that, when parsed by an application that uses GnuTLS, could cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569" id="CVE-2012-1569" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0427.html" id="RHSA-2012:0427" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libtasn1-tools" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-tools-2.3-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtasn1-debuginfo" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-debuginfo-2.3-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtasn1" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-2.3-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtasn1-devel" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-devel-2.3-3.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1-debuginfo" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-debuginfo-2.3-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1-tools" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-tools-2.3-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-2.3-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1-devel" release="3.4.amzn1" version="2.3"><filename>Packages/libtasn1-devel-2.3-3.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-61</id><title>Amazon Linux - ALAS-2012-61: important priority package update for rpm</title><issued date="2012-04-05 12:49" /><updated date="2014-09-14 15:45"
/><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 661 CVE-2012-0060: 662 Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code. 663 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060" id="CVE-2012-0060" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0451.html" id="RHSA-2012:0451" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="rpm-python" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-python-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-build" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-build-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-cron" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-cron-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-apidocs" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-apidocs-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-libs" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-libs-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-devel" release="19.38.amzn1" 
version="4.8.0"><filename>Packages/rpm-devel-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-debuginfo" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-debuginfo-4.8.0-19.38.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-python" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-python-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-debuginfo" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-debuginfo-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-devel" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-devel-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-cron" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-cron-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-build" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-build-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-apidocs" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-apidocs-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-libs" release="19.38.amzn1" version="4.8.0"><filename>Packages/rpm-libs-4.8.0-19.38.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-62</id><title>Amazon Linux - ALAS-2012-62: medium priority package update for openssl</title><issued date="2012-04-05 12:49" /><updated date="2014-09-14 15:46" /><severity>medium</severity><description>Package updates are available for Amazon 
Linux that fix the following vulnerabilities:
CVE-2012-1165:
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.

CVE-2012-0884:
A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times.
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165" id="CVE-2012-1165" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884" id="CVE-2012-0884" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0426.html" id="RHSA-2012:0426" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssl-devel" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-devel-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-static" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-static-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-perl" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-perl-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-debuginfo" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-debuginfo-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-static" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-static-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-debuginfo" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-debuginfo-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-perl" release="2.39.amzn1" 
version="1.0.0g"><filename>Packages/openssl-perl-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-devel" release="2.39.amzn1" version="1.0.0g"><filename>Packages/openssl-devel-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-63</id><title>Amazon Linux - ALAS-2012-63: medium priority package update for nginx</title><issued date="2012-04-05 12:50" /><updated date="2014-09-14 15:58" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1180:
803856:
CVE-2012-1180 nginx: malformed HTTP response headers leads to information leak
Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180" id="CVE-2012-1180" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nginx" release="1.8.amzn1" version="1.0.14"><filename>Packages/nginx-1.0.14-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nginx-debuginfo" release="1.8.amzn1" version="1.0.14"><filename>Packages/nginx-debuginfo-1.0.14-1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nginx-debuginfo" release="1.8.amzn1" version="1.0.14"><filename>Packages/nginx-debuginfo-1.0.14-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nginx" release="1.8.amzn1" version="1.0.14"><filename>Packages/nginx-1.0.14-1.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-64</id><title>Amazon Linux - ALAS-2012-64: low priority package update for iproute</title><issued date="2012-04-05 12:51" /><updated date="2014-09-14 16:09" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1088:
iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by (1) configure or (2) examples/dhcp-client-script.
797878:
CVE-2012-1088 iproute: multiple insecure temporary file use issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1088" id="CVE-2012-1088" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="iproute-doc" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-doc-3.2.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="iproute-devel" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-devel-3.2.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="iproute" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-3.2.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="iproute-debuginfo" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-debuginfo-3.2.0-3.7.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="iproute-doc" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-doc-3.2.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="iproute-devel" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-devel-3.2.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="iproute-debuginfo" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-debuginfo-3.2.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="iproute" release="3.7.amzn1" version="3.2.0"><filename>Packages/iproute-3.2.0-3.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-65</id><title>Amazon Linux - ALAS-2012-65: important priority package update for libtiff</title><issued date="2012-04-30 14:43" /><updated date="2014-09-14 15:46" 
/><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1173:
Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
803078:
CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173" id="CVE-2012-1173" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0468.html" id="RHSA-2012:0468" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libtiff-debuginfo" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-5.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-5.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-5.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-5.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="5.8.amzn1" 
version="3.9.4"><filename>Packages/libtiff-static-3.9.4-5.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-5.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-devel" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-5.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="5.8.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-5.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-66</id><title>Amazon Linux - ALAS-2012-66: important priority package update for freetype</title><issued date="2012-04-30 14:46" /><updated date="2014-09-14 15:48" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1134:
800592:
CVE-2012-1134 freetype: limited heap buffer overflow in Type1 parser T1_Get_Private_Dict() (#35608)
Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.

CVE-2012-1126:
Multiple flaws were found in the way FreeType handled fonts in various formats. 
If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.
800581:
CVE-2012-1126 freetype: heap buffer over-read in BDF parsing _bdf_is_atom() (#35597, #35598)
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1126" id="CVE-2012-1126" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1134" id="CVE-2012-1134" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0467.html" id="RHSA-2012:0467" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="freetype" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-demos" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-devel" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-debuginfo" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-6.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-demos" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-debuginfo" release="6.12.amzn1" 
version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-devel" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype" release="6.12.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-6.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-67</id><title>Amazon Linux - ALAS-2012-67: medium priority package update for nvidia</title><issued date="2012-04-30 14:47" /><updated date="2014-09-14 16:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0946:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946" id="CVE-2012-0946" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="x86_64" epoch="0" name="nvidia" release="1.1.amzn1" version="295.40.3.2.12"><filename>Packages/nvidia-295.40.3.2.12-1.1.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nvidia-kmod" release="1.1.amzn1" version="295.40.3.2.12"><filename>Packages/nvidia-kmod-295.40.3.2.12-1.1.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nvidia-kmod-3.2.12-3.2.4.amzn1" release="1.1.amzn1" version="295.40"><filename>Packages/nvidia-kmod-3.2.12-3.2.4.amzn1-295.40-1.1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-68</id><title>Amazon Linux - ALAS-2012-68: medium priority package update for libpng</title><issued date="2012-04-30 
14:52" /><updated date="2014-09-14 15:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3048:
The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.
808139:
CVE-2011-3048 libpng: memory corruption flaw
A heap-based buffer overflow flaw was found in the way libpng processed tEXt chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048" id="CVE-2011-3048" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0523.html" id="RHSA-2012:0523" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="2" name="libpng-devel" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-devel-1.2.49-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-static" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-static-1.2.49-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-debuginfo" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-debuginfo-1.2.49-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-1.2.49-1.12.amzn1.i686.rpm</filename></package><package 
arch="x86_64" epoch="2" name="libpng-static" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-static-1.2.49-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-1.2.49-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-debuginfo" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-debuginfo-1.2.49-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-devel" release="1.12.amzn1" version="1.2.49"><filename>Packages/libpng-devel-1.2.49-1.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-69</id><title>Amazon Linux - ALAS-2012-69: low priority package update for perl-YAML-LibYAML</title><issued date="2012-04-30 14:53" /><updated date="2014-09-14 15:59" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1152:
801738:
CVE-2012-1152 perl-YAML-LibYAML: Multiple format string flaws by reporting errors during YAML document load
Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifiers in a (1) YAML stream to the Load function, (2) YAML node to the load_node function, (3) YAML mapping to the load_mapping function, or (4) YAML sequence to the load_sequence function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1152" id="CVE-2012-1152" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="perl-YAML-LibYAML-debuginfo" release="2.2.amzn1" version="0.38"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.38-2.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-YAML-LibYAML" release="2.2.amzn1" version="0.38"><filename>Packages/perl-YAML-LibYAML-0.38-2.2.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-YAML-LibYAML-debuginfo" release="2.2.amzn1" version="0.38"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.38-2.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-YAML-LibYAML" release="2.2.amzn1" version="0.38"><filename>Packages/perl-YAML-LibYAML-0.38-2.2.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-70</id><title>Amazon Linux - ALAS-2012-70: medium priority package update for quagga</title><issued date="2012-04-30 14:55" /><updated date="2014-09-14 15:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0250:
Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field.
A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router.
802829:
CVE-2012-0250 quagga (ospfd): Crash by processing LS-Update OSPF packet due improper length check of the Network-LSA structures
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0250" id="CVE-2012-0250" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="quagga-contrib" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-contrib-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-devel" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-devel-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-debuginfo" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-debuginfo-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-contrib" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-contrib-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-devel" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-devel-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-debuginfo" release="1.4.amzn1" version="0.99.20.1"><filename>Packages/quagga-debuginfo-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-71</id><title>Amazon Linux - ALAS-2012-71: medium priority package 
update for wireshark</title><issued date="2012-04-30 16:16" /><updated date="2014-09-14 15:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1590:
697741:
CVE-2011-1590 Wireshark: Use-after-free causes heap-based buffer overflow in X.509if dissector
Several flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x before 1.4.5 does not properly initialize certain global variables, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file.

CVE-2011-1143:
681760:
CVE-2011-1143 Wireshark: Null pointer dereference causing application crash when reading malformed pcap file
epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file.
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1143" id="CVE-2011-1143" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1590" id="CVE-2011-1590" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0509.html" id="RHSA-2012:0509" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="wireshark-devel" release="2.10.amzn1" version="1.2.15"><filename>Packages/wireshark-devel-1.2.15-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark" release="2.10.amzn1" version="1.2.15"><filename>Packages/wireshark-1.2.15-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-debuginfo" release="2.10.amzn1" version="1.2.15"><filename>Packages/wireshark-debuginfo-1.2.15-2.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-debuginfo" release="2.10.amzn1" version="1.2.15"><filename>Packages/wireshark-debuginfo-1.2.15-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-devel" release="2.10.amzn1" version="1.2.15"><filename>Packages/wireshark-devel-1.2.15-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark" release="2.10.amzn1" version="1.2.15"><filename>Packages/wireshark-1.2.15-2.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-72</id><title>Amazon Linux - ALAS-2012-72: important priority package update for openssl</title><issued date="2012-05-02 12:28" /><updated date="2014-09-14 15:52" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2110:
The 
asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
814185:
CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110" id="CVE-2012-2110" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0518.html" id="RHSA-2012:0518" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssl-static" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-static-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-devel" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-devel-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-perl" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-perl-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-debuginfo" release="1.41.amzn1" 
version="1.0.0i"><filename>Packages/openssl-debuginfo-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-devel" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-devel-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-perl" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-perl-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-static" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-static-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-debuginfo" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-debuginfo-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl" release="1.41.amzn1" version="1.0.0i"><filename>Packages/openssl-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-73</id><title>Amazon Linux - ALAS-2012-73: important priority package update for openssl098e</title><issued date="2012-05-02 12:31" /><updated date="2014-09-14 15:52" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 738 CVE-2012-2110: 739 The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. 
740 814185: 741 CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow 742 Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. 743 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110" id="CVE-2012-2110" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0518.html" id="RHSA-2012:0518" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssl098e" release="17.8.amzn1" version="0.9.8e"><filename>Packages/openssl098e-0.9.8e-17.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl098e-debuginfo" release="17.8.amzn1" version="0.9.8e"><filename>Packages/openssl098e-debuginfo-0.9.8e-17.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl098e-debuginfo" release="17.8.amzn1" version="0.9.8e"><filename>Packages/openssl098e-debuginfo-0.9.8e-17.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl098e" release="17.8.amzn1" version="0.9.8e"><filename>Packages/openssl098e-0.9.8e-17.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-74</id><title>Amazon Linux - ALAS-2012-74: important priority package update for nginx</title><issued date="2012-05-08 23:12" /><updated date="2014-09-14 16:09" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities: 744 CVE-2012-2089: 745 812093: 746 CVE-2012-2089 nginx: arbitrary code execution in mp4 pseudo-streaming module 747 Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file. 748 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2089" id="CVE-2012-2089" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nginx" release="1.9.amzn1" version="1.0.15"><filename>Packages/nginx-1.0.15-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nginx-debuginfo" release="1.9.amzn1" version="1.0.15"><filename>Packages/nginx-debuginfo-1.0.15-1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nginx" release="1.9.amzn1" version="1.0.15"><filename>Packages/nginx-1.0.15-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nginx-debuginfo" release="1.9.amzn1" version="1.0.15"><filename>Packages/nginx-debuginfo-1.0.15-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-75</id><title>Amazon Linux - ALAS-2012-75: medium priority package update for puppet</title><issued date="2012-05-08 23:13" /><updated date="2014-09-14 16:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 749 CVE-2012-1986: 750 Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain 
permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket. 751 810069: 752 CVE-2012-1986 puppet: Filebucket arbitrary file read 753 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1986" id="CVE-2012-1986" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="puppet-debuginfo" release="1.6.amzn1" version="2.6.16"><filename>Packages/puppet-debuginfo-2.6.16-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="1.6.amzn1" version="2.6.16"><filename>Packages/puppet-2.6.16-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-server" release="1.6.amzn1" version="2.6.16"><filename>Packages/puppet-server-2.6.16-1.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="1.6.amzn1" version="2.6.16"><filename>Packages/puppet-debuginfo-2.6.16-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="1.6.amzn1" version="2.6.16"><filename>Packages/puppet-2.6.16-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="1.6.amzn1" version="2.6.16"><filename>Packages/puppet-server-2.6.16-1.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-76</id><title>Amazon Linux - ALAS-2012-76: medium priority package update for ImageMagick</title><issued date="2012-05-08 23:14" /><updated date="2014-09-14 16:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 754 CVE-2012-1798: 755 The TIFFGetEXIFProperties function in coders/tiff.c in 
ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted EXIF IFD in a TIFF image.
An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially-crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash.
807997:
CVE-2012-1798 ImageMagick: Out-of-bounds buffer read by copying image bytes for TIFF images with crafted TIFF EXIF IFD value

CVE-2012-0260:
807994:
CVE-2012-0260 ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers
The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (memory consumption) via a JPEG image with a crafted sequence of restart markers.
A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time.

CVE-2012-0259:
An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash.
The GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read.
807993:
CVE-2012-0259 ImageMagick: Out-of heap-based buffer read by processing crafted JPEG EXIF header tag value

CVE-2012-0248:
A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
789443:
CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF.

CVE-2012-0247:
A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code.
789443:
CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted offset and count values in the ResolutionUnit tag in the EXIF IFD0 of an image.

CVE-2010-4167:
Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory.
It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially-crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code.
787 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0259" id="CVE-2012-0259" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0247" id="CVE-2012-0247" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0248" id="CVE-2012-0248" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4167" id="CVE-2010-4167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1798" id="CVE-2012-1798" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0260" id="CVE-2012-0260" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0544.html" id="RHSA-2012:0544" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="ImageMagick-doc" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-doc-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-devel" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-devel-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-debuginfo" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-debuginfo-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-perl" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-perl-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++-devel" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-c++-devel-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++" release="6.12.amzn1" 
version="6.5.4.7"><filename>Packages/ImageMagick-c++-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-c++-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++-devel" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-c++-devel-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-devel" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-devel-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-doc" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-doc-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-debuginfo" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-debuginfo-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-perl" release="6.12.amzn1" version="6.5.4.7"><filename>Packages/ImageMagick-perl-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-77</id><title>Amazon Linux - ALAS-2012-77: critical priority package update for php</title><issued date="2012-05-09 14:54" /><updated date="2014-09-14 16:10" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2012-1823:
818607:
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
794 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823" id="CVE-2012-1823" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0546.html" id="RHSA-2012:0546" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-dba" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-dba-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-process-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mysql-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-xml-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-pdo-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-snmp-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mbstring-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-devel-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-xmlrpc-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mssql-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php-soap" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-soap-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-odbc-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-bcmath-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mcrypt-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-tidy-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-debuginfo-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-ldap-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-recode-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-fpm-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-common-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-imap-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.20.amzn1" 
version="5.3.13"><filename>Packages/php-embedded-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-cli-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-pgsql-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-intl-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mysqlnd-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-pspell-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-gd-5.3.13-1.20.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-snmp-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mcrypt-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-devel-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-dba-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.20.amzn1" 
version="5.3.13"><filename>Packages/php-mssql-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-process-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-imap-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-pspell-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-bcmath-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-common-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-xml-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-odbc-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-debuginfo-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-xmlrpc-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-fpm-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-cli-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.20.amzn1" 
version="5.3.13"><filename>Packages/php-pgsql-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mbstring-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-ldap-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-recode-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-intl-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-soap-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mysqlnd-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-tidy-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-mysql-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-pdo-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-embedded-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.20.amzn1" version="5.3.13"><filename>Packages/php-gd-5.3.13-1.20.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-78</id><title>Amazon Linux - ALAS-2012-78: low priority package update for kernel</title><issued date="2012-05-21 16:47" /><updated date="2014-09-14 16:11" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2313:
* A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
818820:
CVE-2012-2313 kernel: unfiltered netdev rio_ioctl access by users
The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.
800 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2313" id="CVE-2012-2313" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-doc-3.2.18-1.26.6.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-tools-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-headers-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-debuginfo-common-i686-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-debuginfo-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-tools-debuginfo-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-devel-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-tools-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="1.26.6.amzn1" 
version="3.2.18"><filename>Packages/kernel-debuginfo-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-tools-debuginfo-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-devel-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-headers-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="1.26.6.amzn1" version="3.2.18"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-79</id><title>Amazon Linux - ALAS-2012-79: medium priority package update for rubygems</title><issued date="2012-05-21 16:48" /><updated date="2014-09-14 16:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 801 CVE-2012-2125: 802 814718: 803 CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23 804 It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP. 
805 RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. 806 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2125" id="CVE-2012-2125" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="rubygems-devel" release="3.1.amzn1" version="1.8.11"><filename>Packages/rubygems-devel-1.8.11-3.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems" release="3.1.amzn1" version="1.8.11"><filename>Packages/rubygems-1.8.11-3.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-80</id><title>Amazon Linux - ALAS-2012-80: medium priority package update for python26</title><issued date="2012-05-21 16:50" /><updated date="2014-09-14 16:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 807 CVE-2012-0845: 808 A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer. 809 789790: 810 CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request 811 SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845" id="CVE-2012-0845" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="python26-devel" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-devel-2.6.8-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-tools" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-tools-2.6.8-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-test-2.6.8-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-debuginfo" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-debuginfo-2.6.8-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-2.6.8-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-libs-2.6.8-1.45.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-debuginfo-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-devel" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-devel-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-libs" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-libs-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test"
release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-test-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-tools" release="1.45.amzn1" version="2.6.8"><filename>Packages/python26-tools-2.6.8-1.45.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-81</id><title>Amazon Linux - ALAS-2012-81: medium priority package update for python27</title><issued date="2012-05-21 16:52" /><updated date="2014-09-14 16:12" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0845:
A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer.
789790:
CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845" id="CVE-2012-0845" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="python27" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-2.7.3-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-libs-2.7.3-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-devel-2.7.3-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-test-2.7.3-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-tools-2.7.3-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-debuginfo-2.7.3-1.18.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-libs-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-tools-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-test-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="1.18.amzn1"
version="2.7.3"><filename>Packages/python27-devel-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="1.18.amzn1" version="2.7.3"><filename>Packages/python27-debuginfo-2.7.3-1.18.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-82</id><title>Amazon Linux - ALAS-2012-82: medium priority package update for postgresql8</title><issued date="2012-05-23 10:08" /><updated date="2014-09-14 16:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0868:
The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation.
797917:
CVE-2012-0868 postgresql: SQL injection due unsanitized newline characters in object names
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.

CVE-2012-0867:
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
797915:
CVE-2012-0867 postgresql: MITM due improper x509_v3 CN validation during certificate verification
When configured to do SSL certificate verification, PostgreSQL only checked the first 31 characters of the certificate's Common Name field. Depending on the configuration, this could allow an attacker to impersonate a server or a client using a certificate from a trusted Certificate Authority issued for a different name.

CVE-2012-0866:
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing.
797222:
CVE-2012-0866 postgresql: Absent permission checks on trigger function to be called when creating a trigger
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866" id="CVE-2012-0866" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867" id="CVE-2012-0867" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868" id="CVE-2012-0868" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0678.html" id="RHSA-2012:0678" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="postgresql8-libs" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-libs-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-test-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-plperl-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-contrib-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-debuginfo-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-pltcl-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="postgresql8-plpython" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-plpython-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-docs-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-devel-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-server-8.4.11-1.34.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-pltcl-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-debuginfo-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-plpython-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-docs-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-plperl-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-devel-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-libs-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="postgresql8-contrib" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-contrib-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-server-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-test-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="1.34.amzn1" version="8.4.11"><filename>Packages/postgresql8-8.4.11-1.34.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-83</id><title>Amazon Linux - ALAS-2012-83: medium priority package update for kernel</title><issued date="2012-06-10 11:46" /><updated date="2014-09-14 16:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2136:
816289:
CVE-2012-2136 kernel: net: insufficient data_len validation in sock_alloc_send_pskb()
* It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host.
* It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access.
The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2136" id="CVE-2012-2136" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0690.html" id="RHSA-2012:0690" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-doc-3.2.19-1.28.6.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-headers-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-tools-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-devel-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-debuginfo-common-i686-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-tools-debuginfo-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="1.28.6.amzn1"
version="3.2.19"><filename>Packages/kernel-debuginfo-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-tools-debuginfo-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-tools-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-debuginfo-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-devel-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-headers-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="1.28.6.amzn1" version="3.2.19"><filename>Packages/kernel-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-84</id><title>Amazon Linux - ALAS-2012-84: important priority package update for bind</title><issued date="2012-06-10 11:47" /><updated date="2014-09-14 16:18" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1667:
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.
828078:
CVE-2012-1667 bind: handling of zero length rdata can cause named to terminate unexpectedly
A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.

CVE-2012-1033:
The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.
788650:
CVE-2012-1033 bind: deleted domain name resolving flaw
A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667" id="CVE-2012-1667" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033" id="CVE-2012-1033" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0716.html" id="RHSA-2012:0716" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="32" name="bind-chroot" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-chroot-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-devel-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-utils-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-libs-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-sdb-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-debuginfo-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-sdb-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-chroot-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="32" name="bind-libs" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-libs-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-debuginfo-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-devel-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="1.P1.18.amzn1" version="9.7.6"><filename>Packages/bind-utils-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-85</id><title>Amazon Linux - ALAS-2012-85: medium priority package update for openssl</title><issued date="2012-06-10 11:48" /><updated date="2014-09-14 16:18" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2333:
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious DTLS client or server could use this flaw to crash its DTLS connection peer.
820686:
CVE-2012-2333 openssl: record length handling integer underflow
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333" id="CVE-2012-2333" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0699.html" id="RHSA-2012:0699" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssl-static" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-static-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-debuginfo" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-debuginfo-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-perl" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-perl-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-devel" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-devel-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-devel" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-devel-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-perl" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-perl-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="openssl" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-debuginfo" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-debuginfo-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-static" release="1.43.amzn1" version="1.0.0j"><filename>Packages/openssl-static-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-86</id><title>Amazon Linux - ALAS-2012-86: medium priority package update for python-crypto</title><issued date="2012-06-11 10:27" /><updated date="2014-09-14 16:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2417:
825162:
CVE-2012-2417 python-crypto: Insecure ElGamal key generation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417" id="CVE-2012-2417" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="python-crypto" release="6.5.amzn1" version="2.3"><filename>Packages/python-crypto-2.3-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python-crypto-debuginfo" release="6.5.amzn1" version="2.3"><filename>Packages/python-crypto-debuginfo-2.3-6.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python-crypto-debuginfo" release="6.5.amzn1" version="2.3"><filename>Packages/python-crypto-debuginfo-2.3-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python-crypto" release="6.5.amzn1"
version="2.3"><filename>Packages/python-crypto-2.3-6.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-87</id><title>Amazon Linux - ALAS-2012-87: medium priority package update for socat</title><issued date="2012-06-11 10:28" /><updated date="2014-09-14 16:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 866 CVE-2012-0219: 867 821552: 868 CVE-2012-0219 socat: heap-based buffer overflow flaw leads to arbitrary code execution 869 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0219" id="CVE-2012-0219" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="socat-debuginfo" release="1.6.amzn1" version="1.7.2.1"><filename>Packages/socat-debuginfo-1.7.2.1-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="socat" release="1.6.amzn1" version="1.7.2.1"><filename>Packages/socat-1.7.2.1-1.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="socat" release="1.6.amzn1" version="1.7.2.1"><filename>Packages/socat-1.7.2.1-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="socat-debuginfo" release="1.6.amzn1" version="1.7.2.1"><filename>Packages/socat-debuginfo-1.7.2.1-1.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-88</id><title>Amazon Linux - ALAS-2012-88: important priority package update for java-1.6.0-openjdk</title><issued date="2012-06-19 15:58" /><updated date="2014-09-14 16:20" /><severity>important</severity><description>Package updates are available for Amazon Linux that 
fix the following vulnerabilities: 870 CVE-2012-1724: 871 829374: 872 CVE-2012-1724 OpenJDK: XML parsing infinite loop (JAXP, 7157609) 873 It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop. 874 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect availability, related to JAXP. 875 876 CVE-2012-1723: 877 829373: 878 CVE-2012-1723 OpenJDK: insufficient field accessibility checks (HotSpot, 7152811) 879 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 880 Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions. 881 882 CVE-2012-1718: 883 829372: 884 CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872) 885 It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored. 886 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security. 
887 888 CVE-2012-1717: 889 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows local users to affect confidentiality via unknown vectors related to printing on Solaris or Linux. 890 829358: 891 CVE-2012-1717 OpenJDK: insecure temporary file permissions (JRE, 7143606) 892 It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files. 893 894 CVE-2012-1716: 895 It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. 896 829360: 897 CVE-2012-1716 OpenJDK: SynthLookAndFeel application context bypass (Swing, 7143614) 898 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing. 899 900 CVE-2012-1713: 901 This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. 902 Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine. 
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
829361:
CVE-2012-1713 OpenJDK: fontmanager layout lookup code memory corruption (2D, 7143617)

CVE-2012-1711:
829354:
CVE-2012-1711 OpenJDK: improper protection of CORBA data models (CORBA, 7079902)
Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to CORBA.
912 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1724" id="CVE-2012-1724" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1718" id="CVE-2012-1718" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723" id="CVE-2012-1723" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1717" id="CVE-2012-1717" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1716" id="CVE-2012-1716" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1711" id="CVE-2012-1711" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1713" id="CVE-2012-1713" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0729.html" id="RHSA-2012:0729" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.11.3.45.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.11.3.45.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-89</id><title>Amazon Linux - ALAS-2012-89: medium priority package update for expat</title><issued date="2012-06-19 15:59" /><updated date="2014-09-14 16:21" /><severity>medium</severity><description>Package updates are 
available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1148:
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
801648:
CVE-2012-1148 expat: Memory leak in poolGrow

CVE-2012-0876:
786617:
CVE-2012-0876 expat: hash table collisions CPU usage DoS
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
924 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148" id="CVE-2012-1148" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876" id="CVE-2012-0876" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0731.html" id="RHSA-2012:0731" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="expat-devel" release="11.9.amzn1" version="2.0.1"><filename>Packages/expat-devel-2.0.1-11.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="expat-debuginfo" release="11.9.amzn1" version="2.0.1"><filename>Packages/expat-debuginfo-2.0.1-11.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="expat" release="11.9.amzn1" version="2.0.1"><filename>Packages/expat-2.0.1-11.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="expat-devel" release="11.9.amzn1" version="2.0.1"><filename>Packages/expat-devel-2.0.1-11.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="expat" release="11.9.amzn1" version="2.0.1"><filename>Packages/expat-2.0.1-11.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="expat-debuginfo" release="11.9.amzn1" version="2.0.1"><filename>Packages/expat-debuginfo-2.0.1-11.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-90</id><title>Amazon Linux - ALAS-2012-90: low priority package update for quagga</title><issued date="2012-06-19 16:01" /><updated date="2014-09-14 16:37" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 925 CVE-2012-1820: 926 817580: 927 CVE-2012-1820 quagga (bgpd): Assertion failure by processing BGP 
OPEN message with malformed ORF capability TLV (VU#962587) 928 Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially-crafted BGP OPEN message. 929 The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message. 930 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1820" id="CVE-2012-1820" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="quagga-devel" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-devel-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-debuginfo" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-debuginfo-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-contrib" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-contrib-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-debuginfo" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-debuginfo-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-devel" release="1.5.amzn1" 
version="0.99.20.1"><filename>Packages/quagga-devel-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-contrib" release="1.5.amzn1" version="0.99.20.1"><filename>Packages/quagga-contrib-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-91</id><title>Amazon Linux - ALAS-2012-91: medium priority package update for postgresql9</title><issued date="2012-06-19 16:02" /><updated date="2014-09-14 16:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 931 CVE-2012-2143: 932 A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources. 933 816956: 934 CVE-2012-2143 BSD crypt(): DES encrypted password weakness 935 A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. 
936 The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. 937 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143" id="CVE-2012-2143" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="postgresql9-debuginfo" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-debuginfo-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-server" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-server-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-libs" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-libs-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-test" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-test-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-contrib" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-contrib-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plpython" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-plpython-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plperl" release="1.21.amzn1" 
version="9.1.4"><filename>Packages/postgresql9-plperl-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-devel" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-devel-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-pltcl" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-pltcl-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-docs" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-docs-9.1.4-1.21.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-server" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-server-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-test" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-test-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plpython" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-plpython-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-contrib" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-contrib-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-docs" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-docs-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-libs" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-libs-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-devel" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-devel-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9" release="1.21.amzn1" 
version="9.1.4"><filename>Packages/postgresql9-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-debuginfo" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-debuginfo-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-pltcl" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-pltcl-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plperl" release="1.21.amzn1" version="9.1.4"><filename>Packages/postgresql9-plperl-9.1.4-1.21.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-92</id><title>Amazon Linux - ALAS-2012-92: low priority package update for mysql51</title><issued date="2012-07-05 13:59" /><updated date="2014-09-14 16:22" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 938 CVE-2012-2102: 939 812431: 940 CVE-2012-2102 mysql: Server crash on HANDLER READ NEXT after DELETE 941 A flaw was found in the way MySQL processed HANDLER READ NEXT statements after deleting a record. A remote, authenticated attacker could use this flaw to provide such requests, causing mysqld to crash. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash. 942 MySQL 5.1.x before 5.1.62 and 5.5.x before 5.5.22 allows remote authenticated users to cause a denial of service (assertion failure and mysqld abort) by deleting a record and using HANDLER READ NEXT. 
943 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2102" id="CVE-2012-2102" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0874.html" id="RHSA-2012:0874" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="mysql51-server" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-server-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-embedded-devel-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-common-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-libs-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-test-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-devel-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-embedded-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-bench" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-bench-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="4.54.amzn1" 
version="5.1.61"><filename>Packages/mysql51-debuginfo-5.1.61-4.54.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-common-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-server" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-server-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-bench-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-devel-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-debuginfo-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-libs-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-test-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-embedded-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="4.54.amzn1" version="5.1.61"><filename>Packages/mysql51-embedded-devel-5.1.61-4.54.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2012-93</id><title>Amazon Linux - ALAS-2012-93: important priority package update for mysql55</title><issued date="2012-07-05 16:07" /><updated date="2014-09-14 16:23" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 944 CVE-2012-2122: 945 This update also adds a patch for a potential flaw in the MySQL password checking function, which could allow an attacker to log into any MySQL account without knowing the correct password. This problem 946 814605: 947 CVE-2012-2122 mysql: incorrect type case in check_scramble() leading to authentication bypass 948 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122" id="CVE-2012-2122" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-embedded-devel-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-debuginfo-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-server-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-common" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-common-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-test-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-embedded-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" 
release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-bench-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-libs-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-devel-5.5.24-1.24.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-libs-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-test-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-embedded-devel-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-debuginfo-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-bench-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-common" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-common-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.24.amzn1" 
version="5.5.24"><filename>Packages/mysql55-devel-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-server-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.24.amzn1" version="5.5.24"><filename>Packages/mysql55-embedded-5.5.24-1.24.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-94</id><title>Amazon Linux - ALAS-2012-94: medium priority package update for postgresql8</title><issued date="2012-07-05 16:08" /><updated date="2014-09-14 16:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 949 CVE-2012-2655: 950 PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler. 951 A denial of service flaw was found in the way the PostgreSQL server performed a user privileges check when applying SECURITY DEFINER or SET attributes to a procedural language's (such as PL/Perl or PL/Python) call handler function. A non-superuser database owner could use this flaw to cause the PostgreSQL server to crash due to infinite recursion. 952 825995: 953 CVE-2012-2655 postgresql: Ability of database owners to install procedural languages via CREATE LANGUAGE found unsafe (DoS) 954 955 CVE-2012-2143: 956 A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. 
If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
816956:
CVE-2012-2143 BSD crypt(): DES encrypted password weakness
A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength.
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
961 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2655" id="CVE-2012-2655" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143" id="CVE-2012-2143" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1037.html" id="RHSA-2012:1037" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="postgresql8-test" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-test-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-pltcl-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-plperl-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-contrib-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-docs-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-debuginfo-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-server-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="1.35.amzn1" 
version="8.4.12"><filename>Packages/postgresql8-libs-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-plpython-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-devel-8.4.12-1.35.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-plpython-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-devel-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-debuginfo-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-plperl-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-contrib-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-test-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-docs-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" 
release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-server-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-libs-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="1.35.amzn1" version="8.4.12"><filename>Packages/postgresql8-pltcl-8.4.12-1.35.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-95</id><title>Amazon Linux - ALAS-2012-95: medium priority package update for php</title><issued date="2012-07-05 16:09" /><updated date="2014-09-14 16:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 962 CVE-2012-2386: 963 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the PHP phar extension processed certain fields of tar archive files. A remote attacker could provide a specially-crafted tar archive file that, when processed by a PHP application using the phar extension, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running PHP. 964 Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow. 
823594:
CVE-2012-2386 php: Integer overflow leading to heap-buffer overflow in the Phar extension

CVE-2012-2143:
A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
816956:
CVE-2012-2143 BSD crypt(): DES encrypted password weakness
A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength.
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
974 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386" id="CVE-2012-2386" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143" id="CVE-2012-2143" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-intl" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-intl-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mysql-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mbstring-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-xmlrpc-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-recode-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-xml-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-embedded-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mcrypt-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-bcmath-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-dba-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php-odbc" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-odbc-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-soap-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-debuginfo-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-tidy-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-devel-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-snmp-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-pgsql-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-process-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-fpm-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mysqlnd-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-ldap-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="2.21.amzn1" 
version="5.3.14"><filename>Packages/php-pspell-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-imap-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mssql-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-common-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-cli-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-pdo-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-gd-5.3.14-2.21.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mssql-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-cli-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-fpm-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-pgsql-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-common-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="2.21.amzn1" 
version="5.3.14"><filename>Packages/php-bcmath-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-embedded-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-xmlrpc-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-recode-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-gd-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-pspell-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-odbc-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mbstring-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-soap-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-intl-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-devel-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="2.21.amzn1" 
version="5.3.14"><filename>Packages/php-ldap-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mysqlnd-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-dba-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-debuginfo-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-xml-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-tidy-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-process-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-pdo-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mcrypt-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-imap-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-mysql-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="2.21.amzn1" version="5.3.14"><filename>Packages/php-snmp-5.3.14-2.21.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-96</id><title>Amazon Linux - ALAS-2012-96: low priority package update for php-pecl-apc</title><issued date="2012-07-05 16:13" /><updated date="2014-09-14 16:26" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 975 CVE-2010-3294: 976 634334: 977 CVE-2010-3294 php-pecl-apc: potential XSS in apc.php 978 A cross-site scripting (XSS) flaw was found in the "apc.php" script, which provides a detailed analysis of the internal workings of APC and is shipped as part of the APC extension documentation. A remote attacker could possibly use this flaw to conduct a cross-site scripting attack. 979 Cross-site scripting (XSS) vulnerability in apc.php in the Alternative PHP Cache (APC) extension before 3.1.4 for PHP allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 980 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3294" id="CVE-2010-3294" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0811.html" id="RHSA-2012:0811" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-pecl-apc" release="1.4.amzn1" version="3.1.10"><filename>Packages/php-pecl-apc-3.1.10-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pecl-apc-debuginfo" release="1.4.amzn1" version="3.1.10"><filename>Packages/php-pecl-apc-debuginfo-3.1.10-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pecl-apc-devel" release="1.4.amzn1" version="3.1.10"><filename>Packages/php-pecl-apc-devel-3.1.10-1.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pecl-apc-devel" release="1.4.amzn1" 
version="3.1.10"><filename>Packages/php-pecl-apc-devel-3.1.10-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pecl-apc-debuginfo" release="1.4.amzn1" version="3.1.10"><filename>Packages/php-pecl-apc-debuginfo-3.1.10-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pecl-apc" release="1.4.amzn1" version="3.1.10"><filename>Packages/php-pecl-apc-3.1.10-1.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-97</id><title>Amazon Linux - ALAS-2012-97: medium priority package update for net-snmp</title><issued date="2012-07-05 16:15" /><updated date="2014-09-14 16:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 981 CVE-2012-2141: 982 An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could use this flaw to crash snmpd via a crafted SNMP GET request. 983 815813: 984 CVE-2012-2141 net-snmp: Array index error, leading to out-of heap-based buffer read (snmpd crash) 985 An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could use this flaw to crash snmpd via a crafted SNMP GET request. 986 Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table. 
987 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2141" id="CVE-2012-2141" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0876.html" id="RHSA-2012:0876" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="net-snmp-perl" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-perl-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-utils" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-utils-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-libs" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-libs-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-python" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-python-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-debuginfo" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-debuginfo-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-devel" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-devel-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-5.5-41.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-python" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-python-5.5-41.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-5.5-41.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-debuginfo" release="41.10.amzn1" 
version="5.5"><filename>Packages/net-snmp-debuginfo-5.5-41.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-libs" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-libs-5.5-41.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-devel" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-devel-5.5-41.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-perl" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-perl-5.5-41.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-utils" release="41.10.amzn1" version="5.5"><filename>Packages/net-snmp-utils-5.5-41.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-98</id><title>Amazon Linux - ALAS-2012-98: low priority package update for python26</title><issued date="2012-07-05 16:16" /><updated date="2014-09-14 16:31" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 988 CVE-2012-1150: 989 750555: 990 CVE-2012-1150 python: hash table collisions CPU usage DoS (oCERT-2011-003) 991 Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. 992 A denial of service flaw was found in the implementation of associative arrays (dictionaries) in Python. 
An attacker able to supply a large number of inputs to a Python application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.

CVE-2012-0845:
A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer.
789790:
CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

CVE-2011-4944:
A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. If a local user had access to the home directory of another user who is running distutils, they could use this flaw to gain access to that user's .pypirc file, which can contain usernames and passwords for code repositories.
Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
1003 758905: 1004 CVE-2011-4944 python: distutils creates ~/.pypirc insecurely 1005 1006 CVE-2011-4940: 1007 The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding. 1008 803500: 1009 CVE-2011-4940 python: potential XSS in SimpleHTTPServer's list_directory() 1010 A flaw was found in the way the Python SimpleHTTPServer module generated directory listings. An attacker able to upload a file with a specially-crafted name to a server could possibly perform a cross-site scripting (XSS) attack against victims visiting a listing page generated by SimpleHTTPServer, for a directory containing the crafted file (if the victims were using certain web browsers). 1011 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944" id="CVE-2011-4944" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150" id="CVE-2012-1150" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845" id="CVE-2012-0845" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4940" id="CVE-2011-4940" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0744.html" id="RHSA-2012:0744" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="python26" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-2.6.8-2.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-test-2.6.8-2.28.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="python26-debuginfo" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-debuginfo-2.6.8-2.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-libs-2.6.8-2.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-devel" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-devel-2.6.8-2.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-tools" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-tools-2.6.8-2.28.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-devel" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-devel-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-debuginfo-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-test-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-tools" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-tools-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-libs" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-libs-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="2.28.amzn1" version="2.6.8"><filename>Packages/python26-2.6.8-2.28.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-99</id><title>Amazon Linux - ALAS-2012-99: medium priority package update for openssh</title><issued date="2012-07-05 16:18" 
/><updated date="2014-09-14 16:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 1012 CVE-2011-5000: 1013 The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant. 1014 809938: 1015 CVE-2011-5000 openssh: post-authentication resource exhaustion bug via GSSAPI 1016 A denial of service flaw was found in the OpenSSH GSSAPI authentication implementation. A remote, authenticated user could use this flaw to make the OpenSSH server daemon (sshd) use an excessive amount of memory, leading to a denial of service. GSSAPI authentication is enabled by default ("GSSAPIAuthentication yes" in "/etc/ssh/sshd_config"). 1017 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5000" id="CVE-2011-5000" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0884.html" id="RHSA-2012:0884" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openssh-ldap" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-ldap-5.3p1-81.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-debuginfo-5.3p1-81.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-5.3p1-81.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-server-5.3p1-81.17.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="openssh-clients" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-clients-5.3p1-81.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="81.17.amzn1" version="0.9"><filename>Packages/pam_ssh_agent_auth-0.9-81.17.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-server-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-debuginfo-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-clients-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="81.17.amzn1" version="5.3p1"><filename>Packages/openssh-ldap-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="81.17.amzn1" version="0.9"><filename>Packages/pam_ssh_agent_auth-0.9-81.17.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-100</id><title>Amazon Linux - ALAS-2012-100: medium priority package update for kernel</title><issued date="2012-07-05 16:19" /><updated date="2014-09-14 16:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 1018 CVE-2012-2372: 1019 822754: 1020 CVE-2012-2372 kernel: rds-ping cause kernel panic 1021 * A flaw in the Reliable Datagram Sockets (RDS) protocol 
implementation could allow a local, unprivileged user to cause a denial of service.
* A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service.
The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.

CVE-2011-4131:
The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words.
* A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client.
747106:
CVE-2011-4131 kernel: nfs4_getfacl decoding kernel oops

CVE-2011-1083:
The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
* A flaw was found in the way the Linux kernel's Event Poll (epoll) subsystem handled large, nested epoll structures. A local, unprivileged user could use this flaw to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372" id="CVE-2012-2372" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083" id="CVE-2011-1083" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4131" id="CVE-2011-4131" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0862.html" id="RHSA-2012:0862" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-doc-3.2.22-35.60.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-tools-debuginfo-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-headers-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-tools-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-devel-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-debuginfo-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="35.60.amzn1" 
version="3.2.22"><filename>Packages/kernel-debuginfo-common-i686-3.2.22-35.60.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-tools-debuginfo-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-tools-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-devel-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-debuginfo-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="35.60.amzn1" version="3.2.22"><filename>Packages/kernel-headers-3.2.22-35.60.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-101</id><title>Amazon Linux - ALAS-2012-101: medium priority package update for openldap</title><issued date="2012-07-05 16:21" /><updated date="2014-09-14 16:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1164:
802514:
CVE-2012-1164 openldap (slapd): Assertion failure by processing search queries requesting only attributes for
particular entry
slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially-crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1164" id="CVE-2012-1164" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0899.html" id="RHSA-2012:0899" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openldap-servers-sql" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-26.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-26.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-devel" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-26.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-debuginfo" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-26.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-clients" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-26.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-26.15.amzn1.i686.rpm</filename></package><package 
arch="x86_64" epoch="0" name="openldap-devel" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-clients" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers-sql" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-debuginfo" release="26.15.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-26.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-102</id><title>Amazon Linux - ALAS-2012-102: medium priority package update for nss</title><issued date="2012-07-05 16:22" /><updated date="2014-09-14 16:42" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2012:0973.html" id="RHSA-2012:0973" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nss-debuginfo" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-debuginfo-3.13.3-8.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-tools-3.13.3-8.25.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="nss-pkcs11-devel" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-pkcs11-devel-3.13.3-8.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-devel-3.13.3-8.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-sysinit-3.13.3-8.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-3.13.3-8.25.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-pkcs11-devel-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-tools-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-sysinit-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-debuginfo-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="8.25.amzn1" version="3.13.3"><filename>Packages/nss-devel-3.13.3-8.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-103</id><title>Amazon Linux - ALAS-2012-103: low priority package update for busybox</title><issued date="2012-07-05 16:23" /><updated date="2014-09-14 16:43" 
/><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2716:
The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages.

CVE-2006-1168:
The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow.
A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716" id="CVE-2011-2716" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1168" id="CVE-2006-1168" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0810.html" id="RHSA-2012:0810" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="busybox" release="2.11.amzn1" version="1.19.3"><filename>Packages/busybox-1.19.3-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="busybox-petitboot" release="2.11.amzn1" version="1.19.3"><filename>Packages/busybox-petitboot-1.19.3-2.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="busybox" release="2.11.amzn1" version="1.19.3"><filename>Packages/busybox-1.19.3-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="busybox-petitboot" release="2.11.amzn1" version="1.19.3"><filename>Packages/busybox-petitboot-1.19.3-2.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-104</id><title>Amazon Linux - ALAS-2012-104: low priority package update for xorg-x11-server</title><issued date="2012-07-05 16:24" /><updated date="2014-09-14 16:44" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4029:
A race condition was found in the way the X.Org server managed temporary lock files. A local attacker could use this flaw to perform a symbolic link attack, allowing them to make an arbitrary file world readable, leading to the disclosure of sensitive information.
745024:
CVE-2011-4029 xorg-x11-server: lock file chmod change race condition
The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.

CVE-2011-4028:
A flaw was found in the way the X.Org server handled lock files. A local user with access to the system console could use this flaw to determine the existence of a file in a directory not accessible to the user, via a symbolic link attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4029" id="CVE-2011-4029" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4028" id="CVE-2011-4028" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0939.html" id="RHSA-2012:0939" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="xorg-x11-server-common" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-common-1.10.6-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xvfb" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-Xvfb-1.10.6-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xephyr" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-Xephyr-1.10.6-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xnest" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-Xnest-1.10.6-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-debuginfo" release="1.12.amzn1" 
version="1.10.6"><filename>Packages/xorg-x11-server-debuginfo-1.10.6-1.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-debuginfo-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xephyr" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-Xephyr-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-Xnest-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-source-1.10.6-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-Xvfb-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-common" release="1.12.amzn1" version="1.10.6"><filename>Packages/xorg-x11-server-common-1.10.6-1.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-105</id><title>Amazon Linux - ALAS-2012-105: medium priority package update for rsyslog</title><issued date="2012-07-06 16:04" /><updated date="2014-09-14 16:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4623:
A numeric truncation error, leading to a heap-based buffer overflow, was found in the way the rsyslog imfile module processed text files containing long lines.
An attacker could use this flaw to crash the rsyslogd daemon or, possibly, execute arbitrary code with the privileges of rsyslogd, if they are able to cause a long line to be written to a log file that rsyslogd monitors with imfile. The imfile module is not enabled by default.
769822:
CVE-2011-4623 rsyslog: DoS due integer signedness error while extending rsyslog counted string buffer
Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4623" id="CVE-2011-4623" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0796.html" id="RHSA-2012:0796" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="rsyslog-gssapi" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-gssapi-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-snmp" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-snmp-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-mysql" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-mysql-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-pgsql" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-pgsql-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-gnutls" release="2.17.amzn1" 
version="5.8.10"><filename>Packages/rsyslog-gnutls-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-debuginfo" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-debuginfo-5.8.10-2.17.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-pgsql" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-pgsql-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-snmp" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-snmp-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-gnutls" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-gnutls-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-debuginfo" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-debuginfo-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-mysql" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-mysql-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-gssapi" release="2.17.amzn1" version="5.8.10"><filename>Packages/rsyslog-gssapi-5.8.10-2.17.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-106</id><title>Amazon Linux - ALAS-2012-106: important priority package update for libtiff</title><issued date="2012-07-06 16:18" /><updated date="2014-09-14 16:44" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2113:
Multiple integer
overflow flaws, leading to heap-based buffer overflows, were found in the tiff2pdf tool. An attacker could use these flaws to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
810551:
CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.

CVE-2012-2088:
832864:
CVE-2012-2088 libtiff: Type conversion flaw leading to heap-buffer overflow
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
libtiff did not properly convert between signed and unsigned integer values, leading to a buffer overflow. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088" id="CVE-2012-2088" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113" id="CVE-2012-2113" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1054.html" id="RHSA-2012:1054" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libtiff-devel" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-6.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-devel" release="6.10.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-6.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2012-107</id><title>Amazon Linux - ALAS-2012-107: medium priority package update for lighttpd</title><issued date="2012-07-09 14:20" /><updated date="2014-09-14 16:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4362:
Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
758624:
CVE-2011-4362 lighttpd: Out of bounds read due to a signedness error (DoS, crash)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4362" id="CVE-2011-4362" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="lighttpd-fastcgi" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-fastcgi-1.4.31-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-debuginfo" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-debuginfo-1.4.31-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_geoip" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-1.4.31-1.2.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-fastcgi" release="1.2.amzn1" 
version="1.4.31"><filename>Packages/lighttpd-fastcgi-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-debuginfo" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-debuginfo-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_geoip" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.2.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-108</id><title>Amazon Linux - ALAS-2012-108: medium priority package update for nss</title><issued date="2012-07-25 17:55" /><updated date="2014-09-14 16:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0441:
A flaw was found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handled zero length items. This flaw could cause the decoder to incorrectly skip or replace certain items with a default value, or could cause an application to crash if, for example, it received a specially-crafted OCSP (Online Certificate Status Protocol) response.
The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.
827833:
CVE-2012-0441 nss: NSS parsing errors with zero length items
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0441" id="CVE-2012-0441" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1091.html" id="RHSA-2012:1091" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="nss" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-3.13.5-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-debuginfo-3.13.5-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-pkcs11-devel-3.13.5-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-devel-3.13.5-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-tools-3.13.5-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-sysinit-3.13.5-1.26.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="1.26.amzn1" 
version="3.13.5"><filename>Packages/nss-debuginfo-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-tools-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-sysinit-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-pkcs11-devel-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-devel-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="1.26.amzn1" version="3.13.5"><filename>Packages/nss-3.13.5-1.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-109</id><title>Amazon Linux - ALAS-2012-109: medium priority package update for glibc</title><issued date="2012-07-25 17:56" /><updated date="2014-09-14 16:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3406:
It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
826943:
CVE-2012-3406 glibc: printf() unbound alloca() usage in case of positional parameters + many format specs

CVE-2012-3405:
833704:
CVE-2012-3405 glibc: incorrect use of extend_alloca() in formatted printing can lead to FORTIFY_SOURCE format string protection bypass
Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.

CVE-2012-3404:
833703:
CVE-2012-3404 glibc: incorrect size calculation in formatted printing can lead to FORTIFY_SOURCE format string protection bypass
Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406" id="CVE-2012-3406" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3405" id="CVE-2012-3405" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3404" id="CVE-2012-3404" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1098.html" id="RHSA-2012:1098" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="glibc-common" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="1.80.40.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel"
release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.80.40.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="1.80.40.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="1.80.40.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.80.40.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-110</id><title>Amazon Linux - ALAS-2012-110: medium priority package update for sudo</title><issued date="2012-07-25 18:00" /><updated date="2014-09-14 
16:47" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2337:
820677:
CVE-2012-2337 sudo: Multiple netmask values used in Host / Host_List configuration cause any host to be allowed access
sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4 address.
A flaw was found in the way the network matching code in sudo handled multiple IP networks listed in user specification configuration directives. A user, who is authorized to run commands with sudo on specific hosts, could use this flaw to bypass intended restrictions and run those commands on hosts not matched by any of the network specifications.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337" id="CVE-2012-2337" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1081.html" id="RHSA-2012:1081" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="sudo-debuginfo" release="12.14.amzn1" version="1.7.4p5"><filename>Packages/sudo-debuginfo-1.7.4p5-12.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo" release="12.14.amzn1" version="1.7.4p5"><filename>Packages/sudo-1.7.4p5-12.14.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-debuginfo" release="12.14.amzn1" version="1.7.4p5"><filename>Packages/sudo-debuginfo-1.7.4p5-12.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo" release="12.14.amzn1" version="1.7.4p5"><filename>Packages/sudo-1.7.4p5-12.14.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-111</id><title>Amazon Linux - ALAS-2012-111: important priority package update for openjpeg</title><issued date="2012-07-30 16:35" /><updated date="2014-09-14 16:47" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3358:
Multiple heap-based buffer overflows in the j2k_read_sot function in j2k.c in OpenJPEG 1.5 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted (1) tile number or (2) tile length in a JPEG 2000 image file.
835767:
CVE-2012-3358 openjpeg: heap-based buffer overflow when processing JPEG2000 image files
An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially-crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2009-5030:
812317:
CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by processing certain Gray16 TIFF images
OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially-crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted tile information in a Gray16 TIFF image, which causes insufficient memory to be allocated and leads to an "invalid free."
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5030" id="CVE-2009-5030" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358" id="CVE-2012-3358" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1068.html" id="RHSA-2012:1068" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openjpeg" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-8.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-devel" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-8.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-libs" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-8.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-debuginfo" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-8.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-debuginfo" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-8.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-libs" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-8.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg" release="8.5.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-8.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-devel" release="8.5.amzn1"
version="1.3"><filename>Packages/openjpeg-devel-1.3-8.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-112</id><title>Amazon Linux - ALAS-2012-112: medium priority package update for perl-DBD-Pg</title><issued date="2012-08-03 13:50" /><updated date="2014-09-14 16:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1151:
801733:
CVE-2012-1151 perl-DBD-Pg: Format string flaws by turning db notices into Perl warnings and by preparing DBD statement
Two format string flaws were found in perl-DBD-Pg. A specially-crafted database warning or error message from a server could cause an application using perl-DBD-Pg to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1151" id="CVE-2012-1151" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1116.html" id="RHSA-2012:1116" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="perl-DBD-Pg" release="4.3.amzn1" version="2.15.1"><filename>Packages/perl-DBD-Pg-2.15.1-4.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-DBD-Pg-debuginfo" release="4.3.amzn1" version="2.15.1"><filename>Packages/perl-DBD-Pg-debuginfo-2.15.1-4.3.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-DBD-Pg-debuginfo" release="4.3.amzn1" version="2.15.1"><filename>Packages/perl-DBD-Pg-debuginfo-2.15.1-4.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-DBD-Pg" release="4.3.amzn1" version="2.15.1"><filename>Packages/perl-DBD-Pg-2.15.1-4.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-113</id><title>Amazon Linux - ALAS-2012-113: important priority package update for bind</title><issued date="2012-08-03 15:55" /><updated date="2014-09-14 16:49" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3817:
ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries.
An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled.
A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
842897:
CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817" id="CVE-2012-3817" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1123.html" id="RHSA-2012:1123" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="32" name="bind-libs" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.10.rc1.23.amzn1"
version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.10.rc1.23.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-114</id><title>Amazon Linux - ALAS-2012-114: important priority package update for krb5</title><issued date="2012-08-03 15:55" /><updated date="2014-09-14 16:48" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1015:
838012:
CVE-2012-1015 krb5: KDC daemon crash via free() of an uninitialized pointer
An uninitialized pointer use flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ). A remote, unauthenticated attacker could use this flaw to crash the KDC via a specially-crafted AS-REQ request.
The kdc_handle_protected_negotiation function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x before 1.9.5, and 1.10.x before 1.10.3 attempts to calculate a checksum before verifying that the key type is appropriate for a checksum, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free, heap memory corruption, and daemon crash) via a crafted AS-REQ request.

CVE-2012-1013:
The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password.
A NULL pointer dereference flaw was found in the MIT Kerberos administration daemon, kadmind. A Kerberos administrator who has the "create" privilege could use this flaw to crash kadmind.
827517:
CVE-2012-1013 krb5: kadmind denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013" id="CVE-2012-1013" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015" id="CVE-2012-1015" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1131.html" id="RHSA-2012:1131" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-pkinit-openssl-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-server-ldap-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-debuginfo-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-devel-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-workstation-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-libs-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-server-1.9-33.22.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-server-ldap-1.9-33.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="33.22.amzn1"
version="1.9"><filename>Packages/krb5-workstation-1.9-33.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-libs-1.9-33.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-pkinit-openssl-1.9-33.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-devel-1.9-33.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-server-1.9-33.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="33.22.amzn1" version="1.9"><filename>Packages/krb5-debuginfo-1.9-33.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-115</id><title>Amazon Linux - ALAS-2012-115: medium priority package update for dhcp</title><issued date="2012-08-03 15:56" /><updated date="2014-09-14 16:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3954:
Two memory leak flaws were found in the dhcpd daemon. A remote attacker could use these flaws to cause dhcpd to exhaust all available memory by sending a large number of DHCP requests.
842428:
CVE-2012-3954 dhcp: two memory leaks may result in DoS
Multiple memory leaks in ISC DHCP 4.1.x and 4.2.x before 4.2.4-P1 and 4.1-ESV before 4.1-ESV-R6 allow remote attackers to cause a denial of service (memory consumption) by sending many requests.

CVE-2012-3571:
842420:
CVE-2012-3571 dhcp: DoS due to error in handling malformed client identifiers
ISC DHCP 4.1.2 through 4.2.4 and 4.1-ESV before 4.1-ESV-R6 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed client identifier.
A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially-crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571" id="CVE-2012-3571" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954" id="CVE-2012-3954" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1141.html" id="RHSA-2012:1141" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="12" name="dhcp" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-devel" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-debuginfo" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhclient" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-common" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-common" release="31.P1.17.amzn1"
version="4.1.1"><filename>Packages/dhcp-common-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhclient" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-devel" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-debuginfo" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp" release="31.P1.17.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-116</id><title>Amazon Linux - ALAS-2012-116: low priority package update for php</title><issued date="2012-08-05 14:14" /><updated date="2014-09-14 16:50" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2688:
828051:
CVE-2012-2688 php: Integer Signedness issues in _php_stream_scandir
Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688" id="CVE-2012-2688" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="php-cli" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-cli-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-fpm-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mysqlnd-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-pgsql-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-debuginfo-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-tidy-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-xml-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-imap-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-xmlrpc-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.22.amzn1"
version="5.3.15"><filename>Packages/php-recode-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mysql-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-devel-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-intl-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-ldap-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mssql-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-pdo-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-gd-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-snmp-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-pspell-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-soap-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-bcmath-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.22.amzn1" 
version="5.3.15"><filename>Packages/php-mcrypt-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-odbc-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-embedded-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mbstring-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-common-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-process-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-dba-5.3.15-1.22.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-devel-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mcrypt-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-odbc-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mbstring-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mysql-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.22.amzn1" 
version="5.3.15"><filename>Packages/php-mysqlnd-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-recode-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-ldap-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-bcmath-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-xml-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-pspell-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-imap-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-fpm-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-pgsql-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-intl-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-snmp-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-embedded-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.22.amzn1" 
version="5.3.15"><filename>Packages/php-xmlrpc-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-soap-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-common-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-debuginfo-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-tidy-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-gd-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-pdo-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-cli-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-process-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-mssql-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-dba-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.22.amzn1" version="5.3.15"><filename>Packages/php-5.3.15-1.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-117</id><title>Amazon Linux - ALAS-2012-117: low priority package update for openldap</title><issued date="2012-08-18 05:14" /><updated date="2014-09-14 16:50" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2668:
It was found that the OpenLDAP server daemon ignored olcTLSCipherSuite settings. This resulted in the default cipher suite always being used, which could lead to weaker than expected ciphers being accepted during Transport Layer Security (TLS) negotiation with OpenLDAP clients.
libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when using the Mozilla NSS backend, always uses the default cipher suite even when TLSCipherSuite is set, which might cause OpenLDAP to use weaker ciphers than intended and make it easier for remote attackers to obtain sensitive information.
825875:
CVE-2012-2668 openldap: does not honor TLSCipherSuite settings
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2668" id="CVE-2012-2668" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1151.html" id="RHSA-2012:1151" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openldap-clients" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-26.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-devel" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-26.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-debuginfo" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-26.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="openldap-servers" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-26.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers-sql" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-26.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-26.16.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-clients" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers-sql" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-devel" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-debuginfo" release="26.16.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-26.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-118</id><title>Amazon Linux - ALAS-2012-118: medium priority package update for kernel</title><issued date="2012-08-21 21:04" /><updated date="2014-09-14 16:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux 
that fix the following vulnerabilities:
CVE-2012-3430:
820039:
CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory
* A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3430" id="CVE-2012-3430" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-doc-3.2.28-45.62.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-common-i686-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-devel-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-headers-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-tools-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="45.62.amzn1"
version="3.2.28"><filename>Packages/kernel-debuginfo-3.2.28-45.62.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-tools-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-devel-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-headers-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="45.62.amzn1" version="3.2.28"><filename>Packages/kernel-3.2.28-45.62.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-119</id><title>Amazon Linux - ALAS-2012-119: important priority package update for java-1.6.0-openjdk</title><issued date="2012-09-04 10:22" /><updated date="2014-09-14 16:54" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1682:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows
remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions.
853097:
CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)

CVE-2012-0547:
853228:
CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "toolkit internals references."
This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages, listed in the References section.
A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0547" id="CVE-2012-0547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1682" id="CVE-2012-1682" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1221.html" id="RHSA-2012:1221" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src"
release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="52.1.11.4.46.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-120</id><title>Amazon Linux - ALAS-2012-120: medium priority package update for glibc</title><issued date="2012-09-04 10:23" /><updated date="2014-09-14 16:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3480:
Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, (4) strtod_l, and other unspecified "related functions" in stdlib in GNU C Library (aka glibc or libc6) 2.16 allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string,
which triggers a stack-based buffer overflow.
847715:
CVE-2012-3480 glibc: Integer overflows, leading to stack-based buffer overflows in strto* related routines
Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480" id="CVE-2012-3480" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1208.html" id="RHSA-2012:1208" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="glibc-static" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="1.80.42.amzn1"
version="2.12"><filename>Packages/glibc-headers-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="1.80.42.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.80.42.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="1.80.42.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="1.80.42.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="1.80.42.amzn1" 
version="2.12"><filename>Packages/glibc-headers-2.12-1.80.42.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-121</id><title>Amazon Linux - ALAS-2012-121: medium priority package update for postgresql9</title><issued date="2012-09-04 10:23" /><updated date="2014-09-14 16:55" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3488:
849172:
CVE-2012-3488 postgresql (xml2 contrib module): XXE by applying XSL stylesheet to the document
It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488" id="CVE-2012-3488" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="postgresql9-devel" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-devel-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-docs" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-docs-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-test" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-test-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-pltcl" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-pltcl-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-debuginfo" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-debuginfo-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plperl" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-plperl-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plpython" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-plpython-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-contrib" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-contrib-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-server" release="1.23.amzn1"
version="9.1.5"><filename>Packages/postgresql9-server-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-libs" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-libs-9.1.5-1.23.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-devel" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-devel-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-server" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-server-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plperl" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-plperl-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-pltcl" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-pltcl-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-libs" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-libs-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-docs" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-docs-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-test" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-test-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-debuginfo" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-debuginfo-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-contrib" release="1.23.amzn1" 
version="9.1.5"><filename>Packages/postgresql9-contrib-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plpython" release="1.23.amzn1" version="9.1.5"><filename>Packages/postgresql9-plpython-9.1.5-1.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-122</id><title>Amazon Linux - ALAS-2012-122: medium priority package update for kernel</title><issued date="2012-09-10 17:56" /><updated date="2014-09-14 16:56" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3520:
850449:
CVE-2012-3520 kernel: af_netlink: invalid handling of SCM_CREDENTIALS passing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3520" id="CVE-2012-3520" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-doc-3.2.28-45.63.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-devel-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-common-i686-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-tools-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="kernel-debuginfo" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-headers-3.2.28-45.63.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-tools-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-devel-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-headers-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="45.63.amzn1" version="3.2.28"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.28-45.63.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-123</id><title>Amazon Linux - ALAS-2012-123: 
important priority package update for libxslt</title><issued date="2012-09-22 21:33" /><updated date="2014-09-14 17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2871:
852935:
CVE-2012-2871 libxslt: Heap-buffer overflow caused by bad cast in XSL transforms
libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.
A heap-based buffer overflow flaw was found in the way libxslt applied templates to nodes selected by certain namespaces. An attacker could use this flaw to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2012-2870:
852937:
CVE-2012-2870 libxslt: Use-after-free when processing an invalid XPath expression
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.
CVE-2012-2825:
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
835982:
CVE-2012-2825 libxslt: DoS when reading unexpected DTD nodes in XSLT

CVE-2011-3970:
libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
788826:
CVE-2011-3970 libxslt: Out-of-bounds read when parsing certain patterns
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.

CVE-2011-1202:
A flaw was found in the Firefox XSLT generate-id() function. This function returned the memory address of an object in memory, which could possibly be used by attackers to bypass address randomization protections.
An information leak could occur if an application using libxslt processed an untrusted XPath expression, or used a malicious XSL file to perform an XSL transformation. If combined with other flaws, this leak could possibly help an attacker bypass intended memory corruption protections.
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202" id="CVE-2011-1202" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970" id="CVE-2011-3970" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871" id="CVE-2012-2871" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870" id="CVE-2012-2870" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825" id="CVE-2012-2825" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1265.html" id="RHSA-2012:1265" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libxslt-python" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-python-1.1.26-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-1.1.26-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt-devel" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-devel-1.1.26-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt-debuginfo" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-debuginfo-1.1.26-2.7.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt-devel" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-devel-1.1.26-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt-debuginfo" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-debuginfo-1.1.26-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt-python" release="2.7.amzn1" 
version="1.1.26"><filename>Packages/libxslt-python-1.1.26-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt" release="2.7.amzn1" version="1.1.26"><filename>Packages/libxslt-1.1.26-2.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-124</id><title>Amazon Linux - ALAS-2012-124: important priority package update for bind</title><issued date="2012-09-22 21:34" /><updated date="2014-09-14 16:57" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4244:
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.
A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records, that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
856754:
CVE-2012-4244 bind: specially crafted resource record causes named to exit
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244" id="CVE-2012-4244" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1268.html" id="RHSA-2012:1268" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="32" name="bind" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.10.rc1.24.amzn1" 
version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.10.rc1.24.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-125</id><title>Amazon Linux - ALAS-2012-125: important priority package update for openjpeg</title><issued date="2012-09-22 21:35" /><updated date="2014-09-14 16:58" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3535:
Heap-based buffer overflow in OpenJPEG 1.5.0 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted JPEG2000 file.
It was found that OpenJPEG failed to sanity-check an image header field before using it. A remote attacker could provide a specially-crafted image file that could cause an application linked against OpenJPEG to crash or, possibly, execute arbitrary code.
842918:
CVE-2012-3535 openjpeg: heap-based buffer overflow when decoding jpeg2000 files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535" id="CVE-2012-3535" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1283.html" id="RHSA-2012:1283" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="openjpeg-devel" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-9.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-9.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-debuginfo" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-9.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-libs" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-9.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-libs" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-9.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-debuginfo" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-9.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-9.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-devel" release="9.6.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-9.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-126</id><title>Amazon Linux - ALAS-2012-126: medium priority package update 
for libexif</title><issued date="2012-09-22 21:36" /><updated date="2014-09-14 17:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2841:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839189:
CVE-2012-2841 libexif: "exif_entry_get_value()" integer underflow
Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow.

CVE-2012-2840:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839188:
CVE-2012-2840 libexif: "exif_convert_utf16_to_utf8()" off-by-one
Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image.

CVE-2012-2837:
839185:
CVE-2012-2837 libexif: "mnote_olympus_entry_get_value()" division by zero
Multiple flaws were found in the way libexif processed Exif tags. 
An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
The mnote_olympus_entry_get_value function in olympus/mnote-olympus-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (divide-by-zero error) via an image with crafted EXIF tags that are not properly handled during the formatting of EXIF maker note tags.

CVE-2012-2836:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
The exif_data_load_data function in exif-data.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.
839184:
CVE-2012-2836 libexif: "exif_data_load_data()" heap-based out-of-bounds array read

CVE-2012-2814:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839183:
CVE-2012-2814 libexif: "exif_entry_format_value()" buffer overflow
Buffer overflow in the exif_entry_format_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image.
CVE-2012-2813:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.
839182:
CVE-2012-2813 libexif: "exif_convert_utf16_to_utf8()" heap-based out-of-bounds array read

CVE-2012-2812:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839203:
CVE-2012-2812 libexif: "exif_entry_get_value()" heap-based out-of-bounds array read
The exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2840" id="CVE-2012-2840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2841" id="CVE-2012-2841" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2837" id="CVE-2012-2837" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2836" id="CVE-2012-2836" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2814" id="CVE-2012-2814" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2813" id="CVE-2012-2813" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2812" id="CVE-2012-2812" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1255.html" id="RHSA-2012:1255" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libexif-debuginfo" release="5.6.amzn1" version="0.6.21"><filename>Packages/libexif-debuginfo-0.6.21-5.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libexif" release="5.6.amzn1" version="0.6.21"><filename>Packages/libexif-0.6.21-5.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libexif-devel" release="5.6.amzn1" version="0.6.21"><filename>Packages/libexif-devel-0.6.21-5.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libexif-devel" release="5.6.amzn1" version="0.6.21"><filename>Packages/libexif-devel-0.6.21-5.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libexif" release="5.6.amzn1" version="0.6.21"><filename>Packages/libexif-0.6.21-5.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libexif-debuginfo" release="5.6.amzn1" 
version="0.6.21"><filename>Packages/libexif-debuginfo-0.6.21-5.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-127</id><title>Amazon Linux - ALAS-2012-127: medium priority package update for ghostscript</title><issued date="2012-09-22 21:37" /><updated date="2014-09-14 17:04" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4405:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.
854227:
CVE-2012-4405 ghostscript, argyllcms: Array index error leading to heap-based bufer OOB write
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (icclib), as used in Ghostscript 9.06 and Argyll Color Management System, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PostScript or (2) PDF file with embedded images, which triggers a heap-based buffer overflow. NOTE: this issue is also described as an array index error.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405" id="CVE-2012-4405" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1256.html" id="RHSA-2012:1256" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="ghostscript-doc" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-15.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-devel" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-15.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-15.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-debuginfo" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-15.22.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-devel" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-15.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-debuginfo" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-15.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-doc" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-15.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript" release="15.22.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-15.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-128</id><title>Amazon Linux - ALAS-2012-128: medium priority package update for 
dbus</title><issued date="2012-09-22 21:37" /><updated date="2014-09-14 17:04" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3524:
libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus).
847402:
CVE-2012-3524 dbus: privilege escalation when libdbus is used in setuid/setgid application
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524" id="CVE-2012-3524" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1261.html" id="RHSA-2012:1261" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="dbus-libs" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-libs-1.2.24-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dbus-debuginfo" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-debuginfo-1.2.24-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dbus" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-1.2.24-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dbus-devel" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-devel-1.2.24-7.16.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="1" name="dbus-doc" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-doc-1.2.24-7.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-1.2.24-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus-devel" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-devel-1.2.24-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus-libs" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-libs-1.2.24-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus-debuginfo" release="7.16.amzn1" version="1.2.24"><filename>Packages/dbus-debuginfo-1.2.24-7.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-129</id><title>Amazon Linux - ALAS-2012-129: medium priority package update for postgresql8</title><issued date="2012-09-22 21:38" /><updated date="2014-09-14 17:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3489:
It was found that the "xml" data type allowed local files and remote URLs to be read with the privileges of the database server to resolve DTD and entity references in the provided XML. An unprivileged database user could use this flaw to read local files they would otherwise not have access to by issuing a specially-crafted SQL query. Note that the full contents of the files were not returned, but portions could be displayed to the user via error messages.
849173:
CVE-2012-3489 postgresql: File disclosure through XXE in xmlparse by DTD validation

CVE-2012-3488:
849172:
CVE-2012-3488 postgresql (xml2 contrib module): XXE by applying XSL stylesheet to the document
It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489" id="CVE-2012-3489" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488" id="CVE-2012-3488" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1263.html" id="RHSA-2012:1263" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-debuginfo-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-plperl-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-pltcl-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-devel-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-plpython-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-server-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-contrib-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="1.37.amzn1" 
version="8.4.13"><filename>Packages/postgresql8-libs-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-docs-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-test-8.4.13-1.37.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-server-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-plpython-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-libs-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-docs-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-debuginfo-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-plperl-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-contrib-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="1.37.amzn1" 
version="8.4.13"><filename>Packages/postgresql8-devel-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-pltcl-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="1.37.amzn1" version="8.4.13"><filename>Packages/postgresql8-test-8.4.13-1.37.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-130</id><title>Amazon Linux - ALAS-2012-130: medium priority package update for munin</title><issued date="2012-10-08 10:39" /><updated date="2014-09-14 17:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3512:
849830:
CVE-2012-3512 munin: insecure state file handling, munin-&gt;root privilege
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512" id="CVE-2012-3512" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="munin-common" release="2.9.amzn1" version="2.0.6"><filename>Packages/munin-common-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-async" release="2.9.amzn1" version="2.0.6"><filename>Packages/munin-async-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin" release="2.9.amzn1" version="2.0.6"><filename>Packages/munin-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-node" release="2.9.amzn1" version="2.0.6"><filename>Packages/munin-node-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-java-plugins" release="2.9.amzn1" 
version="2.0.6"><filename>Packages/munin-java-plugins-2.0.6-2.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-131</id><title>Amazon Linux - ALAS-2012-131: medium priority package update for freeradius</title><issued date="2012-10-08 10:40" /><updated date="2014-09-14 17:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3547:
Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long "not after" timestamp in a client certificate.
A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP).
852752:
CVE-2012-3547 freeradius: stack-based buffer overflow via long expiration date fields in client X509 certificates
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547" id="CVE-2012-3547" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1326.html" id="RHSA-2012:1326" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="freeradius-perl" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-perl-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-utils" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-utils-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-ldap" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-ldap-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-unixODBC" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-unixODBC-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-postgresql" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-postgresql-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-python" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-python-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-mysql" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-mysql-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-krb5" release="4.11.amzn1" 
version="2.1.12"><filename>Packages/freeradius-krb5-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-debuginfo" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-debuginfo-2.1.12-4.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-postgresql" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-postgresql-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-mysql" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-mysql-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-ldap" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-ldap-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-debuginfo" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-debuginfo-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-unixODBC" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-unixODBC-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-utils" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-utils-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-perl" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-perl-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-krb5" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-krb5-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-python" release="4.11.amzn1" version="2.1.12"><filename>Packages/freeradius-python-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius" release="4.11.amzn1" 
version="2.1.12"><filename>Packages/freeradius-2.1.12-4.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-132</id><title>Amazon Linux - ALAS-2012-132: low priority package update for fetchmail</title><issued date="2012-10-08 10:41" /><updated date="2014-09-14 17:08" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3482:
847988:
CVE-2012-3482 fetchmail: DoS (crash) in the base64 decoder upon server NTLM protocol exchange abort right after the initial request
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482" id="CVE-2012-3482" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="fetchmail" release="1.9.amzn1" version="6.3.17"><filename>Packages/fetchmail-6.3.17-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fetchmail-debuginfo" release="1.9.amzn1" version="6.3.17"><filename>Packages/fetchmail-debuginfo-6.3.17-1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="fetchmail-debuginfo" release="1.9.amzn1" version="6.3.17"><filename>Packages/fetchmail-debuginfo-6.3.17-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fetchmail" release="1.9.amzn1" version="6.3.17"><filename>Packages/fetchmail-6.3.17-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-133</id><title>Amazon Linux - ALAS-2012-133: medium priority package update for kernel</title><issued date="2012-10-08 10:43" /><updated date="2014-09-14 17:09" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3552:
Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.
853465:
CVE-2012-3552 kernel: net: slab corruption due to improper synchronization around inet-&gt;opt
* A race condition was found in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs.
* A race condition in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs.

CVE-2012-3430:
820039:
CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory
* A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.

CVE-2012-2390:
Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations.
* A memory leak flaw was found in the way the Linux kernel's memory subsystem handled resource clean up in the mmap() failure path when the MAP_HUGETLB flag was set. A local, unprivileged user could use this flaw to cause a denial of service.
824345:
CVE-2012-2390 kernel: huge pages: memory leak on mmap failure

CVE-2012-2384:
* An integer overflow flaw was found in the i915_gem_do_execbuffer() function in the Intel i915 driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. This issue only affected 32-bit systems.
824178:
CVE-2012-2384 kernel: drm/i915: integer overflow in i915_gem_do_execbuffer()
Integer overflow in the i915_gem_do_execbuffer function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.

CVE-2012-2313:
* A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
818820:
CVE-2012-2313 kernel: unfiltered netdev rio_ioctl access by users
The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2313" id="CVE-2012-2313" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2384" id="CVE-2012-2384" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2390" id="CVE-2012-2390" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3430" id="CVE-2012-3430" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552" id="CVE-2012-3552" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1304.html" id="RHSA-2012:1304" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-doc-3.2.30-49.59.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-tools-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-tools-debuginfo-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-devel-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-debuginfo-common-i686-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="49.59.amzn1" 
version="3.2.30"><filename>Packages/kernel-headers-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-debuginfo-3.2.30-49.59.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-debuginfo-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-tools-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-devel-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-tools-debuginfo-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-headers-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="49.59.amzn1" version="3.2.30"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.30-49.59.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-134</id><title>Amazon Linux - ALAS-2012-134: medium priority package update for libxml2</title><issued date="2012-10-15 12:20" /><updated date="2014-09-14 17:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2012-2807:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way libxml2 handled documents that enable entity expansion. A remote attacker could provide a large, specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
835863:
CVE-2012-2807 libxml2 (64-bit): Multiple integer overflows, leading to DoS or possibly other unspecified impact

CVE-2011-3102:
A one byte buffer overflow was found in the way libxml2 evaluated certain parts of XML Pointer Language (XPointer) expressions. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
822109:
CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation
Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102" id="CVE-2011-3102" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807" id="CVE-2012-2807" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1288.html" id="RHSA-2012:1288" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libxml2-debuginfo" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-debuginfo-2.7.8-9.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-static-2.7.8-9.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-devel-2.7.8-9.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-2.7.8-9.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-python-2.7.8-9.22.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-debuginfo-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-devel-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-python-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="libxml2-static" release="9.22.amzn1" version="2.7.8"><filename>Packages/libxml2-static-2.7.8-9.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-135</id><title>Amazon Linux - ALAS-2012-135: low priority package update for puppet</title><issued date="2012-10-15 12:29" /><updated date="2014-09-14 17:11" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3867:
839158:
CVE-2012-3867 puppet: insufficient validation of agent names in CN of SSL certificate requests
lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.

CVE-2012-3866:
lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.
839135:
CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml

CVE-2012-3865:
839131:
CVE-2012-3865 puppet: authenticated clients allowed to delete arbitrary files on the puppet master
Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.

CVE-2012-3864:
Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.
839130:
CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865" id="CVE-2012-3865" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3864" id="CVE-2012-3864" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867" id="CVE-2012-3867" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866" id="CVE-2012-3866" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="puppet-server" release="1.9.amzn1" version="2.7.18"><filename>Packages/puppet-server-2.7.18-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="1.9.amzn1" version="2.7.18"><filename>Packages/puppet-debuginfo-2.7.18-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="1.9.amzn1" version="2.7.18"><filename>Packages/puppet-2.7.18-1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="1.9.amzn1" version="2.7.18"><filename>Packages/puppet-debuginfo-2.7.18-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="1.9.amzn1" version="2.7.18"><filename>Packages/puppet-server-2.7.18-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="1.9.amzn1" 
version="2.7.18"><filename>Packages/puppet-2.7.18-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-136</id><title>Amazon Linux - ALAS-2012-136: important priority package update for java-1.6.0-openjdk</title><issued date="2012-10-23 10:38" /><updated date="2014-09-14 17:13" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5086:
Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
865428:
CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917)
Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.

CVE-2012-5085:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote authenticated users to have an unspecified impact via unknown vectors related to Networking. NOTE: the Oracle CPU states that this issue has a 0.0 CVSS score. If so, then this is not a vulnerability and this issue should not be included in CVE.
865541:
CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567)
This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.

CVE-2012-5081:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
865370:
CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)

CVE-2012-5079:
865568:
CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVE-2012-5077:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security.
865354:
CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656)
It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.

CVE-2012-5075:
865363:
CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX.
It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.

CVE-2012-5068:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
865348:
CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535)

CVE-2012-4416:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Hotspot.
856124:
CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)
A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.

CVE-2012-3216:
865346:
CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398)
It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068" id="CVE-2012-5068" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085" id="CVE-2012-5085" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079" id="CVE-2012-5079" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086" id="CVE-2012-5086" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081" id="CVE-2012-5081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416" id="CVE-2012-4416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216" id="CVE-2012-3216" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075" id="CVE-2012-5075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077" id="CVE-2012-5077" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1384.html" id="RHSA-2012:1384" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" 
release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="53.1.11.5.47.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2012-137</id><title>Amazon Linux - ALAS-2012-137: important priority package update for java-1.7.0-openjdk</title><issued date="2012-10-23 10:38" /><updated date="2014-09-14 17:14" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5086:
Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
865428:
CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917)
Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.

CVE-2012-5085:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote authenticated users to have an unspecified impact via unknown vectors related to Networking. NOTE: the Oracle CPU states that this issue has a 0.0 CVSS score. If so, then this is not a vulnerability and this issue should not be included in CVE.
865541:
CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567)
This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.

CVE-2012-5081:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
865370:
CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)

CVE-2012-5079:
865568:
CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVE-2012-5077:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security.
865354:
CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656)
It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
1467 1468 CVE-2012-5075: 1469 865363: 1470 CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) 1471 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX. 1472 It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. 1473 1474 CVE-2012-5068: 1475 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 1476 Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 1477 865348: 1478 CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) 1479 1480 CVE-2012-4416: 1481 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Hotspot. 1482 856124: 1483 CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) 1484 A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. 
1485 1486 CVE-2012-3216: 1487 865346: 1488 CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) 1489 It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. 1490 Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries. 1491 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068" id="CVE-2012-5068" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085" id="CVE-2012-5085" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079" id="CVE-2012-5079" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086" id="CVE-2012-5086" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081" id="CVE-2012-5081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416" id="CVE-2012-4416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216" id="CVE-2012-3216" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075" id="CVE-2012-5075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077" id="CVE-2012-5077" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1384.html" id="RHSA-2012:1384" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" 
epoch="1" name="java-1.7.0-openjdk" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.3.13.amzn1" 
version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.3.3.13.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-138</id><title>Amazon Linux - ALAS-2012-138: important priority package update for bind</title><issued date="2012-10-23 10:39" /><updated date="2014-09-14 17:14" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5166:
ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records.
864273:
CVE-2012-5166 bind: Specially crafted DNS data can cause a lockup in named
A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166" id="CVE-2012-5166" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1363.html" id="RHSA-2012:1363" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="32" name="bind" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo"
release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.10.rc1.25.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-139</id><title>Amazon Linux - ALAS-2012-139: medium priority package update for ruby</title><issued date="2012-10-23 10:43" /><updated date="2014-09-14 17:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4466:
862614:
CVE-2012-4466 ruby: safe level bypass via name_err_mesg_to_str()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4466" id="CVE-2012-4466" title="" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="ruby-libs" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-libs-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="ruby-debuginfo" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-debuginfo-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-devel" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-devel-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-ri" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-ri-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-static" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-static-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-debuginfo" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-debuginfo-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-devel" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-devel-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-ri" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-ri-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-irb" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-irb-1.8.7.371-1.20.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-libs" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-libs-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-static" release="1.20.amzn1" version="1.8.7.371"><filename>Packages/ruby-static-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-rdoc" release="1.20.amzn1" 
version="1.8.7.371"><filename>Packages/ruby-rdoc-1.8.7.371-1.20.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-140</id><title>Amazon Linux - ALAS-2012-140: medium priority package update for libproxy</title><issued date="2012-11-20 06:25" /><updated date="2014-09-14 17:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4505:
864612:
CVE-2012-4505 libproxy: PAC handling insufficient content length check leading to buffer overflow
Heap-based buffer overflow in the px_pac_reload function in lib/pac.c in libproxy 0.2.x and 0.3.x allows remote servers to have an unspecified impact via a crafted Content-Length size in an HTTP response header for a proxy.pac file request, a different vulnerability than CVE-2012-4504.
A buffer overflow flaw was found in the way libproxy handled the downloading of proxy auto-configuration (PAC) files. A malicious server hosting a PAC file or a man-in-the-middle attacker could use this flaw to cause an application using libproxy to crash or, possibly, execute arbitrary code, if the proxy settings obtained by libproxy (from the environment or the desktop environment settings) instructed the use of a PAC proxy configuration.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4505" id="CVE-2012-4505" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1461.html" id="RHSA-2012:1461" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libproxy-bin" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-bin-0.3.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libproxy-devel" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-devel-0.3.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libproxy-python" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-python-0.3.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libproxy-debuginfo" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-debuginfo-0.3.0-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libproxy" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-0.3.0-3.7.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libproxy-python" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-python-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libproxy" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libproxy-bin" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-bin-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libproxy-devel" release="3.7.amzn1" version="0.3.0"><filename>Packages/libproxy-devel-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libproxy-debuginfo" release="3.7.amzn1"
version="0.3.0"><filename>Packages/libproxy-debuginfo-0.3.0-3.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-141</id><title>Amazon Linux - ALAS-2012-141: important priority package update for mysql51</title><issued date="2012-11-20 06:26" /><updated date="2014-09-14 17:17" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1688:
814285:
CVE-2012-1688 mysql: unspecified DoS vulnerability related to DML (CPU Apr 2012)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory pages, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1688" id="CVE-2012-1688" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1462.html" id="RHSA-2012:1462" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="mysql51-bench" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-bench-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-server-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-test-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-embedded-devel-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-libs-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-devel-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-common-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-debuginfo-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="1.56.amzn1"
version="5.1.66"><filename>Packages/mysql51-embedded-5.1.66-1.56.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-embedded-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-debuginfo-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-embedded-devel-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-common-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-bench-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-test-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-devel-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-server" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-server-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="1.56.amzn1" version="5.1.66"><filename>Packages/mysql51-libs-5.1.66-1.56.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2012-142</id><title>Amazon Linux - ALAS-2012-142: medium priority package update for kernel</title><issued date="2012-11-20 06:34" /><updated date="2014-09-14 17:18" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4565:
* A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to "illinois"), a local, unprivileged user could trigger this flaw and cause a denial of service.
871848:
CVE-2012-4565 kernel: net: divide by zero in tcp algorithm illinois

CVE-2012-4508:
* A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file.
869904:
CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure

CVE-2012-3511:
Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call.
849734:
CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
* A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.

CVE-2012-3400:
843139:
CVE-2012-3400 kernel: udf: buffer overflow when parsing sparing table
* Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges.
Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.

CVE-2012-2133:
817430:
CVE-2012-2133 kernel: use after free bug in "quota" handling
* A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges by interacting with a hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data.

CVE-2012-1568:
* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
804947:
CVE-2012-1568 kernel: execshield: predictable ascii armour base address

CVE-2012-0957:
862877:
CVE-2012-0957 kernel: uts: stack memory leak in UNAME26
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3511" id="CVE-2012-3511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1568" id="CVE-2012-1568" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4508" id="CVE-2012-4508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4565" id="CVE-2012-4565" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2133" id="CVE-2012-2133" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3400" id="CVE-2012-3400" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0957" id="CVE-2012-0957" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1426.html" id="RHSA-2012:1426" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="noarch" epoch="0" name="kernel-doc" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-doc-3.2.34-55.46.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-devel-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-debuginfo-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="55.46.amzn1"
version="3.2.34"><filename>Packages/kernel-tools-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-headers-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-debuginfo-common-i686-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-tools-debuginfo-3.2.34-55.46.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-devel-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-tools-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-debuginfo-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-headers-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="55.46.amzn1" version="3.2.34"><filename>Packages/kernel-tools-debuginfo-3.2.34-55.46.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-143</id><title>Amazon Linux - ALAS-2012-143: important priority package update for libxml2</title><issued date="2012-12-06 21:22" /><updated date="2014-09-14 17:18" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5134:
A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.
880466:
CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134" id="CVE-2012-5134" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1512.html" id="RHSA-2012:1512" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libxml2-python" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-python-2.7.8-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-static-2.7.8-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-2.7.8-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-debuginfo-2.7.8-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-devel-2.7.8-10.25.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-static" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-static-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-debuginfo-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-python-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="libxml2-devel" release="10.25.amzn1" version="2.7.8"><filename>Packages/libxml2-devel-2.7.8-10.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-144</id><title>Amazon Linux - ALAS-2012-144: important priority package update for mysql55</title><issued date="2012-12-06 21:24" /><updated date="2014-09-14 17:19" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5611:
Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
A stack-based buffer overflow flaw was found in the user permission checking code in MySQL. An authenticated database user could use this flaw to crash the mysqld daemon or, potentially, execute arbitrary code with the privileges of the user running the mysqld daemon.
881064:
CVE-2012-5611 mysql: acl_get() stack-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611" id="CVE-2012-5611" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1551.html" id="RHSA-2012:1551" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-embedded-devel-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-server-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-bench-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-libs-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-test-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-common" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-common-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-embedded-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-debuginfo-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-devel-5.5.28-2.26.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="0" name="mysql55" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-5.5.28-2.26.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-common" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-common-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-embedded-devel-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-devel-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-libs-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-debuginfo-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-server-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-test-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-bench-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="2.26.amzn1" version="5.5.28"><filename>Packages/mysql55-embedded-5.5.28-2.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-145</id><title>Amazon Linux - ALAS-2012-145: important priority package update for mysql51</title><issued date="2012-12-06 21:25" /><updated date="2014-09-14 17:19" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 1563 CVE-2012-5611: 1564 Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command. 1565 A stack-based buffer overflow flaw was found in the user permission checking code in MySQL. An authenticated database user could use this flaw to crash the mysqld daemon or, potentially, execute arbitrary code with the privileges of the user running the mysqld daemon. 1566 881064: 1567 CVE-2012-5611 mysql: acl_get() stack-based buffer overflow 1568 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611" id="CVE-2012-5611" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1551.html" id="RHSA-2012:1551" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="mysql51-bench" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-bench-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-embedded-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="1.57.amzn1" 
version="5.1.66"><filename>Packages/mysql51-embedded-devel-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-libs-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-debuginfo-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-common-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-test-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-devel-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-server-5.1.66-1.57.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-debuginfo-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-embedded-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-server" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-server-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="1.57.amzn1" 
version="5.1.66"><filename>Packages/mysql51-libs-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-embedded-devel-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-devel-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-common-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-test-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="1.57.amzn1" version="5.1.66"><filename>Packages/mysql51-bench-5.1.66-1.57.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-146</id><title>Amazon Linux - ALAS-2012-146: important priority package update for bind</title><issued date="2012-12-07 09:28" /><updated date="2014-09-14 17:19" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 1569 CVE-2012-5688: 1570 ISC BIND 9.8.x before 9.8.4-P1 and 9.9.x before 9.9.2-P1, when DNS64 is enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. 1571 883533: 1572 CVE-2012-5688 bind: DoS on servers using DNS64 1573 A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default. 
1574 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688" id="CVE-2012-5688" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1549.html" id="RHSA-2012:1549" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="32" name="bind-chroot" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" 
release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.10.rc1.26.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2012-147</id><title>Amazon Linux - ALAS-2012-147: medium priority package update for libtiff</title><issued date="2012-12-20 13:55" /><updated date="2014-09-14 17:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 1575 CVE-2012-5581: 1576 Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image. 1577 867235: 1578 CVE-2012-5581 libtiff: Stack-based buffer overflow when reading a tiled tiff file 1579 A stack-based buffer overflow flaw was found in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code. 

CVE-2012-4564:
A missing return value check flaw, leading to a heap-based buffer overflow, was found in the ppm2tiff tool. An attacker could use this flaw to create a specially-crafted PPM (Portable Pixel Map) file that would cause ppm2tiff to crash or, possibly, execute arbitrary code.
ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.
871700:
CVE-2012-4564 libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file

CVE-2012-4447:
860198:
CVE-2012-4447 libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression
A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF images using the Pixar Log Format encoding. An attacker could create a specially-crafted TIFF file that, when opened, could cause an application using libtiff to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.

CVE-2012-3401:
A heap-based buffer overflow flaw was found in the tiff2pdf tool. An attacker could use this flaw to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
1595 837577: 1596 CVE-2012-3401 libtiff (tiff2pdf): Heap-based buffer overflow due to improper initialization of T2P context struct pointer 1597 The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow. 1598 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447" id="CVE-2012-4447" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401" id="CVE-2012-3401" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564" id="CVE-2012-4564" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5581" id="CVE-2012-5581" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1590.html" id="RHSA-2012:1590" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="i686" epoch="0" name="libtiff-static" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-9.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-9.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-9.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-9.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="9.11.amzn1" 
version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-9.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-9.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-9.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-devel" release="9.11.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-9.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-148</id><title>Amazon Linux - ALAS-2013-148: medium priority package update for kernel nvidia</title><issued date="2013-01-14 01:14" /><updated date="2014-09-14 17:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities: 1599 CVE-2012-5517: 1600 * A NULL pointer dereference flaw was found in the way a new node's hot added memory was propagated to other nodes' zonelists. By utilizing this newly added memory from one of the remaining nodes, a local, unprivileged user could use this flaw to cause a denial of service. 1601 The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. 1602 875374: 1603 CVE-2012-5517 kernel: mm/hotplug: failure in propagating hot-added memory to other nodes 1604 1605 CVE-2012-4565: 1606 * A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. 
If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to "illinois"), a local, unprivileged user could trigger this flaw and cause a denial of service.
871848:
CVE-2012-4565 kernel: net: divide by zero in tcp algorithm illinois

CVE-2012-4444:
* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system.
874835:
CVE-2012-4444 kernel: net: acceptation of overlapping ipv6 fragments
The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.

CVE-2012-2375:
* It was found that the RHSA-2012:0862 update did not correctly fix the CVE-2011-4131 issue. A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client.
822869:
CVE-2012-2375 kernel: incomplete fix for CVE-2011-4131
The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words in an FATTR4_ACL reply. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131.

CVE-2012-2100:
809687:
CVE-2012-2100 kernel: ext4: fix inconsistency in ext4_fill_flex_info()
* It was found that the initial release of Red Hat Enterprise Linux 6 did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code.
A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service. 1626 * It was found that the RHSA-2010:0178 update did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service. 1627 The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4307. 1628 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5517" id="CVE-2012-5517" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2100" id="CVE-2012-2100" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4444" id="CVE-2012-4444" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4565" id="CVE-2012-4565" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2375" id="CVE-2012-2375" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1580.html" id="RHSA-2012:1580" title="" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package arch="x86_64" epoch="0" name="kernel-devel" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-devel-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="1.46.amzn1" 
version="3.2.36"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-tools-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-debuginfo-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-tools-debuginfo-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-headers-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-devel-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-headers-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-tools-debuginfo-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-tools-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-debuginfo-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="1.46.amzn1" 
version="3.2.36"><filename>Packages/kernel-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-debuginfo-common-i686-3.2.36-1.46.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="1.46.amzn1" version="3.2.36"><filename>Packages/kernel-doc-3.2.36-1.46.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="nvidia" release="2012.09.10.amzn1" version="310.19"><filename>Packages/nvidia-310.19-2012.09.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nvidia-kmod-3.2.36-1.46.amzn1" release="2012.09.10.amzn1" version="310.19"><filename>Packages/nvidia-kmod-3.2.36-1.46.amzn1-310.19-2012.09.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-149</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-149: important priority package update for nss</title><issued date="2013-02-03 12:33" /><updated date="2014-09-14 17:22" /><severity>important</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2013:0213.html" id="RHSA-2013:0213" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="i686" epoch="0" name="nss-devel" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-devel-3.13.6-2.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-debuginfo-3.13.6-2.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-tools-3.13.6-2.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" 
release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-pkcs11-devel-3.13.6-2.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-sysinit-3.13.6-2.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-3.13.6-2.27.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-devel-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-pkcs11-devel-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-tools-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-debuginfo-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="2.27.amzn1" version="3.13.6"><filename>Packages/nss-sysinit-3.13.6-2.27.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-150</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-150: important priority package update for freetype</title><issued date="2013-02-03 12:34" /><updated date="2014-09-14 17:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 1629 CVE-2012-5669: 1630 A flaw was found in the way the FreeType font 
rendering engine processed certain Glyph Bitmap Distribution Format (BDF) fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. 1631 The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read. 1632 890088: 1633 CVE-2012-5669 freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#37906) 1634 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669" id="CVE-2012-5669" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0216.html" id="RHSA-2013:0216" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="i686" epoch="0" name="freetype-devel" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-debuginfo" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-demos" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-14.13.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-devel" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype" release="14.13.amzn1" 
version="2.3.11"><filename>Packages/freetype-2.3.11-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-demos" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-debuginfo" release="14.13.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-14.13.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-151</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-151: important priority package update for java-1.7.0-openjdk</title><issued date="2013-02-03 12:35" /><updated date="2014-09-15 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 1635 CVE-2012-3174: 1636 894934: 1637 CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933) 1638 This update fixes two vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Security Alert page, listed in the References section. 1639 Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114. 1640 Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3174" id="CVE-2012-3174" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0165.html" id="RHSA-2013:0165" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.15.amzn1.noarch.rpm</filename></package><package
arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.4.1.15.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-152</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-152: medium priority package update for mysql51</title><issued date="2013-02-03 12:41" /><updated date="2014-09-15 22:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2012-0572: This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0572" id="CVE-2012-0572" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0219.html" id="RHSA-2013:0219" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="i686" epoch="0" name="mysql51" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-libs-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-devel-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-embedded-devel-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-embedded-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-common-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-bench" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-bench-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-test-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-server-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="1.60.amzn1"
version="5.1.67"><filename>Packages/mysql51-debuginfo-5.1.67-1.60.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-embedded-devel-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-common-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-embedded-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-test-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-libs-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-bench-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-server" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-server-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-debuginfo-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="1.60.amzn1" version="5.1.67"><filename>Packages/mysql51-devel-5.1.67-1.60.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2013-153</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-153: medium priority package update for php-ZendFramework</title><issued date="2013-02-04 15:19" /><updated date="2014-09-15 22:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2012-5657: 889037: CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657" id="CVE-2012-5657" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="php-ZendFramework-Serializer-Adapter-Igbinary" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mysql" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-demos" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-demos-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Memcached" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Search-Lucene" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Pdf" release="1.6.amzn1"
version="1.12.1"><filename>Packages/php-ZendFramework-Pdf-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Captcha" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Captcha-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Services" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Services-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Ldap" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Ldap-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Apc" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Auth-Adapter-Ldap" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-extras" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-extras-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Feed" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Feed-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Soap" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Soap-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-full" 
release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-full-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Dojo" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Dojo-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Mysqli" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Libmemcached" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mssql" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo" release="1.6.amzn1" version="1.12.1"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.1-1.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-154</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-154: medium priority package update for kernel nvidia</title><issued date="2013-02-04 15:45" /><updated date="2014-09-15 22:27" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2013-0190: 896038: CVE-2013-0190 kernel: stack corruption in xen_failsafe_callback()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0190" id="CVE-2013-0190" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-devel-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-debuginfo-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-tools-debuginfo-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-headers-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-tools-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-tools-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-headers-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="2.47.amzn1" 
version="3.2.37"><filename>Packages/kernel-debuginfo-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-devel-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-tools-debuginfo-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-debuginfo-common-i686-3.2.37-2.47.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="2.47.amzn1" version="3.2.37"><filename>Packages/kernel-doc-3.2.37-2.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="nvidia-kmod-3.2.37-2.47.amzn1" release="2012.09.0.amzn1" version="313.18"><filename>Packages/nvidia-kmod-3.2.37-2.47.amzn1-313.18-2012.09.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nvidia" release="2012.09.0.amzn1" version="313.18"><filename>Packages/nvidia-313.18-2012.09.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-155</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-155: important priority package update for java-1.6.0-openjdk</title><issued date="2013-02-17 15:35" /><updated date="2014-09-15 22:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2013-1478: Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters.
A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges. CVE-2013-0443: It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. CVE-2013-0442: Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. CVE-2013-0440: It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake. CVE-2013-0435: The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. CVE-2013-0432: A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. CVE-2013-0427: Multiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. CVE-2013-0424: It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1478" id="CVE-2013-1478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440" id="CVE-2013-0440" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443" id="CVE-2013-0443" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0442" id="CVE-2013-0442" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0427" id="CVE-2013-0427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0432" id="CVE-2013-0432" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0424" id="CVE-2013-0424" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0435" id="CVE-2013-0435" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0245.html" id="RHSA-2013:0245" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="54.1.11.6.48.amzn1"
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="54.1.11.6.48.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-156</id><title>Amazon Linux 
AMI 2012.09 - ALAS-2013-156: important priority package update for java-1.7.0-openjdk</title><issued date="2013-02-17 15:35" /><updated date="2014-09-15 22:31" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2013-1478: Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges. CVE-2013-0443: It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. CVE-2013-0442: Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. CVE-2013-0440: It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake. CVE-2013-0435: The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. CVE-2013-0432: A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions.
CVE-2013-0431: Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. CVE-2013-0424: It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack. </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1478" id="CVE-2013-1478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440" id="CVE-2013-0440" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443" id="CVE-2013-0443" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0442" id="CVE-2013-0442" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431" id="CVE-2013-0431" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0432" id="CVE-2013-0432" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0424" id="CVE-2013-0424" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0435" id="CVE-2013-0435" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0247.html" id="RHSA-2013:0247" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.3.5.3.17.amzn1"
version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.5.3.17.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.3.5.3.17.amzn1" 
version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-157</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-157: low priority package update for dhcp</title><issued date="2013-03-02 16:47" /><updated date="2014-09-15 22:31" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2012-3955: A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash. </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955" id="CVE-2012-3955" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0504.html" id="RHSA-2013:0504" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="12" name="dhcp-common" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhclient" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-debuginfo" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-devel" release="34.P1.18.amzn1"
version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-debuginfo" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-common" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhclient" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-devel" release="34.P1.18.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-158</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-158: medium priority package update for bind</title><issued date="2013-03-02 16:48" /><updated date="2014-09-15 22:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2012-5689: A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5689" id="CVE-2012-5689" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0550.html" id="RHSA-2013:0550" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils"
release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.17.rc1.27.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-159</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-159: medium priority package update for gdb</title><issued date="2013-03-02 16:48" /><updated date="2014-09-15 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-4355:
GDB tried to auto-load certain files (such as GDB scripts, Python scripts, and a thread debugging library) from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted content.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4355" id="CVE-2011-4355" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0522.html" id="RHSA-2013:0522" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gdb-debuginfo" release="60.13.amzn1" version="7.2"><filename>Packages/gdb-debuginfo-7.2-60.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gdb-gdbserver" release="60.13.amzn1" version="7.2"><filename>Packages/gdb-gdbserver-7.2-60.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gdb" release="60.13.amzn1" version="7.2"><filename>Packages/gdb-7.2-60.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gdb" release="60.13.amzn1" version="7.2"><filename>Packages/gdb-7.2-60.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gdb-gdbserver" release="60.13.amzn1" version="7.2"><filename>Packages/gdb-gdbserver-7.2-60.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gdb-debuginfo" release="60.13.amzn1" version="7.2"><filename>Packages/gdb-debuginfo-7.2-60.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-160</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-160: medium priority package update for pam</title><issued date="2013-03-02 16:48" /><updated date="2014-09-15 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3149:
A denial of service flaw was found in the way the pam_env module expanded certain environment variables.
If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.

CVE-2011-3148:
A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' "~/.pam_environment" files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3149" id="CVE-2011-3149" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3148" id="CVE-2011-3148" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0521.html" id="RHSA-2013:0521" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pam" release="13.20.amzn1" version="1.1.1"><filename>Packages/pam-1.1.1-13.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam-debuginfo" release="13.20.amzn1" version="1.1.1"><filename>Packages/pam-debuginfo-1.1.1-13.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam-devel" release="13.20.amzn1" version="1.1.1"><filename>Packages/pam-devel-1.1.1-13.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pam-debuginfo" release="13.20.amzn1" version="1.1.1"><filename>Packages/pam-debuginfo-1.1.1-13.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam" release="13.20.amzn1" version="1.1.1"><filename>Packages/pam-1.1.1-13.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam-devel" release="13.20.amzn1"
version="1.1.1"><filename>Packages/pam-devel-1.1.1-13.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-161</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-161: medium priority package update for dnsmasq</title><issued date="2013-03-02 16:49" /><updated date="2014-09-15 22:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-3411:
It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3411" id="CVE-2012-3411" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0277.html" id="RHSA-2013:0277" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="dnsmasq" release="13.9.amzn1" version="2.48"><filename>Packages/dnsmasq-2.48-13.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="dnsmasq-utils" release="13.9.amzn1" version="2.48"><filename>Packages/dnsmasq-utils-2.48-13.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="dnsmasq-debuginfo" release="13.9.amzn1" version="2.48"><filename>Packages/dnsmasq-debuginfo-2.48-13.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="dnsmasq" release="13.9.amzn1" version="2.48"><filename>Packages/dnsmasq-2.48-13.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="dnsmasq-debuginfo" release="13.9.amzn1"
version="2.48"><filename>Packages/dnsmasq-debuginfo-2.48-13.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="dnsmasq-utils" release="13.9.amzn1" version="2.48"><filename>Packages/dnsmasq-utils-2.48-13.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-162</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-162: important priority package update for java-1.7.0-openjdk</title><issued date="2013-03-02 16:49" /><updated date="2014-09-15 22:34" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1486:
Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1485:
An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2013-0169:
It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" id="CVE-2013-0169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486" id="CVE-2013-1486" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1485" id="CVE-2013-1485" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0275.html" id="RHSA-2013:0275" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.20.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.3.7.1.20.amzn1"
version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.7.1.20.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-163</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-163: important priority package update for java-1.6.0-openjdk</title><issued date="2013-03-02 16:50" /><updated date="2014-09-15 22:35" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1486:
An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

CVE-2013-0169:
It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" id="CVE-2013-0169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486" id="CVE-2013-1486" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0273.html" id="RHSA-2013:0273" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="java-1.6.0-openjdk-javadoc" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="56.1.11.8.51.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-164</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-164: medium priority package update for axis</title><issued date="2013-03-02 16:50" /><updated date="2014-09-15 22:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5784:
Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784" id="CVE-2012-5784" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0269.html" id="RHSA-2013:0269" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="axis-manual" release="7.3.11.amzn1" version="1.2.1"><filename>Packages/axis-manual-1.2.1-7.3.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="axis" release="7.3.11.amzn1" version="1.2.1"><filename>Packages/axis-1.2.1-7.3.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="axis-javadoc" release="7.3.11.amzn1" version="1.2.1"><filename>Packages/axis-javadoc-1.2.1-7.3.11.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-165</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-165: medium priority package update for openssh</title><issued date="2013-03-02 16:51" /><updated date="2014-09-15 22:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5536:
Due to the way the pam_ssh_agent_auth PAM module was built in Red Hat Enterprise Linux 6, the glibc's error() function was called rather than the intended error() function in pam_ssh_agent_auth to report errors. As these two functions expect different arguments, it was possible for an attacker to cause an application using pam_ssh_agent_auth to crash, disclose portions of its memory or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5536" id="CVE-2012-5536" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0519.html" id="RHSA-2013:0519" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-clients" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-clients-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-ldap-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-server-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-debuginfo-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="84.20.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-84.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-ldap-5.3p1-84.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="84.20.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-84.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-server-5.3p1-84.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients"
release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-clients-5.3p1-84.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-debuginfo-5.3p1-84.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="84.20.amzn1" version="5.3p1"><filename>Packages/openssh-5.3p1-84.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-166</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-166: medium priority package update for kernel</title><issued date="2013-03-02 16:54" /><updated date="2014-09-15 22:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0871:
* A race condition was found in the way the Linux kernel's ptrace implementation handled PTRACE_SETREGS requests when the debuggee was woken due to a SIGKILL signal instead of being stopped. A local, unprivileged user could use this flaw to escalate their privileges.

CVE-2012-4530:
868285:
CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
* A memory disclosure flaw was found in the way the load_script() function in the binfmt_script binary format handler handled excessive recursions. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space by executing specially-crafted scripts.

CVE-2012-4461:
* A flaw was found in the way the KVM (Kernel-based Virtual Machine) subsystem handled guests attempting to run with the X86_CR4_OSXSAVE CPU feature flag set. On hosts without the XSAVE CPU feature, a local, unprivileged user could use this flaw to crash the host system.
(The "grep --color xsave /proc/cpuinfo" command can be used to verify if your system has the XSAVE CPU feature.)

CVE-2012-4398:
* It was found that a deadlock could occur in the Out of Memory (OOM) killer. A process could trigger this deadlock by consuming a large amount of memory, and then causing request_module() to be called. A local, unprivileged user could use this flaw to cause a denial of service (excessive memory consumption).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871" id="CVE-2013-0871" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4461" id="CVE-2012-4461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4398" id="CVE-2012-4398" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4530" id="CVE-2012-4530" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0223.html" id="RHSA-2013:0223" title="" type="redhat" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0567.html" id="RHSA-2013:0567" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-devel-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-tools-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-debuginfo-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-tools-debuginfo-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-headers-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-tools-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-debuginfo-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-devel-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-headers-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-debuginfo-common-i686-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-tools-debuginfo-3.2.39-6.88.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="6.88.amzn1" version="3.2.39"><filename>Packages/kernel-doc-3.2.39-6.88.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-167</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-167: important priority package update for java-1.6.0-openjdk</title><issued date="2013-03-14 22:03" /><updated date="2014-09-15 22:39" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1493:
It was discovered that the 2D component did not properly reject certain malformed images. Specially-crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.

CVE-2013-0809:
An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially-crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493" id="CVE-2013-1493" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809" id="CVE-2013-0809" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0605.html" id="RHSA-2013:0605" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="java-1.6.0-openjdk" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="57.1.11.9.52.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-168</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-168: important priority package update for java-1.7.0-openjdk</title><issued date="2013-03-14 22:03" /><updated date="2014-09-15 22:39" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1493:
It was discovered that the 2D component did not properly reject certain malformed images. Specially-crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.

CVE-2013-0809:
An integer overflow flaw was found in the way the 2D component handled certain sample model instances.
A specially-crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493" id="CVE-2013-1493" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809" id="CVE-2013-0809" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0602.html" id="RHSA-2013:0602" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.8.0.22.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.8.0.22.amzn1"
version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.8.0.22.amzn1" version="1.7.0.9"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-169</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-169: medium priority package update for jakarta-commons-httpclient</title><issued date="2013-03-14 22:04" /><updated date="2014-09-15 22:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5783:
The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783" id="CVE-2012-5783" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0270.html" id="RHSA-2013:0270" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="jakarta-commons-httpclient-javadoc" release="12.6.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-javadoc-3.1-12.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="jakarta-commons-httpclient" release="12.6.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-3.1-12.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="jakarta-commons-httpclient-manual" release="12.6.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-manual-3.1-12.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="jakarta-commons-httpclient-demo" release="12.6.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-demo-3.1-12.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-170</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-170: medium priority package update for cups</title><issued date="2013-03-14 22:04" /><updated date="2014-09-15 22:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5519:
It was discovered that CUPS administrative users (members of the SystemGroups groups) who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges.
Such users could read or write arbitrary files with the privileges of the CUPS daemon, possibly allowing them to run arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519" id="CVE-2012-5519" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0580.html" id="RHSA-2013:0580" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="cups" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-devel" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-devel-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-php" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-php-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-debuginfo" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-debuginfo-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-lpd" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-lpd-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-libs" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-libs-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="cups-debuginfo" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-debuginfo-1.4.2-50.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-libs" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-libs-1.4.2-50.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-devel" release="50.18.amzn1"
version="1.4.2"><filename>Packages/cups-devel-1.4.2-50.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-lpd" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-lpd-1.4.2-50.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-php" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-php-1.4.2-50.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups" release="50.18.amzn1" version="1.4.2"><filename>Packages/cups-1.4.2-50.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-171</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-171: medium priority package update for openssl</title><issued date="2013-03-14 22:04" /><updated date="2014-09-15 22:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0169:
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.

CVE-2013-0166:
A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response.

CVE-2012-4929:
It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929" id="CVE-2012-4929" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" id="CVE-2013-0169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166" id="CVE-2013-0166" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0587.html" id="RHSA-2013:0587" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssl-debuginfo" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-devel" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-devel-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-perl" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-perl-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl-static" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-static-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssl-devel" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-devel-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-static" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-static-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="openssl-debuginfo" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-debuginfo-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl-perl" release="1.48.amzn1" version="1.0.0k"><filename>Packages/openssl-perl-1.0.0k-1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-172</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-172: medium priority package update for gnutls</title><issued date="2013-03-14 22:04" /><updated date="2014-09-15 22:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1619:
It was discovered that GnuTLS leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619" id="CVE-2013-1619" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0588.html" id="RHSA-2013:0588" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls-utils" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-guile" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-10.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-10.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-10.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="10.9.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-10.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="10.9.amzn1"
version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-10.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-173</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-173: medium priority package update for ruby</title><issued date="2013-03-14 22:04" /><updated date="2014-09-15 22:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1821:
It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory.

CVE-2012-4481:
It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent.

CVE-2011-1005:
It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481" id="CVE-2012-4481" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1005" id="CVE-2011-1005" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821" id="CVE-2013-1821" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0612.html" id="RHSA-2013:0612" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby-ri" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-ri-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-libs" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-libs-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-static" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-static-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-irb" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-irb-1.8.7.371-2.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-devel" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-devel-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-rdoc" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-rdoc-1.8.7.371-2.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-debuginfo" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-debuginfo-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0"
name="ruby-ri" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-ri-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-devel" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-devel-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-libs" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-libs-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-static" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-static-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-debuginfo" release="2.25.amzn1" version="1.8.7.371"><filename>Packages/ruby-debuginfo-1.8.7.371-2.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-174</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-174: medium priority package update for httpd</title><issued date="2013-03-26 21:25" /><updated date="2014-09-15 22:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-4558:
915884:
CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

CVE-2012-3499:
915883:
CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" id="CVE-2012-4558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" id="CVE-2012-3499" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-tools-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-debuginfo-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-manual-2.2.24-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.29.amzn1" version="2.2.24"><filename>Packages/mod_ssl-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-devel-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.29.amzn1" version="2.2.24"><filename>Packages/mod_ssl-2.2.24-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="httpd-debuginfo" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-debuginfo-2.2.24-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-devel-2.2.24-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-tools-2.2.24-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.29.amzn1" version="2.2.24"><filename>Packages/httpd-2.2.24-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-175</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-175: medium priority package update for httpd24</title><issued date="2013-03-26 21:29" /><updated date="2014-09-15 22:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-4558:
915884:
CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

CVE-2012-3499:
915883:
CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" id="CVE-2012-4558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" id="CVE-2012-3499" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="mod24_ssl" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_ssl-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_proxy_html-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_session-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-tools-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_ldap-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-debuginfo-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-manual-2.4.4-2.41.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-devel-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="2.41.amzn1"
version="2.4.4"><filename>Packages/mod24_proxy_html-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-tools-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_ldap-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_ssl-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-devel-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="2.41.amzn1" version="2.4.4"><filename>Packages/mod24_session-2.4.4-2.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="2.41.amzn1" version="2.4.4"><filename>Packages/httpd24-debuginfo-2.4.4-2.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-176</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-176: important priority package update for bind</title><issued date="2013-04-04 11:09" /><updated date="2014-09-15 22:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2266:
A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266" id="CVE-2013-2266" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0689.html" id="RHSA-2013:0689" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb"
release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.17.rc1.29.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-177</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-177: medium priority package update for perl</title><issued date="2013-04-04 11:10" /><updated date="2014-09-15 22:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1667:
A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially-crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.

CVE-2012-6329:
It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names.
An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.

CVE-2012-5526:
It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items.

CVE-2012-5195:
A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329" id="CVE-2012-6329" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667" id="CVE-2013-1667" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526" id="CVE-2012-5526" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195" id="CVE-2012-5195" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0685.html" id="RHSA-2013:0685" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perl-Compress-Raw-Zlib" release="130.17.amzn1" version="2.023"><filename>Packages/perl-Compress-Raw-Zlib-2.023-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Archive-Tar" release="130.17.amzn1" version="1.58"><filename>Packages/perl-Archive-Tar-1.58-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="perl-CGI" release="130.17.amzn1" version="3.51"><filename>Packages/perl-CGI-3.51-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-devel" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-devel-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-ExtUtils-Embed" release="130.17.amzn1" version="1.28"><filename>Packages/perl-ExtUtils-Embed-1.28-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-CPAN" release="130.17.amzn1" version="1.9402"><filename>Packages/perl-CPAN-1.9402-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Pod-Escapes" release="130.17.amzn1" version="1.04"><filename>Packages/perl-Pod-Escapes-1.04-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-parent" release="130.17.amzn1" version="0.221"><filename>Packages/perl-parent-0.221-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Loaded" release="130.17.amzn1" version="0.02"><filename>Packages/perl-Module-Loaded-0.02-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Pluggable" release="130.17.amzn1" version="3.90"><filename>Packages/perl-Module-Pluggable-3.90-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Module-CoreList" release="130.17.amzn1" version="2.18"><filename>Packages/perl-Module-CoreList-2.18-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Archive-Extract" release="130.17.amzn1" version="0.38"><filename>Packages/perl-Archive-Extract-0.38-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-IO-Zlib" release="130.17.amzn1" version="1.09"><filename>Packages/perl-IO-Zlib-1.09-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-IO-Compress-Base" 
release="130.17.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Base-2.020-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Log-Message-Simple" release="130.17.amzn1" version="0.04"><filename>Packages/perl-Log-Message-Simple-0.04-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-CPANPLUS" release="130.17.amzn1" version="0.88"><filename>Packages/perl-CPANPLUS-0.88-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Test-Simple" release="130.17.amzn1" version="0.92"><filename>Packages/perl-Test-Simple-0.92-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-suidperl" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-suidperl-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-debuginfo" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-debuginfo-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Params-Check" release="130.17.amzn1" version="0.26"><filename>Packages/perl-Params-Check-0.26-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Compress-Raw-Bzip2" release="130.17.amzn1" version="2.020"><filename>Packages/perl-Compress-Raw-Bzip2-2.020-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Term-UI" release="130.17.amzn1" version="0.20"><filename>Packages/perl-Term-UI-0.20-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-ExtUtils-CBuilder" release="130.17.amzn1" version="0.27"><filename>Packages/perl-ExtUtils-CBuilder-0.27-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-Time-HiRes" release="130.17.amzn1" version="1.9721"><filename>Packages/perl-Time-HiRes-1.9721-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" 
name="perl-Digest-SHA" release="130.17.amzn1" version="5.47"><filename>Packages/perl-Digest-SHA-5.47-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Object-Accessor" release="130.17.amzn1" version="0.34"><filename>Packages/perl-Object-Accessor-0.34-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Log-Message" release="130.17.amzn1" version="0.02"><filename>Packages/perl-Log-Message-0.02-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Time-Piece" release="130.17.amzn1" version="1.15"><filename>Packages/perl-Time-Piece-1.15-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Build" release="130.17.amzn1" version="0.3500"><filename>Packages/perl-Module-Build-0.3500-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Compress-Zlib" release="130.17.amzn1" version="2.020"><filename>Packages/perl-Compress-Zlib-2.020-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-libs" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-libs-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="3" name="perl-version" release="130.17.amzn1" version="0.77"><filename>Packages/perl-version-0.77-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Module-Load-Conditional" release="130.17.amzn1" version="0.30"><filename>Packages/perl-Module-Load-Conditional-0.30-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-IO-Compress-Zlib" release="130.17.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Zlib-2.020-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-File-Fetch" release="130.17.amzn1" version="0.26"><filename>Packages/perl-File-Fetch-0.26-130.17.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="1" name="perl-ExtUtils-ParseXS" release="130.17.amzn1" version="2.2003.0"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Parse-CPAN-Meta" release="130.17.amzn1" version="1.40"><filename>Packages/perl-Parse-CPAN-Meta-1.40-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Package-Constants" release="130.17.amzn1" version="0.02"><filename>Packages/perl-Package-Constants-0.02-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-IPC-Cmd" release="130.17.amzn1" version="0.56"><filename>Packages/perl-IPC-Cmd-0.56-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-core" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-core-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Module-Load" release="130.17.amzn1" version="0.16"><filename>Packages/perl-Module-Load-0.16-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Test-Harness" release="130.17.amzn1" version="3.17"><filename>Packages/perl-Test-Harness-3.17-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-ExtUtils-MakeMaker" release="130.17.amzn1" version="6.55"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-IO-Compress-Bzip2" release="130.17.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Bzip2-2.020-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Locale-Maketext-Simple" release="130.17.amzn1" 
version="0.18"><filename>Packages/perl-Locale-Maketext-Simple-0.18-130.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="perl-Pod-Simple" release="130.17.amzn1" version="3.13"><filename>Packages/perl-Pod-Simple-3.13-130.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="4" name="perl-suidperl" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-suidperl-5.10.1-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Pod-Escapes" release="130.17.amzn1" version="1.04"><filename>Packages/perl-Pod-Escapes-1.04-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-libs" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-libs-5.10.1-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="3" name="perl-version" release="130.17.amzn1" version="0.77"><filename>Packages/perl-version-0.77-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-IO-Compress-Base" release="130.17.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Base-2.020-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Archive-Tar" release="130.17.amzn1" version="1.58"><filename>Packages/perl-Archive-Tar-1.58-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Test-Harness" release="130.17.amzn1" version="3.17"><filename>Packages/perl-Test-Harness-3.17-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Load" release="130.17.amzn1" version="0.16"><filename>Packages/perl-Module-Load-0.16-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Compress-Raw-Bzip2" release="130.17.amzn1" version="2.020"><filename>Packages/perl-Compress-Raw-Bzip2-2.020-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Archive-Extract" release="130.17.amzn1" 
version="0.38"><filename>Packages/perl-Archive-Extract-0.38-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-IO-Compress-Bzip2" release="130.17.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Bzip2-2.020-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-IPC-Cmd" release="130.17.amzn1" version="0.56"><filename>Packages/perl-IPC-Cmd-0.56-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-CGI" release="130.17.amzn1" version="3.51"><filename>Packages/perl-CGI-3.51-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Term-UI" release="130.17.amzn1" version="0.20"><filename>Packages/perl-Term-UI-0.20-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-5.10.1-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-ExtUtils-CBuilder" release="130.17.amzn1" version="0.27"><filename>Packages/perl-ExtUtils-CBuilder-0.27-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Package-Constants" release="130.17.amzn1" version="0.02"><filename>Packages/perl-Package-Constants-0.02-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Loaded" release="130.17.amzn1" version="0.02"><filename>Packages/perl-Module-Loaded-0.02-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-core" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-core-5.10.1-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Object-Accessor" release="130.17.amzn1" version="0.34"><filename>Packages/perl-Object-Accessor-0.34-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Compress-Raw-Zlib" release="130.17.amzn1" 
version="2.023"><filename>Packages/perl-Compress-Raw-Zlib-2.023-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-devel" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-devel-5.10.1-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Module-CoreList" release="130.17.amzn1" version="2.18"><filename>Packages/perl-Module-CoreList-2.18-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Test-Simple" release="130.17.amzn1" version="0.92"><filename>Packages/perl-Test-Simple-0.92-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-debuginfo" release="130.17.amzn1" version="5.10.1"><filename>Packages/perl-debuginfo-5.10.1-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Locale-Maketext-Simple" release="130.17.amzn1" version="0.18"><filename>Packages/perl-Locale-Maketext-Simple-0.18-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-CPANPLUS" release="130.17.amzn1" version="0.88"><filename>Packages/perl-CPANPLUS-0.88-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Parse-CPAN-Meta" release="130.17.amzn1" version="1.40"><filename>Packages/perl-Parse-CPAN-Meta-1.40-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-IO-Zlib" release="130.17.amzn1" version="1.09"><filename>Packages/perl-IO-Zlib-1.09-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-ExtUtils-Embed" release="130.17.amzn1" version="1.28"><filename>Packages/perl-ExtUtils-Embed-1.28-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Digest-SHA" release="130.17.amzn1" version="5.47"><filename>Packages/perl-Digest-SHA-5.47-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Compress-Zlib" release="130.17.amzn1" 
version="2.020"><filename>Packages/perl-Compress-Zlib-2.020-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Params-Check" release="130.17.amzn1" version="0.26"><filename>Packages/perl-Params-Check-0.26-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-Time-HiRes" release="130.17.amzn1" version="1.9721"><filename>Packages/perl-Time-HiRes-1.9721-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Build" release="130.17.amzn1" version="0.3500"><filename>Packages/perl-Module-Build-0.3500-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Time-Piece" release="130.17.amzn1" version="1.15"><filename>Packages/perl-Time-Piece-1.15-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Log-Message" release="130.17.amzn1" version="0.02"><filename>Packages/perl-Log-Message-0.02-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Module-Pluggable" release="130.17.amzn1" version="3.90"><filename>Packages/perl-Module-Pluggable-3.90-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-CPAN" release="130.17.amzn1" version="1.9402"><filename>Packages/perl-CPAN-1.9402-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-ExtUtils-ParseXS" release="130.17.amzn1" version="2.2003.0"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Log-Message-Simple" release="130.17.amzn1" version="0.04"><filename>Packages/perl-Log-Message-Simple-0.04-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-Pod-Simple" release="130.17.amzn1" version="3.13"><filename>Packages/perl-Pod-Simple-3.13-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-ExtUtils-MakeMaker" release="130.17.amzn1" 
version="6.55"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Module-Load-Conditional" release="130.17.amzn1" version="0.30"><filename>Packages/perl-Module-Load-Conditional-0.30-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-IO-Compress-Zlib" release="130.17.amzn1" version="2.020"><filename>Packages/perl-IO-Compress-Zlib-2.020-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="perl-parent" release="130.17.amzn1" version="0.221"><filename>Packages/perl-parent-0.221-130.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-File-Fetch" release="130.17.amzn1" version="0.26"><filename>Packages/perl-File-Fetch-0.26-130.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-178</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-178: critical priority package update for postgresql9</title><issued date="2013-04-04 11:49" /><updated date="2014-09-15 22:49" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1901:
929328:
CVE-2013-1901 postgresql: Improper user privilege check for on-line backups

CVE-2013-1900:
929255:
CVE-2013-1900 postgresql: Improper randomization of pgcrypto functions (requiring random seed)

CVE-2013-1899:
929223:
CVE-2013-1899 postgresql: Insecure switch parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899" id="CVE-2013-1899" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901" id="CVE-2013-1901" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900" id="CVE-2013-1900" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql9-test" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-test-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-server" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-server-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-docs" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-docs-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-debuginfo" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-debuginfo-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-pltcl" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-pltcl-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-upgrade" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-upgrade-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-devel" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-devel-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-libs" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-libs-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plperl" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-plperl-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9" release="1.35.amzn1" 
version="9.2.4"><filename>Packages/postgresql9-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plpython" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-plpython-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-contrib" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-contrib-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-libs" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-libs-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plperl" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-plperl-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-docs" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-docs-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-contrib" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-contrib-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-pltcl" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-pltcl-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-test" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-test-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-devel" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-devel-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plpython" release="1.35.amzn1" 
version="9.2.4"><filename>Packages/postgresql9-plpython-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-upgrade" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-upgrade-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-debuginfo" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-debuginfo-9.2.4-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-server" release="1.35.amzn1" version="9.2.4"><filename>Packages/postgresql9-server-9.2.4-1.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-179</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-179: medium priority package update for lighttpd</title><issued date="2013-04-11 17:24" /><updated date="2014-09-15 22:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5533:
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
878213:
CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533" id="CVE-2012-5533" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lighttpd-debuginfo" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-debuginfo-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_geoip" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-fastcgi" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-fastcgi-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_geoip" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-debuginfo" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-debuginfo-1.4.31-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-1.4.31-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-fastcgi" 
release="1.5.amzn1" version="1.4.31"><filename>Packages/lighttpd-fastcgi-1.4.31-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-180</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-180: medium priority package update for subversion</title><issued date="2013-04-11 17:27" /><updated date="2014-09-15 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1849:
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled PROPFIND requests on activity URLs. A remote attacker could use this flaw to cause the httpd process serving the request to crash.

CVE-2013-1847:
Two NULL pointer dereference flaws were found in the way the mod_dav_svn module handled LOCK requests on certain types of URLs. A malicious, remote user could use these flaws to cause the httpd process serving the request to crash.

CVE-2013-1846:
Two NULL pointer dereference flaws were found in the way the mod_dav_svn module handled LOCK requests on certain types of URLs. A malicious, remote user could use these flaws to cause the httpd process serving the request to crash.

CVE-2013-1845:
A flaw was found in the way the mod_dav_svn module handled large numbers of properties (such as those set with the "svn propset" command). A malicious, remote user could use this flaw to cause the httpd process serving the request to consume an excessive amount of system memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849" id="CVE-2013-1849" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846" id="CVE-2013-1846" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847" id="CVE-2013-1847" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845" id="CVE-2013-1845" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0737.html" id="RHSA-2013:0737" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-debuginfo-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-javahl-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-tools-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-perl-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.28.amzn1" version="1.7.9"><filename>Packages/mod_dav_svn-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-devel-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python" 
release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-python-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-ruby-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-libs-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-devel-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-javahl-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-perl-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-ruby-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.28.amzn1" version="1.7.9"><filename>Packages/mod_dav_svn-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-libs-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-debuginfo-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-tools-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python" release="1.28.amzn1" 
version="1.7.9"><filename>Packages/subversion-python-1.7.9-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.28.amzn1" version="1.7.9"><filename>Packages/subversion-1.7.9-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-181</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-181: medium priority package update for puppet</title><issued date="2013-04-11 17:32" /><updated date="2014-09-15 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 1857 CVE-2013-1640: 1858 The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. 
1859 919783: 1860 CVE-2013-1640 Puppet: catalog request code execution 1861 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1640" id="CVE-2013-1640" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="2.11.amzn1" version="2.7.21"><filename>Packages/puppet-debuginfo-2.7.21-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="2.11.amzn1" version="2.7.21"><filename>Packages/puppet-2.7.21-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="2.11.amzn1" version="2.7.21"><filename>Packages/puppet-server-2.7.21-2.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="2.11.amzn1" version="2.7.21"><filename>Packages/puppet-debuginfo-2.7.21-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-server" release="2.11.amzn1" version="2.7.21"><filename>Packages/puppet-server-2.7.21-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="2.11.amzn1" version="2.7.21"><filename>Packages/puppet-2.7.21-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-182</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-182: medium priority package update for krb5</title><issued date="2013-04-18 13:58" /><updated date="2014-09-15 22:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 1862 CVE-2013-1416: 1863 A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. 
A remote, authenticated attacker could use this flaw to crash the KDC via a specially-crafted TGS request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1416" id="CVE-2013-1416" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0748.html" id="RHSA-2013:0748" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-workstation" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="10.25.amzn1" 
version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="10.25.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-10.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-183</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-183: critical priority package update for java-1.7.0-openjdk</title><issued date="2013-04-18 13:59" /><updated date="2014-09-15 22:52" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2436:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2431:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2430:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2429:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2426:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2013-2424:
The MBeanInstantiator class implementation in the OpenJDK JMX component did not properly check class access before creating new instances. An untrusted Java application or applet could use this flaw to create instances of non-public classes.

CVE-2013-2423:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2422:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2421:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups.
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2420:
The 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to trigger Java Virtual Machine memory corruption.

CVE-2013-2419:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.

CVE-2013-2417:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.

CVE-2013-2415:
It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS.

CVE-2013-2384:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2383:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-1569:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-1558:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1557:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1537:
The previous default value of the java.rmi.server.useCodebaseOnly property permitted the RMI implementation to automatically load classes from remotely specified locations. An attacker able to connect to an application using RMI could use this flaw to make the application execute arbitrary code.

CVE-2013-1518:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1488:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2013-0401:
The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419" id="CVE-2013-2419" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569" id="CVE-2013-1569" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537" id="CVE-2013-1537" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383" id="CVE-2013-2383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518" id="CVE-2013-1518" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415" id="CVE-2013-2415" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417" id="CVE-2013-2417" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421" id="CVE-2013-2421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420" id="CVE-2013-2420" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430" id="CVE-2013-2430" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431" id="CVE-2013-2431" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2436" id="CVE-2013-2436" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424" id="CVE-2013-2424" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426" id="CVE-2013-2426" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429" id="CVE-2013-2429" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488" id="CVE-2013-1488" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2423" id="CVE-2013-2423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558" id="CVE-2013-1558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422" id="CVE-2013-2422" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384" id="CVE-2013-2384" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401" id="CVE-2013-0401" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557" id="CVE-2013-1557" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0751.html" id="RHSA-2013:0751" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" 
name="java-1.7.0-openjdk-src" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.9.1.25.amzn1" version="1.7.0.19"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-184</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-184: low priority package update for 389-ds-base</title><issued date="2013-04-18 15:39" /><updated date="2014-09-15 22:52" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1897:
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
It was found that the 389 Directory Server did not properly restrict access to entries when the "nsslapd-allow-anonymous-access" configuration setting was set to "rootdse". An anonymous user could connect to the LDAP database and, if the search scope is set to BASE, obtain access to information outside of the rootDSE.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1897" id="CVE-2013-1897" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0742.html" id="RHSA-2013:0742" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-libs-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-debuginfo-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-devel-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-1.3.0.6-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-devel-1.3.0.6-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="1.3.amzn1" version="1.3.0.6"><filename>Packages/389-ds-base-debuginfo-1.3.0.6-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="1.3.amzn1" 
version="1.3.0.6"><filename>Packages/389-ds-base-libs-1.3.0.6-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-185</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-185: important priority package update for java-1.6.0-openjdk</title><issued date="2013-04-25 20:40" /><updated date="2014-09-15 22:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2431:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2430:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2429:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2426:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2013-2424:
The MBeanInstantiator class implementation in the OpenJDK JMX component did not properly check class access before creating new instances. An untrusted Java application or applet could use this flaw to create instances of non-public classes.

CVE-2013-2422:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2421:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2420:
The 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to trigger Java Virtual Machine memory corruption.

CVE-2013-2419:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.

CVE-2013-2417:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.

CVE-2013-2415:
It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS.

CVE-2013-2384:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2383:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-1569:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-1558:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1557:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1537:
The previous default value of the java.rmi.server.useCodebaseOnly property permitted the RMI implementation to automatically load classes from remotely specified locations. An attacker able to connect to an application using RMI could use this flaw to make the application execute arbitrary code.

CVE-2013-1518:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-1488:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2013-0401:
The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader.
An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419" id="CVE-2013-2419" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401" id="CVE-2013-0401" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569" id="CVE-2013-1569" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537" id="CVE-2013-1537" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383" id="CVE-2013-2383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518" id="CVE-2013-1518" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415" id="CVE-2013-2415" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417" id="CVE-2013-2417" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421" id="CVE-2013-2421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420" id="CVE-2013-2420" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430" id="CVE-2013-2430" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431" id="CVE-2013-2431" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424" id="CVE-2013-2424" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426" id="CVE-2013-2426" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429" id="CVE-2013-2429" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488" id="CVE-2013-1488" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558" id="CVE-2013-1558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422" id="CVE-2013-2422" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384" id="CVE-2013-2384" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557" id="CVE-2013-1557" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0770.html" id="RHSA-2013:0770" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="61.1.11.11.53.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="61.1.11.11.53.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-186</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-186: important priority package update for mysql51</title><issued date="2013-04-25 20:40" /><updated date="2014-09-15 22:54" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2392:
This update fixes several vulnerabilities in the MySQL database server.
Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2391:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2389:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2378:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2375:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1555:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1552:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1548:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1544:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1532:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1531:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1521:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1506:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-5614:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2375" id="CVE-2013-2375" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2389" id="CVE-2013-2389" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1544" id="CVE-2013-1544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1532" id="CVE-2013-1532" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1521" id="CVE-2013-1521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2392" id="CVE-2013-2392" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1506" id="CVE-2013-1506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2378" id="CVE-2013-2378" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614" id="CVE-2012-5614" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2391" id="CVE-2013-2391" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1548" id="CVE-2013-1548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1552" id="CVE-2013-1552" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1531" id="CVE-2013-1531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1555" id="CVE-2013-1555" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0772.html" id="RHSA-2013:0772" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql51-test" release="1.63.amzn1" 
version="5.1.69"><filename>Packages/mysql51-test-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-server" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-server-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-devel-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-debuginfo-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-embedded-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-libs-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-embedded-devel-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-bench-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-common-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-bench" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-bench-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="1.63.amzn1" 
version="5.1.69"><filename>Packages/mysql51-embedded-devel-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-devel-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-debuginfo-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-libs-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-test-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-embedded-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-common-5.1.69-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="1.63.amzn1" version="5.1.69"><filename>Packages/mysql51-server-5.1.69-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-187</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-187: important priority package update for mysql55</title><issued date="2013-04-25 20:40" /><updated date="2014-09-15 22:54" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2392:
This update fixes several
vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2391:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2389:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2378:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-2375:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1555:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1552:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1548:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1544:
This update fixes several vulnerabilities in the MySQL database server.
Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1532:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1531:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1521:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2013-1506:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.

CVE-2012-5614:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2375" id="CVE-2013-2375" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2389" id="CVE-2013-2389" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1544" id="CVE-2013-1544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1532" id="CVE-2013-1532" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1521" id="CVE-2013-1521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2392" id="CVE-2013-2392" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1506" id="CVE-2013-1506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2378" id="CVE-2013-2378" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614" id="CVE-2012-5614" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2391" id="CVE-2013-2391" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1548" id="CVE-2013-1548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1552" id="CVE-2013-1552" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1531" id="CVE-2013-1531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1555" id="CVE-2013-1555" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0772.html" id="RHSA-2013:0772" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.32.amzn1"
version="5.5.31"><filename>Packages/mysql55-embedded-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-libs-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-common" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-common-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-devel-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-debuginfo-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-server-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-embedded-devel-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-test-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-bench-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-embedded-devel-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-common" release="1.32.amzn1" 
version="5.5.31"><filename>Packages/mysql55-common-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-embedded-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-devel-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-debuginfo-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-libs-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-bench-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-server-5.5.31-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.32.amzn1" version="5.5.31"><filename>Packages/mysql55-test-5.5.31-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-188</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-188: medium priority package update for libxml2</title><issued date="2013-05-13 10:28" /><updated date="2014-09-15 23:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0338:
A denial of service flaw was found in the
way libxml2 performed string substitutions when entity values for entity references replacement was enabled. A remote attacker could provide a specially-crafted XML file that, when processed by an application linked against libxml2, would lead to excessive CPU consumption.
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
912400:
CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338" id="CVE-2013-0338" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2-static" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-static-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-devel-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-debuginfo-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-python-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-debuginfo-2.7.8-10.26.amzn1.i686.rpm</filename></package><package arch="i686"
epoch="0" name="libxml2-static" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-static-2.7.8-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-devel-2.7.8-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-2.7.8-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python" release="10.26.amzn1" version="2.7.8"><filename>Packages/libxml2-python-2.7.8-10.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-189</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-189: medium priority package update for nginx</title><issued date="2013-05-14 15:35" /><updated date="2014-09-15 23:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2070:
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.
962525:
CVE-2013-2070 nginx: denial of service or memory disclosure when using proxy_pass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070" id="CVE-2013-2070" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx" release="1.11.amzn1" version="1.2.9"><filename>Packages/nginx-1.2.9-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="1.11.amzn1" version="1.2.9"><filename>Packages/nginx-debuginfo-1.2.9-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="1.11.amzn1" version="1.2.9"><filename>Packages/nginx-debuginfo-1.2.9-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="1.11.amzn1" version="1.2.9"><filename>Packages/nginx-1.2.9-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-190</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-190: medium priority package update for kernel</title><issued date="2013-05-14 15:37" /><updated date="2014-09-15 23:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2094:
962792:
CVE-2013-2094 kernel: perf_swevent_enabled array out-of-bound access
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094" id="CVE-2013-2094" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-headers-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-tools-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-tools-debuginfo-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-devel-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-debuginfo-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-tools-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-headers-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-debuginfo-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-tools-debuginfo-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="43.43.amzn1" 
version="3.4.43"><filename>Packages/kernel-debuginfo-common-i686-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-devel-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-3.4.43-43.43.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="43.43.amzn1" version="3.4.43"><filename>Packages/kernel-doc-3.4.43-43.43.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-191</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-191: low priority package update for tomcat7</title><issued date="2013-05-24 13:55" /><updated date="2014-09-15 23:05" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2071:
961803:
CVE-2013-2071 tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071" id="CVE-2013-2071" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-lib-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-jsp-2.2-api-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.26.amzn1"
version="7.0.40"><filename>Packages/tomcat7-webapps-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-javadoc-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-docs-webapp-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-admin-webapps-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-el-2.2-api-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.26.amzn1" version="7.0.40"><filename>Packages/tomcat7-servlet-3.0-api-7.0.40-1.26.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-192</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-192: important priority package update for openswan</title><issued date="2013-05-24 13:56" /><updated date="2014-09-15 23:06" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2053:
A buffer overflow flaw was found in Openswan.
If Opportunistic Encryption were enabled ("oe=yes" in "/etc/ipsec.conf") and an RSA key configured, an attacker able to cause a system to perform a DNS lookup for an attacker-controlled domain containing malicious records (such as by sending an email that triggers a DKIM or SPF DNS record lookup) could cause Openswan's pluto IKE daemon to crash or, potentially, execute arbitrary code with root privileges. With "oe=yes" but no RSA key configured, the issue can only be triggered by attackers on the local network who can control the reverse DNS entry of the target system. Opportunistic Encryption is disabled by default.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2053" id="CVE-2013-2053" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0827.html" id="RHSA-2013:0827" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openswan" release="2.16.amzn1" version="2.6.37"><filename>Packages/openswan-2.6.37-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-debuginfo" release="2.16.amzn1" version="2.6.37"><filename>Packages/openswan-debuginfo-2.6.37-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-doc" release="2.16.amzn1" version="2.6.37"><filename>Packages/openswan-doc-2.6.37-2.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openswan-doc" release="2.16.amzn1" version="2.6.37"><filename>Packages/openswan-doc-2.6.37-2.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan-debuginfo" release="2.16.amzn1" version="2.6.37"><filename>Packages/openswan-debuginfo-2.6.37-2.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan" release="2.16.amzn1"
version="2.6.37"><filename>Packages/openswan-2.6.37-2.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-193</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-193: medium priority package update for httpd</title><issued date="2013-05-24 13:56" /><updated date="2014-09-15 23:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1862:
It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user.

CVE-2012-4558:
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session.

CVE-2012-3499:
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" id="CVE-2012-4558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862" id="CVE-2013-1862" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" id="CVE-2012-3499" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0815.html" id="RHSA-2013:0815" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-devel" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-devel-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="2.31.amzn1" version="2.2.24"><filename>Packages/mod_ssl-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-debuginfo-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-manual-2.2.24-2.31.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-tools-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-debuginfo-2.2.24-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-2.2.24-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="2.31.amzn1"
version="2.2.24"><filename>Packages/mod_ssl-2.2.24-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-tools-2.2.24-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="2.31.amzn1" version="2.2.24"><filename>Packages/httpd-devel-2.2.24-2.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-194</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-194: medium priority package update for httpd24</title><issued date="2013-05-24 13:57" /><updated date="2014-09-15 23:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1862:
It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user.

CVE-2012-4558:
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session.

CVE-2012-3499:
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules.
An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" id="CVE-2012-4558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862" id="CVE-2013-1862" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" id="CVE-2012-3499" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0815.html" id="RHSA-2013:0815" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_proxy_html-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-tools-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_ssl-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_session-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-manual-2.4.4-2.46.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_ldap-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="httpd24-devel" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-devel-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-debuginfo-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-devel-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_ldap-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-debuginfo-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_session-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_proxy_html-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="2.46.amzn1" version="2.4.4"><filename>Packages/httpd24-tools-2.4.4-2.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="2.46.amzn1" version="2.4.4"><filename>Packages/mod24_ssl-2.4.4-2.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-195</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-195: medium priority package update for ruby19</title><issued date="2013-05-24 13:57" /><updated date="2014-09-15 23:07" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1821:
It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory.
914716:
CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821" id="CVE-2013-1821" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby19-debuginfo" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-debuginfo-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-libs-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="29.38.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-29.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby19-irb" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-irb-1.9.3.392-29.38.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-devel-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19-devel"
release="29.38.amzn1" version="1.8.23"><filename>Packages/rubygems19-devel-1.8.23-29.38.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="29.38.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-29.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="29.38.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-29.38.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-doc-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19" release="29.38.amzn1" version="1.8.23"><filename>Packages/rubygems19-1.8.23-29.38.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="29.38.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-29.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="29.38.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-29.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rake" release="29.38.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-29.38.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="29.38.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="29.38.amzn1" 
version="1.9.3.392"><filename>Packages/ruby19-devel-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-libs-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-debuginfo-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="29.38.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="29.38.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-29.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="29.38.amzn1" version="1.9.3.392"><filename>Packages/ruby19-doc-1.9.3.392-29.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-196</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-196: important priority package update for tomcat6</title><issued date="2013-06-11 22:44" /><updated date="2014-09-15 23:08" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1976:
927622:
CVE-2013-1976 tomcat: Improper TOMCAT_LOG management in init script (DoS, ACE)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976" id="CVE-2013-1976" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.1.amzn1"
version="6.0.37"><filename>Packages/tomcat6-admin-webapps-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-webapps-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-el-2.1-api-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-lib-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-servlet-2.5-api-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-javadoc-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-jsp-2.1-api-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.1.amzn1" version="6.0.37"><filename>Packages/tomcat6-docs-webapp-6.0.37-1.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-197</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-197: important priority package update for gnutls</title><issued date="2013-06-11 22:44" /><updated date="2014-09-15 23:08" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2013-2116:
It was discovered that the fix for the CVE-2013-1619 issue released via RHSA-2013:0588 introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS.

CVE-2013-1619:
It was discovered that the fix for the CVE-2013-1619 issue released via RHSA-2013:0588 introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619" id="CVE-2013-1619" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116" id="CVE-2013-2116" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0883.html" id="RHSA-2013:0883" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-guile" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="10.10.amzn1"
version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-10.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-10.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-10.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-10.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="10.10.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-10.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-198</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-198: medium priority package update for mesa</title><issued date="2013-06-11 22:45" /><updated date="2014-09-15 23:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1993:
It was found that Mesa did not correctly validate messages from the X server. A malicious X server could cause an application using Mesa to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2013-1872:
An out-of-bounds access flaw was found in Mesa. If an application using Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does this), an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993" id="CVE-2013-1993" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872" id="CVE-2013-1872" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0897.html" id="RHSA-2013:0897" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mesa-debuginfo" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-debuginfo-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mesa-libOSMesa" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libOSMesa-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mesa-libGLU" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGLU-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glx-utils" release="0.8.15.amzn1" version="9.0"><filename>Packages/glx-utils-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mesa-libGL-devel" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGL-devel-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mesa-libGL" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGL-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mesa-libGLU-devel" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGLU-devel-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mesa-libOSMesa-devel" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libOSMesa-devel-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glx-utils" release="0.8.15.amzn1"
version="9.0"><filename>Packages/glx-utils-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-libGL-devel" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGL-devel-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-debuginfo" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-debuginfo-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-libGL" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGL-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-libGLU" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGLU-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-libGLU-devel" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libGLU-devel-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-libOSMesa-devel" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libOSMesa-devel-9.0-0.8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mesa-libOSMesa" release="0.8.15.amzn1" version="9.0"><filename>Packages/mesa-libOSMesa-9.0-0.8.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-199</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-199: medium priority package update for libtirpc</title><issued date="2013-06-11 22:45" /><updated date="2014-09-15 23:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1950:
A flaw was found in the way libtirpc decoded RPC requests.
A specially-crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1950" id="CVE-2013-1950" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0884.html" id="RHSA-2013:0884" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtirpc-debuginfo" release="6.8.amzn1" version="0.2.1"><filename>Packages/libtirpc-debuginfo-0.2.1-6.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtirpc-devel" release="6.8.amzn1" version="0.2.1"><filename>Packages/libtirpc-devel-0.2.1-6.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtirpc" release="6.8.amzn1" version="0.2.1"><filename>Packages/libtirpc-0.2.1-6.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtirpc-devel" release="6.8.amzn1" version="0.2.1"><filename>Packages/libtirpc-devel-0.2.1-6.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtirpc" release="6.8.amzn1" version="0.2.1"><filename>Packages/libtirpc-0.2.1-6.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtirpc-debuginfo" release="6.8.amzn1" version="0.2.1"><filename>Packages/libtirpc-debuginfo-0.2.1-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-200</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-200: medium priority package update for kernel</title><issued date="2013-06-11 22:45" /><updated date="2014-09-15 23:11"
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3235:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-3231:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-3224:
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-3222:
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-1929:
* A heap-based buffer overflow in the way the tg3 Ethernet driver parsed the vital product data (VPD) of devices could allow an attacker with physical access to a system to cause a denial of service or, potentially, escalate their privileges.

CVE-2013-1773:
916115:
CVE-2013-1773 kernel: VFAT slab-based buffer overflow
* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the "utf8=1" option could use this flaw to crash the system or, potentially, to escalate their privileges.
Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.

CVE-2013-1767:
915592:
CVE-2013-1767 Kernel: tmpfs: fix use-after-free of mempolicy object
* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.

CVE-2013-0914:
* An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.

CVE-2012-6545:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2012-6544:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1929" id="CVE-2013-1929" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1767" id="CVE-2013-1767" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6545" id="CVE-2012-6545" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6544" id="CVE-2012-6544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224" id="CVE-2013-3224" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222" id="CVE-2013-3222" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914" id="CVE-2013-0914" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3231" id="CVE-2013-3231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3235" id="CVE-2013-3235" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1773" id="CVE-2013-1773" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-tools-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-tools-debuginfo-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-debuginfo-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="45.46.amzn1"
version="3.4.48"><filename>Packages/kernel-headers-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-devel-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-debuginfo-common-i686-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-tools-debuginfo-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-debuginfo-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-tools-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-headers-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-devel-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="45.46.amzn1" version="3.4.48"><filename>Packages/kernel-3.4.48-45.46.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="45.46.amzn1" 
version="3.4.48"><filename>Packages/kernel-doc-3.4.48-45.46.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-201</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-201: low priority package update for openvpn</title><issued date="2013-06-11 22:47" /><updated date="2014-09-15 23:12" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2061:
960192:
CVE-2013-2061 openvpn: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061" id="CVE-2013-2061" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openvpn-debuginfo" release="1.7.amzn1" version="2.3.1"><filename>Packages/openvpn-debuginfo-2.3.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn" release="1.7.amzn1" version="2.3.1"><filename>Packages/openvpn-2.3.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openvpn" release="1.7.amzn1" version="2.3.1"><filename>Packages/openvpn-2.3.1-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-debuginfo" release="1.7.amzn1" version="2.3.1"><filename>Packages/openvpn-debuginfo-2.3.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-202</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-202: medium priority package update for socat</title><issued date="2013-06-20 14:13" /><updated date="2014-09-15 23:12" /><severity>medium</severity><description>Package updates are
available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3571:
967345:
CVE-2013-3571 socat: Denial of service due to file descriptor leak
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3571" id="CVE-2013-3571" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="socat" release="1.8.amzn1" version="1.7.2.2"><filename>Packages/socat-1.7.2.2-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="socat-debuginfo" release="1.8.amzn1" version="1.7.2.2"><filename>Packages/socat-debuginfo-1.7.2.2-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="socat-debuginfo" release="1.8.amzn1" version="1.7.2.2"><filename>Packages/socat-debuginfo-1.7.2.2-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="socat" release="1.8.amzn1" version="1.7.2.2"><filename>Packages/socat-1.7.2.2-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-203</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-203: important priority package update for nrpe</title><issued date="2013-06-20 14:14" /><updated date="2014-09-15 23:31" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1362:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362" id="CVE-2013-1362" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nagios-plugins-nrpe" release="3.5.amzn1"
version="2.14"><filename>Packages/nagios-plugins-nrpe-2.14-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nrpe" release="3.5.amzn1" version="2.14"><filename>Packages/nrpe-2.14-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nrpe-debuginfo" release="3.5.amzn1" version="2.14"><filename>Packages/nrpe-debuginfo-2.14-3.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nagios-plugins-nrpe" release="3.5.amzn1" version="2.14"><filename>Packages/nagios-plugins-nrpe-2.14-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nrpe" release="3.5.amzn1" version="2.14"><filename>Packages/nrpe-2.14-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nrpe-debuginfo" release="3.5.amzn1" version="2.14"><filename>Packages/nrpe-debuginfo-2.14-3.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-204</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-204: important priority package update for java-1.7.0-openjdk</title><issued date="2013-06-20 14:14" /><updated date="2014-09-15 23:13" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2192 CVE-2013-2473: 2193 Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. 2194 2195 CVE-2013-2472: 2196 Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. 
CVE-2013-2471:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2470:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2469:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2465:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2463:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2461:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.

CVE-2013-2460:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK.
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2459:
Integer overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application.

CVE-2013-2458:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2457:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2456:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2455:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2454:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2453:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2452:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2450:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.

CVE-2013-2449:
It was discovered that GnomeFileTypeDetector did not check for read permissions when accessing files. An untrusted Java application or applet could possibly use this flaw to disclose potentially sensitive information.

CVE-2013-2448:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2447:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2446:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2445:
It was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine.

CVE-2013-2444:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references.
An untrusted Java application or applet could possibly use these flaws to cause a denial of service.

CVE-2013-2443:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2412:
It was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information.

CVE-2013-2407:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.

CVE-2013-1571:
It was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation.

CVE-2013-1500:
It was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571" id="CVE-2013-1571" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407" id="CVE-2013-2407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412" id="CVE-2013-2412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500" id="CVE-2013-1500" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448" id="CVE-2013-2448" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454" id="CVE-2013-2454" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455" id="CVE-2013-2455" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456" id="CVE-2013-2456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457" id="CVE-2013-2457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450" id="CVE-2013-2450" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452" id="CVE-2013-2452" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453" id="CVE-2013-2453" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465" id="CVE-2013-2465" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445" id="CVE-2013-2445" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472" id="CVE-2013-2472" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459" id="CVE-2013-2459" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470" id="CVE-2013-2470" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471" id="CVE-2013-2471" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443" id="CVE-2013-2443" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458" id="CVE-2013-2458" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449" id="CVE-2013-2449" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473" id="CVE-2013-2473" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447" id="CVE-2013-2447" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460" id="CVE-2013-2460" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463" id="CVE-2013-2463" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461" id="CVE-2013-2461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469" id="CVE-2013-2469" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446" id="CVE-2013-2446" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444" id="CVE-2013-2444" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0957.html" id="RHSA-2013:0957" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" 
name="java-1.7.0-openjdk-javadoc" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.3.10.3.29.amzn1" version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.3.10.3.29.amzn1" 
version="1.7.0.25"><filename>Packages/java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-205</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-205: critical priority package update for php</title><issued date="2013-06-24 13:48" /><updated date="2014-09-15 23:14" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2110:
964969:
CVE-2013-2110 php: Heap-based buffer overflow in quoted_printable_encode()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110" id="CVE-2013-2110" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php-xml" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-xml-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mssql-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mysql-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-imap-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mysqlnd-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-common-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.0.amzn1"
version="5.3.26"><filename>Packages/php-snmp-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-bcmath-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-gd-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-debuginfo-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-devel-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-recode-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-dba-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mbstring-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-process-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-xmlrpc-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-cli-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-ldap-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.0.amzn1" 
version="5.3.26"><filename>Packages/php-tidy-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-enchant" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-enchant-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-odbc-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mcrypt-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-pgsql-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-soap-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-embedded-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-pspell-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-pdo-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-fpm-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-intl-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.0.amzn1" 
version="5.3.26"><filename>Packages/php-mcrypt-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-soap-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-tidy-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-snmp-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-dba-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mbstring-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-intl-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-xmlrpc-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-devel-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-bcmath-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-fpm-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.0.amzn1" 
version="5.3.26"><filename>Packages/php-ldap-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mysqlnd-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-embedded-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-enchant" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-enchant-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mssql-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-common-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-mysql-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-debuginfo-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-cli-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-imap-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-pspell-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-pdo-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.0.amzn1" 
version="5.3.26"><filename>Packages/php-xml-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-pgsql-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-recode-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-gd-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-odbc-5.3.26-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.0.amzn1" version="5.3.26"><filename>Packages/php-process-5.3.26-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-206</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-206: critical priority package update for php54</title><issued date="2013-06-24 13:48" /><updated date="2014-09-15 23:14" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2110:
964969:
CVE-2013-2110 php: Heap-based buffer overflow in quoted_printable_encode()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110" id="CVE-2013-2110" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-process" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-process-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.37.amzn1"
version="5.4.16"><filename>Packages/php54-recode-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-fpm-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-dba-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-ldap-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-soap-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mbstring-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-embedded-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mysqlnd-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-odbc-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mysql-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-pspell-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-common-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php54-imap" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-imap-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-enchant-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-xml-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-devel-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mcrypt-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-tidy-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mssql-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-cli-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-intl-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-debuginfo-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.37.amzn1" 
version="5.4.16"><filename>Packages/php54-xmlrpc-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-pgsql-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-gd-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-pdo-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-snmp-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-bcmath-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-pspell-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-snmp-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-imap-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mbstring-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-cli-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-tidy-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" 
release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-ldap-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-xml-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-enchant-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-debuginfo-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-devel-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mcrypt-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-fpm-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-pdo-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-pgsql-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mssql-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-gd-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mysqlnd-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" 
release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-embedded-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-odbc-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-common-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-recode-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-process-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-dba-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-intl-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-bcmath-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-mysql-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-xmlrpc-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-5.4.16-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.37.amzn1" version="5.4.16"><filename>Packages/php54-soap-5.4.16-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-207</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-207: important priority package update for java-1.6.0-openjdk</title><issued date="2013-07-12 15:31" /><updated date="2014-09-15 23:15" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2473:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2472:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2471:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2470:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2469:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2465:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2463:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.

CVE-2013-2461:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.

CVE-2013-2459:
Integer overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application.

CVE-2013-2457:
Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2456:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2455:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2453:
Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK.
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2452:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2450:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.

CVE-2013-2448:
Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-2447:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2446:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2445:
It was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine.

CVE-2013-2444:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.
CVE-2013-2443:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.

CVE-2013-2412:
It was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information.

CVE-2013-2407:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.

CVE-2013-1571:
It was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation.

CVE-2013-1500:
It was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465" id="CVE-2013-2465" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571" id="CVE-2013-1571" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407" id="CVE-2013-2407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412" id="CVE-2013-2412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500" id="CVE-2013-1500" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455" id="CVE-2013-2455" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456" id="CVE-2013-2456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457" id="CVE-2013-2457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450" id="CVE-2013-2450" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452" id="CVE-2013-2452" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453" id="CVE-2013-2453" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443" id="CVE-2013-2443" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472" id="CVE-2013-2472" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459" id="CVE-2013-2459" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470" id="CVE-2013-2470" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471" id="CVE-2013-2471" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447" id="CVE-2013-2447" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473" id="CVE-2013-2473" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448" id="CVE-2013-2448" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463" id="CVE-2013-2463" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445" id="CVE-2013-2445" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461" id="CVE-2013-2461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469" id="CVE-2013-2469" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446" id="CVE-2013-2446" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444" id="CVE-2013-2444" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1014.html" id="RHSA-2013:1014" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" 
release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="62.1.11.11.90.55.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-208</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-208: medium priority package update for krb5</title><issued date="2013-07-12 15:31" /><updated date="2014-09-15 23:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2002-2443:
It was found that kadmind's kpasswd service did not perform any validation on incoming network packets, causing it to reply to all requests. A remote attacker could use this flaw to send spoofed packets to a kpasswd service that appear to come from kadmind on a different server, causing the services to keep replying packets to each other, consuming network bandwidth and CPU.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443" id="CVE-2002-2443" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0942.html" id="RHSA-2013:0942" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="10.26.amzn1" 
version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-10.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="10.26.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-10.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-209</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-209: medium priority package update for fail2ban</title><issued date="2013-07-12 15:31" /><updated 
date="2014-09-15 23:16" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2178:
973756:
CVE-2013-2178 fail2ban: remote denial of service due to apache log parsing issue
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2178" id="CVE-2013-2178" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="fail2ban" release="1.3.amzn1" version="0.8.10"><filename>Packages/fail2ban-0.8.10-1.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-210</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-210: medium priority package update for curl</title><issued date="2013-07-12 15:32" /><updated date="2014-09-15 23:17" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1944:
The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
A flaw was found in the way libcurl matched domains associated with cookies. This could lead to cURL or an application linked against libcurl sending the wrong cookie if only part of the domain name matched the domain associated with the cookie, disclosing the cookie to unrelated hosts.
950577:
CVE-2013-1944 curl: Cookie domain suffix match vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944" id="CVE-2013-1944" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="11.34.amzn1" version="7.27.0"><filename>Packages/curl-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="11.34.amzn1" version="7.27.0"><filename>Packages/libcurl-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="11.34.amzn1" version="7.27.0"><filename>Packages/curl-debuginfo-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="11.34.amzn1" version="7.27.0"><filename>Packages/libcurl-devel-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="11.34.amzn1" version="7.27.0"><filename>Packages/libcurl-devel-7.27.0-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="11.34.amzn1" version="7.27.0"><filename>Packages/curl-7.27.0-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="11.34.amzn1" version="7.27.0"><filename>Packages/curl-debuginfo-7.27.0-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="11.34.amzn1" version="7.27.0"><filename>Packages/libcurl-7.27.0-11.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-211</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-211: critical priority package update for php</title><issued date="2013-07-12 15:56" /><updated date="2014-09-15 23:17" 
/><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4113:
A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xml_parse_into_struct() function to parse untrusted XML content, an attacker able to supply specially-crafted XML could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113" id="CVE-2013-4113" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1049.html" id="RHSA-2013:1049" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php-fpm" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-fpm-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-intl-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-common-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-snmp-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mbstring-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-xml-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.0.amzn1" 
version="5.3.27"><filename>Packages/php-pdo-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-process-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-dba-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mysqlnd-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-gd-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mssql-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-recode-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mysql-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-bcmath-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-embedded-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-devel-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-imap-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.0.amzn1" 
version="5.3.27"><filename>Packages/php-xmlrpc-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-pgsql-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-tidy-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-cli-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-odbc-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-debuginfo-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-soap-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-ldap-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mcrypt-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-pspell-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-enchant" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-enchant-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.0.amzn1" 
version="5.3.27"><filename>Packages/php-snmp-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mysql-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mssql-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-xml-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-intl-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mysqlnd-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-pdo-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-odbc-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-embedded-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-dba-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-xmlrpc-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mbstring-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.0.amzn1" 
version="5.3.27"><filename>Packages/php-debuginfo-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-ldap-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-enchant" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-enchant-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-cli-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-pgsql-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-common-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-bcmath-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-soap-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-imap-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-devel-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-gd-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.0.amzn1" 
version="5.3.27"><filename>Packages/php-process-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-recode-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-mcrypt-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-fpm-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-tidy-5.3.27-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.0.amzn1" version="5.3.27"><filename>Packages/php-pspell-5.3.27-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-212</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-212: critical priority package update for php54</title><issued date="2013-07-12 15:56" /><updated date="2014-09-15 23:18" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4113:
A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xml_parse_into_struct() function to parse untrusted XML content, an attacker able to supply specially-crafted XML could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113" id="CVE-2013-4113" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1049.html" id="RHSA-2013:1049" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-bcmath" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-bcmath-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-pspell-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-recode-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-common-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-fpm-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-odbc-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-xmlrpc-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-dba-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-xml-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="2.40.amzn1" 
version="5.4.17"><filename>Packages/php54-mbstring-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-debuginfo-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-tidy-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-devel-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-soap-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-pgsql-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-pdo-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-snmp-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mysqlnd-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-embedded-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mysql-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-gd" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-gd-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-process-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-imap-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-cli-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-enchant-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mssql-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-intl-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mcrypt-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-ldap-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-pspell-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-snmp-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-bcmath-5.4.17-2.40.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php54-ldap" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-ldap-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-xml-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mysql-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-xmlrpc-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-imap-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-soap-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mcrypt-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-tidy-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-cli-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-dba-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mysqlnd-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-devel-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php54-pdo" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-pdo-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-process-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-gd-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-embedded-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mbstring-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-pgsql-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-mssql-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-enchant-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-fpm-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-intl-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-debuginfo-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php54-recode" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-recode-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-odbc-5.4.17-2.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="2.40.amzn1" version="5.4.17"><filename>Packages/php54-common-5.4.17-2.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-213</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-213: critical priority package update for puppet</title><issued date="2013-07-12 15:57" /><updated date="2014-09-15 23:18" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3567:
974649:
CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567" id="CVE-2013-3567" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="puppet" release="1.0.amzn1" version="2.7.22"><filename>Packages/puppet-2.7.22-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="1.0.amzn1" version="2.7.22"><filename>Packages/puppet-debuginfo-2.7.22-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="1.0.amzn1" version="2.7.22"><filename>Packages/puppet-server-2.7.22-1.0.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="1.0.amzn1" 
version="2.7.22"><filename>Packages/puppet-debuginfo-2.7.22-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="1.0.amzn1" version="2.7.22"><filename>Packages/puppet-2.7.22-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-server" release="1.0.amzn1" version="2.7.22"><filename>Packages/puppet-server-2.7.22-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-214</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-214: important priority package update for bind</title><issued date="2013-08-07 21:20" /><updated date="2014-09-15 23:18" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4854:
A denial of service flaw was found in BIND. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to crash when rejecting the malformed query.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854" id="CVE-2013-4854" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1114.html" id="RHSA-2013:1114" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" 
name="bind-sdb" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.17.rc1.30.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-215</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-215: medium priority package update for haproxy</title><issued date="2013-08-07 21:21" /><updated date="2014-09-15 23:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2175:
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.
974259:
CVE-2013-2175 haproxy: http_get_hdr()/get_ip_from_hdr2() MAX_HDR_HISTORY handling denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2175" id="CVE-2013-2175" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="haproxy-debuginfo" release="5.3.amzn1" version="1.4.22"><filename>Packages/haproxy-debuginfo-1.4.22-5.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="haproxy" release="5.3.amzn1" version="1.4.22"><filename>Packages/haproxy-1.4.22-5.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="haproxy" release="5.3.amzn1" version="1.4.22"><filename>Packages/haproxy-1.4.22-5.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="haproxy-debuginfo" release="5.3.amzn1" version="1.4.22"><filename>Packages/haproxy-debuginfo-1.4.22-5.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-216</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-216: medium priority package update for nspr</title><issued date="2013-08-07 21:23" /><updated date="2014-09-15 23:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1620:
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.

CVE-2013-0791:
An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. 
If an application using NSS decoded a malformed certificate, it could cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791" id="CVE-2013-0791" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" id="CVE-2013-1620" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1144.html" id="RHSA-2013:1144" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nspr-devel" release="2.17.amzn1" version="4.9.5"><filename>Packages/nspr-devel-4.9.5-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-debuginfo" release="2.17.amzn1" version="4.9.5"><filename>Packages/nspr-debuginfo-4.9.5-2.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr" release="2.17.amzn1" version="4.9.5"><filename>Packages/nspr-4.9.5-2.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nspr" release="2.17.amzn1" version="4.9.5"><filename>Packages/nspr-4.9.5-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr-devel" release="2.17.amzn1" version="4.9.5"><filename>Packages/nspr-devel-4.9.5-2.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr-debuginfo" release="2.17.amzn1" version="4.9.5"><filename>Packages/nspr-debuginfo-4.9.5-2.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-217</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-217: medium priority package update for nss</title><issued date="2013-08-07 21:23" /><updated date="2014-09-15 23:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2013-1620:
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.

CVE-2013-0791:
An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791" id="CVE-2013-0791" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" id="CVE-2013-1620" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1144.html" id="RHSA-2013:1144" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-debuginfo" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-debuginfo-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-sysinit-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-devel-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-pkcs11-devel-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="4.29.amzn1" 
version="3.14.3"><filename>Packages/nss-tools-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-3.14.3-4.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-tools-3.14.3-4.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-devel-3.14.3-4.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-debuginfo-3.14.3-4.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-sysinit-3.14.3-4.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="4.29.amzn1" version="3.14.3"><filename>Packages/nss-pkcs11-devel-3.14.3-4.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-218</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-218: medium priority package update for kernel</title><issued date="2013-08-13 21:32" /><updated date="2014-09-15 23:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3301:
* A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service.

CVE-2013-3225:
955649:
CVE-2013-3225 Kernel: Bluetooth: RFCOMM - missing msg_namelen update in rfcomm_sock_recvmsg
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.

CVE-2013-3224:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
955599:
CVE-2013-3224 Kernel: Bluetooth: possible info leak in bt_sock_recvmsg()

CVE-2013-3222:
The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
955216:
CVE-2013-3222 Kernel: atm: update msg_namelen in vcc_recvmsg()
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-2852:
* A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. 
A local user who is able to specify the "fwpostfix" b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges.
969518:
CVE-2013-2852 kernel: b43: format string leaking into error msgs
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.

CVE-2013-2635:
The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
924690:
CVE-2013-2635 kernel: Information leak in the RTNETLINK component
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-2634:
net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
924689:
CVE-2013-2634 kernel: Information leak in the Data Center Bridging (DCB) component
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2013-2234:
The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
980995:
CVE-2013-2234 Kernel: net: information leak in AF_KEY notify

CVE-2013-2232:
The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
981552:
CVE-2013-2232 Kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg

CVE-2013-2128:
968484:
CVE-2013-2128 Kernel: net: oops from tcp_collapse() when using splice(2)
The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.
* A flaw was found in the tcp_read_sock() function in the Linux kernel's IPv4 TCP/IP protocol suite implementation in the way socket buffers (skb) were handled. A local, unprivileged user could trigger this issue via a call to splice(), leading to a denial of service.

CVE-2013-1848:
920783:
CVE-2013-1848 kernel: ext3: format string issues
* A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file system implementation. A local user who is able to mount an ext3 file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.

CVE-2013-1059:
977356:
CVE-2013-1059 Kernel: libceph: Fix NULL pointer dereference in auth client code
net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.

CVE-2013-0914:
The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.
* An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
920499:
CVE-2013-0914 Kernel: sa_restorer information leak

CVE-2012-6548:
922353:
CVE-2012-6548 Kernel: udf: information leak on export
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.
2484 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224" id="CVE-2013-3224" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6548" id="CVE-2012-6548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3301" id="CVE-2013-3301" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635" id="CVE-2013-2635" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232" id="CVE-2013-2232" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2128" id="CVE-2013-2128" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3225" id="CVE-2013-3225" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2852" id="CVE-2013-2852" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234" id="CVE-2013-2234" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222" id="CVE-2013-3222" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914" id="CVE-2013-0914" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634" id="CVE-2013-2634" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1848" id="CVE-2013-1848" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1059" id="CVE-2013-1059" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-tools-debuginfo-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="kernel-tools" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-tools-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-devel-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-headers-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-debuginfo-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-headers-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-debuginfo-common-i686-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-tools-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-devel-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" 
release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-debuginfo-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-tools-debuginfo-3.4.57-48.42.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="48.42.amzn1" version="3.4.57"><filename>Packages/kernel-doc-3.4.57-48.42.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-219</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-219: medium priority package update for puppet</title><issued date="2013-09-04 13:30" /><updated date="2014-09-15 23:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2485 CVE-2013-4956: 2486 996855: 2487 CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution 2488 Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions. 2489 2490 CVE-2013-4761: 2491 Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master. 
996856:
CVE-2013-4761 Puppet: resource_type service code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761" id="CVE-2013-4761" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956" id="CVE-2013-4956" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="1.0.amzn1" version="2.7.23"><filename>Packages/puppet-debuginfo-2.7.23-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="1.0.amzn1" version="2.7.23"><filename>Packages/puppet-2.7.23-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="1.0.amzn1" version="2.7.23"><filename>Packages/puppet-server-2.7.23-1.0.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="1.0.amzn1" version="2.7.23"><filename>Packages/puppet-debuginfo-2.7.23-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="1.0.amzn1" version="2.7.23"><filename>Packages/puppet-2.7.23-1.0.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-server" release="1.0.amzn1" version="2.7.23"><filename>Packages/puppet-server-2.7.23-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-220</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-220: medium priority package update for python27</title><issued date="2013-09-04 13:31" /><updated date="2014-09-15 23:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4238:
996381:
CVE-2013-4238 python: hostname check bypassing
vulnerability in SSL module 2498 The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. 2499 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238" id="CVE-2013-4238" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-test" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-test-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-debuginfo-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-libs-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-tools-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-devel-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-2.7.5-4.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="4.28.amzn1" 
version="2.7.5"><filename>Packages/python27-devel-2.7.5-4.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-test-2.7.5-4.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-tools-2.7.5-4.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-debuginfo-2.7.5-4.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="4.28.amzn1" version="2.7.5"><filename>Packages/python27-libs-2.7.5-4.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-221</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-221: medium priority package update for subversion</title><issued date="2013-09-04 13:32" /><updated date="2014-09-15 23:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2500 CVE-2013-4131: 2501 986194: 2502 CVE-2013-4131 subversion: DoS (assertion failure, crash) in mod_dav_svn when handling certain MOVE, COPY, or DELETE HTTP requests 2503 The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision root. 
2504 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4131" id="CVE-2013-4131" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-debuginfo-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-python-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-libs-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-javahl-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-devel-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.32.amzn1" version="1.7.13"><filename>Packages/mod_dav_svn-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-perl-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-tools-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-ruby-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.32.amzn1" 
version="1.7.13"><filename>Packages/subversion-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-perl-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-javahl-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-python-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-ruby-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-libs-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.32.amzn1" version="1.7.13"><filename>Packages/mod_dav_svn-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-tools-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-debuginfo-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-devel-1.7.13-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.32.amzn1" version="1.7.13"><filename>Packages/subversion-1.7.13-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2013-222</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-222: medium priority package update for cacti</title><issued date="2013-09-04 13:33" /><updated date="2014-09-15 23:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1435:
994616:
CVE-2013-1434 CVE-2013-1435 cacti: SQL injection and shell escaping issues fixed in 0.8.8b
(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVE-2013-1434:
994616:
CVE-2013-1434 CVE-2013-1435 cacti: SQL injection and shell escaping issues fixed in 0.8.8b
Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1435" id="CVE-2013-1435" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1434" id="CVE-2013-1434" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="2.10.amzn1" version="0.8.8b"><filename>Packages/cacti-0.8.8b-2.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-223</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-223: important priority package update for 389-ds-base</title><issued date="2013-09-19 15:02" /><updated date="2014-09-15 23:23" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4283:
999634:
CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN
ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service (server crash) via a crafted Distinguished Name (DN) in a MOD operation request.
It was discovered that the 389 Directory Server did not properly handle the receipt of certain MOD operations with a bogus Distinguished Name (DN). A remote, unauthenticated attacker could use this flaw to cause the 389 Directory Server to crash.

CVE-2013-2219:
979508:
CVE-2013-2219 Directory Server: ACLs inoperative in some search scenarios
It was discovered that the 389 Directory Server did not honor defined attribute access controls when evaluating search filter expressions. A remote attacker (with permission to query the Directory Server) could use this flaw to determine the values of restricted attributes via a series of search queries with filter conditions that used restricted attributes.
The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute.
2526 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4283" id="CVE-2013-4283" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2219" id="CVE-2013-2219" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-debuginfo-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-libs-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-devel-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-devel-1.3.1.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-1.3.1.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-libs-1.3.1.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="1.5.amzn1" version="1.3.1.8"><filename>Packages/389-ds-base-debuginfo-1.3.1.8-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-224</id><title>Amazon Linux AMI 2012.09 - 
ALAS-2013-224: medium priority package update for php54</title><issued date="2013-09-19 15:28" /><updated date="2014-09-15 23:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4248:
997097:
CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVE-2011-4718:
996774:
CVE-2011-4718 php: session fixation vulnerability allows remote hijacking of sessions
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
2536 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718" id="CVE-2011-4718" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248" id="CVE-2013-4248" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-odbc" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-odbc-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mysql-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-debuginfo-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-pgsql-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-fpm-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-process-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-dba-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-recode-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-pspell-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.42.amzn1" 
version="5.4.19"><filename>Packages/php54-imap-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-enchant-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-bcmath-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-snmp-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-soap-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-xml-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mssql-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-gd-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-pdo-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-embedded-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mbstring-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-common-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php54-tidy" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-tidy-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-xmlrpc-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-intl-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-ldap-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-devel-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mcrypt-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-cli-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mysqlnd-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-devel-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-pdo-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-gd-5.4.19-1.42.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php54-snmp" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-snmp-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-embedded-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-tidy-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mysqlnd-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mssql-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mbstring-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-ldap-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-dba-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-imap-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-xmlrpc-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-pspell-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-fpm-5.4.19-1.42.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php54-common" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-common-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-bcmath-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-xml-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-pgsql-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mysql-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-cli-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-odbc-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-enchant-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-debuginfo-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-intl-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-recode-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php54-soap" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-soap-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-process-5.4.19-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.42.amzn1" version="5.4.19"><filename>Packages/php54-mcrypt-5.4.19-1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-225</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-225: medium priority package update for gnupg</title><issued date="2013-09-19 15:29" /><updated date="2014-09-15 23:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4242:
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
988589:
CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242" id="CVE-2013-4242" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg" release="1.20.amzn1" version="1.4.14"><filename>Packages/gnupg-1.4.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg-debuginfo" release="1.20.amzn1" version="1.4.14"><filename>Packages/gnupg-debuginfo-1.4.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg-debuginfo" release="1.20.amzn1" version="1.4.14"><filename>Packages/gnupg-debuginfo-1.4.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg" release="1.20.amzn1" version="1.4.14"><filename>Packages/gnupg-1.4.14-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-226</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-226: medium priority package update for libgcrypt</title><issued date="2013-09-19 15:49" /><updated date="2014-09-16 21:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4242:
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
988589:
CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242" id="CVE-2013-4242" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libgcrypt-debuginfo" release="9.12.amzn1" version="1.4.5"><filename>Packages/libgcrypt-debuginfo-1.4.5-9.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libgcrypt" release="9.12.amzn1" version="1.4.5"><filename>Packages/libgcrypt-1.4.5-9.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libgcrypt-devel" release="9.12.amzn1" version="1.4.5"><filename>Packages/libgcrypt-devel-1.4.5-9.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt-debuginfo" release="9.12.amzn1" version="1.4.5"><filename>Packages/libgcrypt-debuginfo-1.4.5-9.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt-devel" release="9.12.amzn1" version="1.4.5"><filename>Packages/libgcrypt-devel-1.4.5-9.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt" release="9.12.amzn1" version="1.4.5"><filename>Packages/libgcrypt-1.4.5-9.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-227</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-227: medium priority package update for nagios</title><issued date="2013-09-24 19:41" /><updated date="2014-09-16 21:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2029:
958015:
CVE-2013-2029 Nagios core: Insecure temporary file usage in nagios.upgrade_to_v3.sh
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2029" id="CVE-2013-2029" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nagios-common" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-common-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-debuginfo" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-debuginfo-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-devel" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-devel-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nagios-devel" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-devel-3.5.1-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-3.5.1-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios-debuginfo" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-debuginfo-3.5.1-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios-common" release="1.6.amzn1" version="3.5.1"><filename>Packages/nagios-common-3.5.1-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-228</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-228: medium priority package update for kernel</title><issued date="2013-09-24 19:43" /><updated date="2014-09-16 21:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2013-0343:
914664:
CVE-2013-0343 kernel: handling of IPv6 temporary addresses
The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0343" id="CVE-2013-0343" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-tools-debuginfo-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-headers-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-devel-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-tools-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="53.42.amzn1" 
version="3.4.62"><filename>Packages/kernel-debuginfo-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-debuginfo-common-i686-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-headers-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-tools-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-devel-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-tools-debuginfo-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-debuginfo-3.4.62-53.42.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="53.42.amzn1" version="3.4.62"><filename>Packages/kernel-doc-3.4.62-53.42.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-229</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-229: low priority package update for ruby19</title><issued date="2013-09-26 22:21" /><updated date="2014-09-16 21:40" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2065:
962035:
CVE-2013-2065 Ruby: Object taint bypassing in DL and Fiddle
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065" id="CVE-2013-2065" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygem19-rake" release="31.53.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-31.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby19-irb" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-irb-1.9.3.448-31.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="31.53.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-31.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-doc-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-libs-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="31.53.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-31.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19-devel" release="31.53.amzn1" version="1.8.23"><filename>Packages/rubygems19-devel-1.8.23-31.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="31.53.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-31.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-debuginfo" 
release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-debuginfo-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19" release="31.53.amzn1" version="1.8.23"><filename>Packages/rubygems19-1.8.23-31.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="31.53.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="31.53.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-31.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-devel-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-debuginfo-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="31.53.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="31.53.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-doc-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-devel-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-libs-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="31.53.amzn1" 
version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-31.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="31.53.amzn1" version="1.9.3.448"><filename>Packages/ruby19-1.9.3.448-31.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-230</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-230: medium priority package update for rubygems</title><issued date="2013-09-26 22:22" /><updated date="2014-09-16 21:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4287:
1002364:
CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287" id="CVE-2013-4287" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems-devel" release="7.12.amzn1" version="1.8.25"><filename>Packages/rubygems-devel-1.8.25-7.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems" release="7.12.amzn1" version="1.8.25"><filename>Packages/rubygems-1.8.25-7.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-231</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-231: medium priority package update for rubygems</title><issued date="2013-10-16 20:52" /><updated date="2014-09-16 21:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4363:
1009720:
CVE-2013-4363 rubygems: version regex algorithmic 
complexity vulnerability, incomplete CVE-2013-4287 fix
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363" id="CVE-2013-4363" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems" release="8.12.amzn1" version="1.8.25"><filename>Packages/rubygems-1.8.25-8.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems-devel" release="8.12.amzn1" version="1.8.25"><filename>Packages/rubygems-devel-1.8.25-8.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-232</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-232: medium priority package update for xinetd</title><issued date="2013-10-16 20:53" /><updated date="2014-09-16 21:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4342:
It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was a flaw in such a service, a remote attacker could use it to execute arbitrary code with the privileges of the root user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342" id="CVE-2013-4342" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1409.html" id="RHSA-2013:1409" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="xinetd-debuginfo" release="39.9.amzn1" version="2.3.14"><filename>Packages/xinetd-debuginfo-2.3.14-39.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="xinetd" release="39.9.amzn1" version="2.3.14"><filename>Packages/xinetd-2.3.14-39.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="xinetd" release="39.9.amzn1" version="2.3.14"><filename>Packages/xinetd-2.3.14-39.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="xinetd-debuginfo" release="39.9.amzn1" version="2.3.14"><filename>Packages/xinetd-debuginfo-2.3.14-39.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-233</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-233: medium priority package update for kernel</title><issued date="2013-10-16 20:53" /><updated date="2014-09-16 21:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4387:
1011927:
CVE-2013-4387 Kernel: net: IPv6: panic when UFO=On for an interface
net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response 
packet.

CVE-2013-4299:
1004233:
CVE-2013-4299 kernel: dm: dm-snapshot data leak
* An information leak flaw was found in the way Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible.

CVE-2013-4162:
987627:
CVE-2013-4162 Kernel: net: panic while pushing pending data out of a IPv6 socket with UDP_CORK enabled
* A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service.
The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.

CVE-2013-2141:
970873:
CVE-2013-2141 Kernel: signal: information leak in tkill/tgkill
The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
* An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.

CVE-2012-4398:
853474:
CVE-2012-4398 kernel: request_module() OOM local DoS
The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.
* It was found that a deadlock could occur in the Out of Memory (OOM) killer. A process could trigger this deadlock by consuming a large amount of memory, and then causing request_module() to be called. A local, unprivileged user could use this flaw to cause a denial of service (excessive memory consumption).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2141" id="CVE-2013-2141" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4162" id="CVE-2013-4162" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4387" id="CVE-2013-4387" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4398" id="CVE-2012-4398" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4299" id="CVE-2013-4299" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-tools-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-headers-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-debuginfo-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" 
release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-tools-debuginfo-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-devel-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-devel-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-debuginfo-common-i686-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-debuginfo-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-tools-debuginfo-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-headers-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-tools-3.4.66-55.43.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="55.43.amzn1" version="3.4.66"><filename>Packages/kernel-doc-3.4.66-55.43.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-234</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-234: important priority package update for 
xorg-x11-server</title><issued date="2013-10-23 15:21" /><updated date="2014-09-16 21:44" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4396:
A use-after-free flaw was found in the way the X.Org server handled ImageText requests. A malicious, authorized client could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396" id="CVE-2013-4396" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1426.html" id="RHSA-2013:1426" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xorg-x11-server-Xephyr" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xnest-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-source-1.13.0-11.18.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-common" release="11.18.amzn1" 
version="1.13.0"><filename>Packages/xorg-x11-server-common-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-debuginfo" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-11.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-common" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-common-1.13.0-11.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xnest" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xnest-1.13.0-11.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xvfb" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-11.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xephyr" release="11.18.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-11.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-235</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-235: critical priority package update for java-1.7.0-openjdk</title><issued date="2013-10-23 15:22" /><updated date="2014-09-16 21:45" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5851:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5850:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5849:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5842:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5840:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5838:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5830:
The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.

CVE-2013-5829:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5825:
Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.

CVE-2013-5823:
Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.

CVE-2013-5820:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5817:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5814:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5809:
Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.

CVE-2013-5804:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.

CVE-2013-5803:
The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit.

CVE-2013-5802:
The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions.

CVE-2013-5800:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5797:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.

CVE-2013-5790:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5784:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5783:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5782:
Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine.

CVE-2013-5780:
Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data.

CVE-2013-5778:
It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory.

CVE-2013-5774:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5772:
The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks.

CVE-2013-4002:
Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.

CVE-2013-3829:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802" id="CVE-2013-5802" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803" id="CVE-2013-5803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5800" id="CVE-2013-5800" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814" id="CVE-2013-5814" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817" id="CVE-2013-5817" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849" id="CVE-2013-5849" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" id="CVE-2013-5797" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809" id="CVE-2013-5809" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5851" id="CVE-2013-5851" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850" id="CVE-2013-5850" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790" id="CVE-2013-5790" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780" id="CVE-2013-5780" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783" id="CVE-2013-5783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829" id="CVE-2013-3829" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782" id="CVE-2013-5782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772" id="CVE-2013-5772" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5838" id="CVE-2013-5838" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774" id="CVE-2013-5774" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804" id="CVE-2013-5804" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778" id="CVE-2013-5778" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829" id="CVE-2013-5829" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002" id="CVE-2013-4002" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784" id="CVE-2013-5784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820" id="CVE-2013-5820" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840" id="CVE-2013-5840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823" id="CVE-2013-5823" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842" id="CVE-2013-5842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825" id="CVE-2013-5825" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830" id="CVE-2013-5830" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1451.html" id="RHSA-2013:1451" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" 
name="java-1.7.0-openjdk-devel" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.32.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.4.3.2.32.amzn1" version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.4.3.2.32.amzn1" 
version="1.7.0.45"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-236</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-236: medium priority package update for gnupg</title><issued date="2013-10-23 15:23" /><updated date="2014-09-16 21:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4402:
1015685:
CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS

CVE-2013-4351:
1010137:
CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351" id="CVE-2013-4351" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402" id="CVE-2013-4402" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg" release="1.21.amzn1" version="1.4.15"><filename>Packages/gnupg-1.4.15-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg-debuginfo" release="1.21.amzn1" version="1.4.15"><filename>Packages/gnupg-debuginfo-1.4.15-1.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg" release="1.21.amzn1" version="1.4.15"><filename>Packages/gnupg-1.4.15-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg-debuginfo" release="1.21.amzn1" version="1.4.15"><filename>Packages/gnupg-debuginfo-1.4.15-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-237</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-237: medium priority package update for gnupg2</title><issued date="2013-10-23 15:24" /><updated date="2014-09-16 21:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4402:
1015685:
CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS

CVE-2013-4351:
1010137:
CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the
subkey.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351" id="CVE-2013-4351" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402" id="CVE-2013-4402" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg2" release="1.24.amzn1" version="2.0.22"><filename>Packages/gnupg2-2.0.22-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-smime" release="1.24.amzn1" version="2.0.22"><filename>Packages/gnupg2-smime-2.0.22-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-debuginfo" release="1.24.amzn1" version="2.0.22"><filename>Packages/gnupg2-debuginfo-2.0.22-1.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-debuginfo" release="1.24.amzn1" version="2.0.22"><filename>Packages/gnupg2-debuginfo-2.0.22-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-smime" release="1.24.amzn1" version="2.0.22"><filename>Packages/gnupg2-smime-2.0.22-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2" release="1.24.amzn1" version="2.0.22"><filename>Packages/gnupg2-2.0.22-1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-238</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-238: important priority package update for mod_fcgid</title><issued date="2013-10-23 15:26" /><updated date="2014-09-16 21:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4365:
1017039:
CVE-2013-4365 mod_fcgid: heap overflow
</description><references><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365" id="CVE-2013-4365" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_fcgid" release="1.6.amzn1" version="2.3.9"><filename>Packages/mod_fcgid-2.3.9-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_fcgid-debuginfo" release="1.6.amzn1" version="2.3.9"><filename>Packages/mod_fcgid-debuginfo-2.3.9-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_fcgid-debuginfo" release="1.6.amzn1" version="2.3.9"><filename>Packages/mod_fcgid-debuginfo-2.3.9-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_fcgid" release="1.6.amzn1" version="2.3.9"><filename>Packages/mod_fcgid-2.3.9-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-239</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-239: important priority package update for mod24_fcgid</title><issued date="2013-10-23 15:26" /><updated date="2014-09-16 21:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4365:
1017039:
CVE-2013-4365 mod_fcgid: heap overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365" id="CVE-2013-4365" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_fcgid" release="1.7.amzn1" version="2.3.9"><filename>Packages/mod24_fcgid-2.3.9-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_fcgid-debuginfo" release="1.7.amzn1"
version="2.3.9"><filename>Packages/mod24_fcgid-debuginfo-2.3.9-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_fcgid-debuginfo" release="1.7.amzn1" version="2.3.9"><filename>Packages/mod24_fcgid-debuginfo-2.3.9-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_fcgid" release="1.7.amzn1" version="2.3.9"><filename>Packages/mod24_fcgid-2.3.9-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-240</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-240: low priority package update for mysql51</title><issued date="2013-11-03 12:08" /><updated date="2014-09-16 21:49" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3839:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1019978:
CVE-2013-3839 mysql: unspecified DoS related to Optimizer (CPU October 2013)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3839" id="CVE-2013-3839" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql51-common" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-common-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-embedded-devel-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-server" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-server-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-test-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-libs-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-bench-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-debuginfo-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-devel-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="1.64.amzn1"
version="5.1.72"><filename>Packages/mysql51-embedded-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-common-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-embedded-devel-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-devel-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-debuginfo-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-libs-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-embedded-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-bench" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-bench-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-test-5.1.72-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="1.64.amzn1" version="5.1.72"><filename>Packages/mysql51-server-5.1.72-1.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2013-241</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-241: medium priority package update for python26</title><issued date="2013-11-03 12:09" /><updated date="2015-06-22 10:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4238:
996381:
CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
A flaw was found in the way the Python SSL module handled X.509 certificate fields that contain a NULL byte. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts.
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVE-2013-1752:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
1046174:
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752" id="CVE-2013-1752" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238" id="CVE-2013-4238" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python26-tools" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-libs" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-devel" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-devel" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-1.40.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="0" name="python26-tools" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-debuginfo" release="1.40.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-242</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-242: medium priority package update for scipy</title><issued date="2013-11-03 12:09" /><updated date="2014-09-16 21:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4251:
916690:
CVE-2013-4251 scipy: weave /tmp and current directory issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4251" id="CVE-2013-4251" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="scipy-debuginfo" release="1.7.amzn1" version="0.12.1"><filename>Packages/scipy-debuginfo-0.12.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="scipy" release="1.7.amzn1" version="0.12.1"><filename>Packages/scipy-0.12.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="scipy" release="1.7.amzn1" version="0.12.1"><filename>Packages/scipy-0.12.1-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="scipy-debuginfo" release="1.7.amzn1"
version="0.12.1"><filename>Packages/scipy-debuginfo-0.12.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-243</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-243: low priority package update for python-crypto</title><issued date="2013-11-03 12:09" /><updated date="2014-09-16 21:51" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1445:
The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.
1020814:
CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1445" id="CVE-2013-1445" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python-crypto-debuginfo" release="1.7.amzn1" version="2.6.1"><filename>Packages/python-crypto-debuginfo-2.6.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python-crypto" release="1.7.amzn1" version="2.6.1"><filename>Packages/python-crypto-2.6.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python-crypto-debuginfo" release="1.7.amzn1" version="2.6.1"><filename>Packages/python-crypto-debuginfo-2.6.1-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python-crypto" release="1.7.amzn1"
version="2.6.1"><filename>Packages/python-crypto-2.6.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-244</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-244: medium priority package update for postgresql8</title><issued date="2013-11-03 12:09" /><updated date="2014-09-16 21:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1900:
A flaw was found in the way the pgcrypto contrib module of PostgreSQL (re)initialized its internal random number generator. This could lead to random numbers with less bits of entropy being used by certain pgcrypto functions, possibly allowing an attacker to conduct other attacks.

CVE-2013-0255:
An array index error, leading to a heap-based out-of-bounds buffer read flaw, was found in the way PostgreSQL performed certain error processing using enumeration types. An unprivileged database user could issue a specially crafted SQL query that, when processed by the server component of the PostgreSQL service, would lead to a denial of service (daemon crash) or disclosure of certain portions of server memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0255" id="CVE-2013-0255" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900" id="CVE-2013-1900" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1475.html" id="RHSA-2013:1475" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-plpython-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-libs-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-server-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-pltcl-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-devel-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-plperl-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-contrib-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs"
release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-docs-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-debuginfo-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-test-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-debuginfo-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-devel-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-libs-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-server-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-contrib-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-pltcl-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-plpython-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="1.39.amzn1" 
version="8.4.18"><filename>Packages/postgresql8-test-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-docs-8.4.18-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="1.39.amzn1" version="8.4.18"><filename>Packages/postgresql8-plperl-8.4.18-1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-245</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-245: medium priority package update for gc</title><issued date="2013-11-04 14:53" /><updated date="2014-09-16 21:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2746 CVE-2012-2673: 2747 It was discovered that gc's implementation of the malloc() and calloc() routines did not properly perform parameter sanitization when allocating memory. If an application using gc did not implement application-level validity checks for the malloc() and calloc() routines, a remote attacker could provide specially crafted application-specific input, which, when processed by the application, could lead to an application crash or, potentially, arbitrary code execution with the privileges of the user running the application. 
2748 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2673" id="CVE-2012-2673" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1500.html" id="RHSA-2013:1500" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gc" release="12.6.amzn1" version="7.1"><filename>Packages/gc-7.1-12.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gc-debuginfo" release="12.6.amzn1" version="7.1"><filename>Packages/gc-debuginfo-7.1-12.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gc-devel" release="12.6.amzn1" version="7.1"><filename>Packages/gc-devel-7.1-12.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gc-devel" release="12.6.amzn1" version="7.1"><filename>Packages/gc-devel-7.1-12.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gc" release="12.6.amzn1" version="7.1"><filename>Packages/gc-7.1-12.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gc-debuginfo" release="12.6.amzn1" version="7.1"><filename>Packages/gc-debuginfo-7.1-12.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-246</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-246: important priority package update for java-1.6.0-openjdk</title><issued date="2013-11-05 13:35" /><updated date="2014-09-16 21:54" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2749 CVE-2013-5850: 2750 Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5849:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5842:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5840:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5830:
The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.

CVE-2013-5829:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5825:
Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.

CVE-2013-5823:
Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.

CVE-2013-5820:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5817:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5814:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5809:
Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.

CVE-2013-5804:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.

CVE-2013-5803:
The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit.

CVE-2013-5802:
The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions.

CVE-2013-5797:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.

CVE-2013-5790:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5784:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5783:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5782:
Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine.

CVE-2013-5780:
Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data.

CVE-2013-5778:
It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory.

CVE-2013-5774:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5772:
The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks.

CVE-2013-4002:
Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.

CVE-2013-3829:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
2826 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802" id="CVE-2013-5802" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803" id="CVE-2013-5803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814" id="CVE-2013-5814" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817" id="CVE-2013-5817" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849" id="CVE-2013-5849" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" id="CVE-2013-5797" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809" id="CVE-2013-5809" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842" id="CVE-2013-5842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850" id="CVE-2013-5850" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790" id="CVE-2013-5790" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780" id="CVE-2013-5780" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783" id="CVE-2013-5783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829" id="CVE-2013-3829" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782" id="CVE-2013-5782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772" id="CVE-2013-5772" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774" id="CVE-2013-5774" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804" id="CVE-2013-5804" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778" id="CVE-2013-5778" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829" id="CVE-2013-5829" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002" id="CVE-2013-4002" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784" id="CVE-2013-5784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820" id="CVE-2013-5820" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840" id="CVE-2013-5840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823" id="CVE-2013-5823" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825" id="CVE-2013-5825" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830" id="CVE-2013-5830" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1505.html" id="RHSA-2013:1505" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="65.1.11.14.57.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="65.1.11.14.57.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="65.1.11.14.57.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-247</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-247: critical priority package update for ruby19</title><issued date="2013-11-22 21:42" /><updated date="2014-09-16 21:54" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2827 CVE-2013-4164: 2828 1033460: 2829 CVE-2013-4164 ruby: heap overflow in floating point parsing 2830 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164" id="CVE-2013-4164" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ruby19-irb" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-irb-1.9.3.484-31.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-doc-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="31.55.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-31.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="31.55.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-31.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19" release="31.55.amzn1" version="1.8.23"><filename>Packages/rubygems19-1.8.23-31.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19-devel" release="31.55.amzn1" 
version="1.8.23"><filename>Packages/rubygems19-devel-1.8.23-31.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="31.55.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-devel-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-debuginfo" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-debuginfo-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rake" release="31.55.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-31.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-libs-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="31.55.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-31.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="31.55.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-31.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="31.55.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="31.55.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="31.55.amzn1" 
version="1.9.3.484"><filename>Packages/ruby19-libs-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="31.55.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-debuginfo-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-doc-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="31.55.amzn1" version="1.9.3.484"><filename>Packages/ruby19-devel-1.9.3.484-31.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-248</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-248: critical priority package update for ruby</title><issued date="2013-11-22 21:42" /><updated date="2014-09-16 21:54" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2831 CVE-2013-4164: 2832 1033460: 2833 CVE-2013-4164 ruby: heap overflow in floating point parsing 2834 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164" id="CVE-2013-4164" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby-debuginfo" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-debuginfo-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="ruby-devel" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-devel-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-libs" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-libs-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-rdoc" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-rdoc-1.8.7.374-2.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-ri" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-ri-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby-static" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-static-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby-irb" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-irb-1.8.7.374-2.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby-debuginfo" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-debuginfo-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-devel" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-devel-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-libs" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-libs-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-static" release="2.11.amzn1" 
version="1.8.7.374"><filename>Packages/ruby-static-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby-ri" release="2.11.amzn1" version="1.8.7.374"><filename>Packages/ruby-ri-1.8.7.374-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-249</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-249: important priority package update for nginx</title><issued date="2013-12-02 20:27" /><updated date="2014-09-16 21:55" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2835 CVE-2013-4547: 2836 1032266: 2837 CVE-2013-4547 nginx: security restriction bypass flaw due to whitespace parsing 2838 nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. 
2839 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547" id="CVE-2013-4547" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx" release="1.14.amzn1" version="1.4.3"><filename>Packages/nginx-1.4.3-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="1.14.amzn1" version="1.4.3"><filename>Packages/nginx-debuginfo-1.4.3-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="1.14.amzn1" version="1.4.3"><filename>Packages/nginx-debuginfo-1.4.3-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="1.14.amzn1" version="1.4.3"><filename>Packages/nginx-1.4.3-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-250</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-250: low priority package update for augeas</title><issued date="2013-12-02 20:28" /><updated date="2014-09-16 21:55" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2840 CVE-2012-0787: 2841 Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable to by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack. 2842 2843 CVE-2012-0786: 2844 Multiple flaws were found in the way Augeas handled configuration files when updating them. 
An application using Augeas to update configuration files in a directory that is writable to by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack. 2845 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787" id="CVE-2012-0787" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786" id="CVE-2012-0786" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1537.html" id="RHSA-2013:1537" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="augeas-devel" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-devel-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="augeas" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="augeas-debuginfo" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-debuginfo-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="augeas-libs" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-libs-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="augeas-libs" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-libs-1.0.0-5.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="augeas-debuginfo" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-debuginfo-1.0.0-5.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="augeas" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-1.0.0-5.5.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="augeas-devel" release="5.5.amzn1" version="1.0.0"><filename>Packages/augeas-devel-1.0.0-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-251</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-251: medium priority package update for wireshark</title><issued date="2013-12-02 20:29" /><updated date="2014-09-16 22:04" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2846 CVE-2013-5721: 2847 Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2848 2849 CVE-2013-4936: 2850 Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2851 2852 CVE-2013-4935: 2853 Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2854 2855 CVE-2013-4934: 2856 Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2857 2858 CVE-2013-4933: 2859 Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2860 2861 CVE-2013-4932: 2862 Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. 2863 2864 CVE-2013-4931: 2865 Several denial of service flaws were found in Wireshark. 
Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-4927:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-4083:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

CVE-2013-4081:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-3561:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-3559:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

CVE-2013-3557:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-6062:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-6061:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-6060:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-6059:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-6056:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-5600:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-5599:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-5598:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-5597:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-5595:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-4292:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-4291:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-4290:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-4289:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-4288:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-4285:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-3825:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2012-2392:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
2938 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4931" id="CVE-2013-4931" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5598" id="CVE-2012-5598" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3825" id="CVE-2012-3825" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2392" id="CVE-2012-2392" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6056" id="CVE-2012-6056" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081" id="CVE-2013-4081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083" id="CVE-2013-4083" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6061" id="CVE-2012-6061" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6060" id="CVE-2012-6060" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6059" id="CVE-2012-6059" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4932" id="CVE-2013-4932" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4288" id="CVE-2012-4288" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4289" id="CVE-2012-4289" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4285" id="CVE-2012-4285" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3561" id="CVE-2013-3561" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4291" id="CVE-2012-4291" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4933" id="CVE-2013-4933" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4934" id="CVE-2013-4934" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6062" id="CVE-2012-6062" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4292" id="CVE-2012-4292" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721" id="CVE-2013-5721" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4290" id="CVE-2012-4290" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5599" id="CVE-2012-5599" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3559" id="CVE-2013-3559" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5597" id="CVE-2012-5597" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3557" id="CVE-2013-3557" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5595" id="CVE-2012-5595" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5600" id="CVE-2012-5600" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4935" id="CVE-2013-4935" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4927" id="CVE-2013-4927" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4936" id="CVE-2013-4936" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1569.html" id="RHSA-2013:1569" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" 
epoch="0" name="wireshark" release="4.12.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-debuginfo" release="4.12.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-devel" release="4.12.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-4.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wireshark" release="4.12.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-debuginfo" release="4.12.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-devel" release="4.12.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-4.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-252</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-252: medium priority package update for kernel</title><issued date="2013-12-02 20:30" /><updated date="2014-09-16 22:04" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2939 CVE-2013-4470: 2940 1023477: 2941 CVE-2013-4470 Kernel: net: memory corruption with UDP_CORK and UFO 2942 The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the 
ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. 2943 2944 CVE-2013-4348: 2945 1007939: 2946 CVE-2013-4348 kernel: net: deadloop path in skb_flow_dissect() 2947 The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation. 2948 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4470" id="CVE-2013-4470" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4348" id="CVE-2013-4348" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-tools-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-debuginfo-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-headers-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-devel-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="63.98.amzn1" 
version="3.4.71"><filename>Packages/kernel-tools-debuginfo-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-debuginfo-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-devel-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-debuginfo-common-i686-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-headers-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-tools-debuginfo-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-tools-3.4.71-63.98.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="63.98.amzn1" version="3.4.71"><filename>Packages/kernel-doc-3.4.71-63.98.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-253</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-253: medium priority package update for mod_nss</title><issued date="2013-12-03 13:00" /><updated date="2014-09-16 22:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2949 
CVE-2013-4566: 2950 A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided. 2951 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566" id="CVE-2013-4566" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1779.html" id="RHSA-2013:1779" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_nss" release="19.12.amzn1" version="1.0.8"><filename>Packages/mod_nss-1.0.8-19.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_nss-debuginfo" release="19.12.amzn1" version="1.0.8"><filename>Packages/mod_nss-debuginfo-1.0.8-19.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_nss" release="19.12.amzn1" version="1.0.8"><filename>Packages/mod_nss-1.0.8-19.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_nss-debuginfo" release="19.12.amzn1" version="1.0.8"><filename>Packages/mod_nss-debuginfo-1.0.8-19.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-254</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-254: medium priority package update for mod24_nss</title><issued date="2013-12-03 13:00" /><updated date="2014-09-16 22:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2952 CVE-2013-4566: 2953 A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the 
per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided. 2954 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566" id="CVE-2013-4566" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1779.html" id="RHSA-2013:1779" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_nss" release="24.17.amzn1" version="1.0.8"><filename>Packages/mod24_nss-1.0.8-24.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_nss-debuginfo" release="24.17.amzn1" version="1.0.8"><filename>Packages/mod24_nss-debuginfo-1.0.8-24.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_nss-debuginfo" release="24.17.amzn1" version="1.0.8"><filename>Packages/mod24_nss-debuginfo-1.0.8-24.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_nss" release="24.17.amzn1" version="1.0.8"><filename>Packages/mod24_nss-1.0.8-24.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-255</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-255: important priority package update for 389-ds-base</title><issued date="2013-12-11 20:32" /><updated date="2014-09-16 22:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2955 CVE-2013-4485: 2956 It was discovered that the 389 Directory Server did not properly handle certain Get Effective Rights (GER) search queries when the attribute list, which is a 
part of the query, included several names using the '@' character. An attacker able to submit search queries to the 389 Directory Server could cause it to crash. 2957 389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request. 2958 1024552: 2959 CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches 2960 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4485" id="CVE-2013-4485" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-debuginfo-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-libs-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-devel-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-devel-1.3.1.16-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-libs-1.3.1.16-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-1.3.1.16-1.8.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="389-ds-base-debuginfo" release="1.8.amzn1" version="1.3.1.16"><filename>Packages/389-ds-base-debuginfo-1.3.1.16-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-256</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-256: medium priority package update for openmpi</title><issued date="2013-12-11 20:32" /><updated date="2014-09-16 22:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2961 CVE-2013-2561: 2962 A flaw was found in the way ibutils handled temporary files. A local attacker could use this flaw to cause arbitrary files to be overwritten as the root user via a symbolic link attack. 2963 927430: 2964 CVE-2013-2561 ibutils: insecure handling of files in the /tmp directory 2965 OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary files via a symlink attack on (1) ibdiagnet.db, (2) ibdiagnet.fdbs, (3) ibdiagnet_ibis.log, (4) ibdiagnet.log, (5) ibdiagnet.lst, (6) ibdiagnet.mcfdbs, (7) ibdiagnet.pkey, (8) ibdiagnet.psl, (9) ibdiagnet.slvl, or (10) ibdiagnet.sm in /tmp/. 2966 2967 CVE-2012-4516: 2968 865483: 2969 CVE-2012-4516 librdmacm: Tried to connect to port 6125 if ibacm.port was not found 2970 It was discovered that librdmacm used a static port to connect to the ib_acm service. A local attacker able to run a specially crafted ib_acm service on that port could use this flaw to provide incorrect address resolution information to librmdacm applications. 2971 librdmacm 1.0.16, when ibacm.port is not specified, connects to port 6125, which allows remote attackers to specify the address resolution information for the application via a malicious ib_acm service. 
2972 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2561" id="CVE-2013-2561" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4516" id="CVE-2012-4516" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openmpi-debuginfo" release="2.24.amzn1" version="1.5.4"><filename>Packages/openmpi-debuginfo-1.5.4-2.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openmpi" release="2.24.amzn1" version="1.5.4"><filename>Packages/openmpi-1.5.4-2.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openmpi-devel" release="2.24.amzn1" version="1.5.4"><filename>Packages/openmpi-devel-1.5.4-2.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openmpi-debuginfo" release="2.24.amzn1" version="1.5.4"><filename>Packages/openmpi-debuginfo-1.5.4-2.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openmpi-devel" release="2.24.amzn1" version="1.5.4"><filename>Packages/openmpi-devel-1.5.4-2.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openmpi" release="2.24.amzn1" version="1.5.4"><filename>Packages/openmpi-1.5.4-2.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-257</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-257: medium priority package update for dracut</title><issued date="2013-12-11 20:33" /><updated date="2014-09-16 22:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2973 CVE-2012-4453: 2974 It was discovered that dracut created initramfs images as world readable. 
A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information. 2975 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4453" id="CVE-2012-4453" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1674.html" id="RHSA-2013:1674" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="dracut-tools" release="336.21.amzn1" version="004"><filename>Packages/dracut-tools-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut" release="336.21.amzn1" version="004"><filename>Packages/dracut-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut-caps" release="336.21.amzn1" version="004"><filename>Packages/dracut-caps-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut-kernel" release="336.21.amzn1" version="004"><filename>Packages/dracut-kernel-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut-fips" release="336.21.amzn1" version="004"><filename>Packages/dracut-fips-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut-generic" release="336.21.amzn1" version="004"><filename>Packages/dracut-generic-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut-fips-aesni" release="336.21.amzn1" version="004"><filename>Packages/dracut-fips-aesni-004-336.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="dracut-network" release="336.21.amzn1" version="004"><filename>Packages/dracut-network-004-336.21.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-258</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-258: low priority package update for kernel</title><issued date="2013-12-11 20:33" /><updated date="2014-09-16 22:08" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 2976 CVE-2013-6382: 2977 1033603: 2978 CVE-2013-6382 Kernel: fs: xfs: missing check for ZERO_SIZE_PTR 2979 Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. 2980 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382" id="CVE-2013-6382" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-debuginfo-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-headers-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-tools-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="kernel-debuginfo-common-x86_64" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-tools-debuginfo-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-devel-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-tools-debuginfo-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-debuginfo-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-debuginfo-common-i686-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-headers-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-tools-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="64.112.amzn1" version="3.4.73"><filename>Packages/kernel-devel-3.4.73-64.112.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="64.112.amzn1" 
version="3.4.73"><filename>Packages/kernel-doc-3.4.73-64.112.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-259</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-259: low priority package update for sudo</title><issued date="2013-12-11 20:34" /><updated date="2014-09-16 22:10" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2777:
It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.

CVE-2013-2776:
It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.

CVE-2013-1775:
A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775" id="CVE-2013-1775" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2777" id="CVE-2013-2777" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2776" id="CVE-2013-2776" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1701.html" id="RHSA-2013:1701" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="sudo-devel" release="12.17.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-12.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo" release="12.17.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-12.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-debuginfo" release="12.17.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-12.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sudo-devel" release="12.17.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-12.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo-debuginfo" release="12.17.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-12.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo" release="12.17.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-12.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-260</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-260: low priority package update for xorg-x11-server</title><issued date="2013-12-11 20:34" /><updated date="2014-09-16 22:09" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1940:
A flaw was found in the way the X.org X11 server registered new hot plugged devices. If a local user switched to a different session and plugged in a new device, input from that device could become available in the previous session, possibly leading to information disclosure.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940" id="CVE-2013-1940" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1620.html" id="RHSA-2013:1620" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xorg-x11-server-common" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-common-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xnest-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-source-1.13.0-23.0.23.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xephyr" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-common" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-common-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xephyr" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xnest" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xnest-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xvfb" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-debuginfo" release="23.0.23.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-23.0.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-261</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-261: low priority package update for coreutils</title><issued date="2013-12-11 20:34" /><updated date="2014-09-16 22:10" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0223:
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.

CVE-2013-0222:
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.

CVE-2013-0221:
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221" id="CVE-2013-0221" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223" id="CVE-2013-0223" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222" id="CVE-2013-0222" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1652.html" id="RHSA-2013:1652" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="coreutils-libs" release="31.17.amzn1" version="8.4"><filename>Packages/coreutils-libs-8.4-31.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="coreutils" release="31.17.amzn1" version="8.4"><filename>Packages/coreutils-8.4-31.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="coreutils-debuginfo" release="31.17.amzn1" version="8.4"><filename>Packages/coreutils-debuginfo-8.4-31.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="coreutils-libs" release="31.17.amzn1" version="8.4"><filename>Packages/coreutils-libs-8.4-31.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="coreutils" release="31.17.amzn1" version="8.4"><filename>Packages/coreutils-8.4-31.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="coreutils-debuginfo" release="31.17.amzn1" version="8.4"><filename>Packages/coreutils-debuginfo-8.4-31.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-262</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-262: critical priority package update for php</title><issued date="2013-12-17 21:29" /><updated date="2014-09-16 22:11" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6420:
1036830:
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420" id="CVE-2013-6420" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php-common" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-common-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mssql-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mysql-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-soap-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-odbc-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-recode-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="php-mysqlnd" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mysqlnd-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-xmlrpc-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-embedded-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-enchant" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-enchant-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-dba-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-cli-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-snmp-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mcrypt-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-pgsql-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-imap-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-pspell-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-bcmath-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php-devel" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-devel-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-fpm-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-ldap-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mbstring-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-gd-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-xml-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-debuginfo-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-tidy-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-pdo-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-intl-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-process-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.2.amzn1" 
version="5.3.28"><filename>Packages/php-mysqlnd-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-snmp-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-debuginfo-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-common-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-imap-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-fpm-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-enchant" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-enchant-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mcrypt-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mbstring-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-dba-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-odbc-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-ldap-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.2.amzn1" 
version="5.3.28"><filename>Packages/php-pgsql-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-soap-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-recode-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mysql-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-xml-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-pspell-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-mssql-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-bcmath-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-cli-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-process-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-embedded-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.2.amzn1" 
version="5.3.28"><filename>Packages/php-pdo-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-intl-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-xmlrpc-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-gd-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-tidy-5.3.28-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.2.amzn1" version="5.3.28"><filename>Packages/php-devel-5.3.28-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-263</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-263: critical priority package update for php54</title><issued date="2013-12-17 21:29" /><updated date="2014-09-16 22:11" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6420:
1036830:
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420" id="CVE-2013-6420" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-xml" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-xml-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-xmlrpc-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-gd-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-recode-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-pgsql-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mssql-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mcrypt-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-odbc-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-fpm-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-pspell-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap"
release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-soap-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-enchant-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-common-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-bcmath-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-cli-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-snmp-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-pdo-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mysql-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-embedded-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-intl-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-process-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php54-imap" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-imap-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-ldap-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-tidy-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-devel-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-dba-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-debuginfo-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mysqlnd-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mbstring-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-recode-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mysqlnd-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-enchant-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.49.amzn1" 
version="5.4.23"><filename>Packages/php54-common-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-xml-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-imap-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-tidy-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-process-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-snmp-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-gd-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-soap-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mssql-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-embedded-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-ldap-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.49.amzn1" 
version="5.4.23"><filename>Packages/php54-pgsql-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-fpm-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-odbc-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-pspell-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-devel-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-intl-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-pdo-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-cli-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mbstring-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mcrypt-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-xmlrpc-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-dba-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.49.amzn1" 
version="5.4.23"><filename>Packages/php54-bcmath-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-mysql-5.4.23-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.49.amzn1" version="5.4.23"><filename>Packages/php54-debuginfo-5.4.23-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-264</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-264: critical priority package update for php55</title><issued date="2013-12-17 21:29" /><updated date="2014-09-16 22:11" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6420:
1036830:
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420" id="CVE-2013-6420" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-cli" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-cli-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-gd-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-recode-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-fpm-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mssql-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-dba-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-soap-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-snmp-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-embedded-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.61.amzn1"
version="5.5.7"><filename>Packages/php55-imap-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-opcache-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mcrypt-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-pspell-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-xml-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-pgsql-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-intl-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-gmp-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-process-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-odbc-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-tidy-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-ldap-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" 
release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mbstring-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-common-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-bcmath-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-devel-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-pdo-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-xmlrpc-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mysqlnd-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-enchant-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-debuginfo-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-gd-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-pspell-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-ldap-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-cli" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-cli-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-process-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-tidy-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-recode-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-snmp-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-pgsql-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mysqlnd-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-imap-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-pdo-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-debuginfo-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-odbc-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-fpm-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" 
release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-opcache-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-bcmath-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-soap-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-common-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-devel-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-xml-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-intl-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-embedded-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-gmp-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-enchant-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mbstring-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mcrypt-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.61.amzn1" 
version="5.5.7"><filename>Packages/php55-dba-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-mssql-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-xmlrpc-5.5.7-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.61.amzn1" version="5.5.7"><filename>Packages/php55-5.5.7-1.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-265</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-265: important priority package update for nss</title><issued date="2013-12-17 21:31" /><updated date="2014-09-16 22:12" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5607:
An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.

CVE-2013-5606:
It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate.

CVE-2013-5605:
A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2013-1741:
An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems.
A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.

CVE-2013-1739:
It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash.

CVE-2013-1620:
It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741" id="CVE-2013-1741" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739" id="CVE-2013-1739" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605" id="CVE-2013-5605" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606" id="CVE-2013-5606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607" id="CVE-2013-5607" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" id="CVE-2013-1620" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1829.html" id="RHSA-2013:1829" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-debuginfo" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-debuginfo-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-devel-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools"
release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-tools-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-pkcs11-devel-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-sysinit-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-3.15.3-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-devel-3.15.3-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-debuginfo-3.15.3-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-sysinit-3.15.3-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-tools-3.15.3-2.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="2.31.amzn1" version="3.15.3"><filename>Packages/nss-pkcs11-devel-3.15.3-2.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-266</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-266: important priority package update for nspr</title><issued date="2013-12-17 21:31" /><updated date="2014-09-16 22:12" /><severity>important</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5607:
An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.

CVE-2013-5606:
It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate.

CVE-2013-5605:
A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2013-1741:
An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.

CVE-2013-1739:
It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash.

CVE-2013-1620:
It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741" id="CVE-2013-1741" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739" id="CVE-2013-1739" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605" id="CVE-2013-5605" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606" id="CVE-2013-5606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607" id="CVE-2013-5607" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" id="CVE-2013-1620" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1829.html" id="RHSA-2013:1829" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nspr-debuginfo" release="1.19.amzn1" version="4.10.2"><filename>Packages/nspr-debuginfo-4.10.2-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-devel" release="1.19.amzn1" version="4.10.2"><filename>Packages/nspr-devel-4.10.2-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr" release="1.19.amzn1" version="4.10.2"><filename>Packages/nspr-4.10.2-1.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nspr-debuginfo" release="1.19.amzn1" version="4.10.2"><filename>Packages/nspr-debuginfo-4.10.2-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr-devel" release="1.19.amzn1" version="4.10.2"><filename>Packages/nspr-devel-4.10.2-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr" release="1.19.amzn1" version="4.10.2"><filename>Packages/nspr-4.10.2-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-267</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-267: medium priority package update for libjpeg-turbo</title><issued date="2013-12-17 21:32" /><updated date="2014-09-16 22:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6630:
An uninitialized memory read issue was found in the way libjpeg-turbo decoded images with missing Start Of Scan (SOS) JPEG markers or Define Huffman Table (DHT) JPEG markers. A remote attacker could create a specially crafted JPEG image that, when decoded, could possibly lead to a disclosure of potentially sensitive information.

CVE-2013-6629:
An uninitialized memory read issue was found in the way libjpeg-turbo decoded images with missing Start Of Scan (SOS) JPEG markers or Define Huffman Table (DHT) JPEG markers. A remote attacker could create a specially crafted JPEG image that, when decoded, could possibly lead to a disclosure of potentially sensitive information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630" id="CVE-2013-6630" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629" id="CVE-2013-6629" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1803.html" id="RHSA-2013:1803" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libjpeg-turbo-static" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-static-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-debuginfo" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-debuginfo-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-devel" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-devel-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="turbojpeg-devel" release="3.4.amzn1" version="1.2.1"><filename>Packages/turbojpeg-devel-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-utils" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-utils-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="turbojpeg" release="3.4.amzn1" version="1.2.1"><filename>Packages/turbojpeg-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-static" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-static-1.2.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-debuginfo" release="3.4.amzn1"
version="1.2.1"><filename>Packages/libjpeg-turbo-debuginfo-1.2.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-utils" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-utils-1.2.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="turbojpeg" release="3.4.amzn1" version="1.2.1"><filename>Packages/turbojpeg-1.2.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="turbojpeg-devel" release="3.4.amzn1" version="1.2.1"><filename>Packages/turbojpeg-devel-1.2.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-devel" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-devel-1.2.1-3.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo" release="3.4.amzn1" version="1.2.1"><filename>Packages/libjpeg-turbo-1.2.1-3.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-268</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-268: medium priority package update for ganglia</title><issued date="2013-12-17 21:39" /><updated date="2014-09-16 22:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6395:
1034527:
CVE-2013-6395 ganglia: cross-site scripting flaw in the web interface
Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web 3.5.8 and 3.5.10 allows remote attackers to inject arbitrary web script or HTML via the host_regex parameter to the default URI, which is processed by get_context.php.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6395" id="CVE-2013-6395" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ganglia-gmond" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-gmond-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-devel" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-devel-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-debuginfo" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-debuginfo-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-gmond-python" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-gmond-python-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-web" release="3.6.amzn1" version="3.5.10"><filename>Packages/ganglia-web-3.5.10-3.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-gmetad" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-gmetad-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-web" release="3.6.amzn1" version="3.5.10"><filename>Packages/ganglia-web-3.5.10-3.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-gmond-python" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-gmond-python-3.6.0-3.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-gmetad" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-gmetad-3.6.0-3.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="ganglia-gmond" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-gmond-3.6.0-3.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-devel" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-devel-3.6.0-3.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-3.6.0-3.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-debuginfo" release="3.6.amzn1" version="3.6.0"><filename>Packages/ganglia-debuginfo-3.6.0-3.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-269</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-269: medium priority package update for subversion</title><issued date="2013-12-17 21:39" /><updated date="2014-09-16 22:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4558:
The get_parent_resource function in repos.c in mod_dav_svn Apache HTTPD server module in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
1033431:
CVE-2013-4558 subversion: mod_dav_svn assertion when handling certain requests with autoversioning enabled

CVE-2013-4505:
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.
1033995:
CVE-2013-4505 subversion: mod_dontdothat does not block requests from certain clients
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505" id="CVE-2013-4505" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558" id="CVE-2013-4558" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-devel" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-devel-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-perl-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-ruby-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-debuginfo-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-javahl-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.36.amzn1" version="1.7.14"><filename>Packages/mod_dav_svn-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-libs-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.36.amzn1"
version="1.7.14"><filename>Packages/subversion-tools-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-python-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-ruby-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-javahl-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-tools-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-libs-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-devel-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.36.amzn1" version="1.7.14"><filename>Packages/mod_dav_svn-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-perl-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python" release="1.36.amzn1" version="1.7.14"><filename>Packages/subversion-python-1.7.14-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.36.amzn1" 
version="1.7.14"><filename>Packages/subversion-debuginfo-1.7.14-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2013-270</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-270: medium priority package update for glibc</title><issued date="2013-12-17 21:39" /><updated date="2014-09-16 22:16" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4332:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign). If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2013-1914:
It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.

CVE-2013-0242:
A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242" id="CVE-2013-0242" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914" id="CVE-2013-1914" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332" id="CVE-2013-4332" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1605.html" id="RHSA-2013:1605" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="1.132.45.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="1.132.45.amzn1"
version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-utils-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-common-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-common-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-headers-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-static-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-debuginfo-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="1.132.45.amzn1" version="2.12"><filename>Packages/nscd-2.12-1.132.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="1.132.45.amzn1" version="2.12"><filename>Packages/glibc-devel-2.12-1.132.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2014-271</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-271: important priority package update for openjpeg</title><issued date="2014-01-14 15:55" /><updated date="2014-09-16 22:15" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6054:
Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2013-6052:
Multiple denial of service flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash

CVE-2013-6045:
Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application.

CVE-2013-1447:
Multiple denial of service flaws were found in OpenJPEG.
An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6054" id="CVE-2013-6054" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447" id="CVE-2013-1447" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045" id="CVE-2013-6045" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052" id="CVE-2013-6052" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1850.html" id="RHSA-2013:1850" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openjpeg" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-10.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-debuginfo" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-10.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-devel" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-10.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-libs" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-10.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-libs" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-10.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-devel" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-10.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-debuginfo" release="10.7.amzn1"
version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-10.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg" release="10.7.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-10.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-272</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-272: important priority package update for pixman</title><issued date="2014-01-14 15:56" /><updated date="2014-09-16 22:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6425:
An integer overflow, which led to a heap-based buffer overflow, was found in the way pixman handled trapezoids. If a remote attacker could trick an application using pixman into rendering a trapezoid shape with specially crafted coordinates, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6425" id="CVE-2013-6425" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1869.html" id="RHSA-2013:1869" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pixman-debuginfo" release="5.10.amzn1" version="0.26.2"><filename>Packages/pixman-debuginfo-0.26.2-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pixman" release="5.10.amzn1" version="0.26.2"><filename>Packages/pixman-0.26.2-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pixman-devel" release="5.10.amzn1" version="0.26.2"><filename>Packages/pixman-devel-0.26.2-5.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pixman" release="5.10.amzn1" version="0.26.2"><filename>Packages/pixman-0.26.2-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pixman-debuginfo" release="5.10.amzn1" version="0.26.2"><filename>Packages/pixman-debuginfo-0.26.2-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pixman-devel" release="5.10.amzn1" version="0.26.2"><filename>Packages/pixman-devel-0.26.2-5.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-273</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-273: important priority package update for openssl</title><issued date="2014-01-14 15:56" /><updated date="2014-09-16 22:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6450:
1047840:
CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
It was discovered that the Datagram
Transport Layer Security (DTLS) protocol implementation in OpenSSL did not properly maintain encryption and digest contexts during renegotiation. A lost or discarded renegotiation handshake packet could cause a DTLS client or server using OpenSSL to crash.
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

CVE-2013-6449:
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
A flaw was found in the way OpenSSL determined which hashing algorithm to use when TLS protocol version 1.2 was enabled. This could possibly cause OpenSSL to use an incorrect hashing algorithm, leading to a crash of an application using the library.
1045363:
CVE-2013-6449 openssl: crash when using TLS 1.2 caused by use of incorrect hash algorithm

CVE-2013-4353:
A NULL pointer dereference flaw was found in the way OpenSSL handled TLS/SSL protocol handshake packets. A specially crafted handshake packet could cause a TLS/SSL client using OpenSSL to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450" id="CVE-2013-6450" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353" id="CVE-2013-4353" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449" id="CVE-2013-6449" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0015.html" id="RHSA-2014:0015" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-debuginfo-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-static-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-perl-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-devel-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-static-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-perl-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="openssl-devel" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-devel-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="4.55.amzn1" version="1.0.1e"><filename>Packages/openssl-debuginfo-1.0.1e-4.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-274</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-274: medium priority package update for nss</title><issued date="2014-01-14 15:56" /><updated date="2014-09-16 22:17" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2013:1861.html" id="RHSA-2013:1861" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-tools" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-tools-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-devel-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-pkcs11-devel-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-sysinit-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-debuginfo-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="3.32.amzn1" 
version="3.15.3"><filename>Packages/nss-tools-3.15.3-3.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-debuginfo-3.15.3-3.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-sysinit-3.15.3-3.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-devel-3.15.3-3.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-pkcs11-devel-3.15.3-3.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="3.32.amzn1" version="3.15.3"><filename>Packages/nss-3.15.3-3.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-275</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-275: medium priority package update for munin</title><issued date="2014-01-14 15:57" /><updated date="2014-09-16 22:18" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6359:
1037888:
CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name.

CVE-2013-6048:
The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data.
1037888:
CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048" id="CVE-2013-6048" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359" id="CVE-2013-6359" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="munin-cgi" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-cgi-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-common" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-common-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-node" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-node-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-nginx" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-nginx-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-netip-plugins" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-netip-plugins-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-java-plugins" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-java-plugins-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-async" release="1.32.amzn1" version="2.0.19"><filename>Packages/munin-async-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-ruby-plugins" release="1.32.amzn1"
version="2.0.19"><filename>Packages/munin-ruby-plugins-2.0.19-1.32.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-276</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-276: medium priority package update for varnish</title><issued date="2014-01-14 16:09" /><updated date="2014-09-16 22:18" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4484:
1025127:
CVE-2013-4484 varnish: denial of service handling certain GET requests
Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI.

CVE-2013-0345:
915412:
CVE-2013-0345 varnish: world-readable log files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4484" id="CVE-2013-4484" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0345" id="CVE-2013-0345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="varnish-libs-devel" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-libs-devel-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish-libs" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-libs-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish-docs" release="1.14.amzn1"
version="3.0.5"><filename>Packages/varnish-docs-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish-debuginfo" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-debuginfo-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="varnish-debuginfo" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-debuginfo-3.0.5-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish-docs" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-docs-3.0.5-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish-libs-devel" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-libs-devel-3.0.5-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish-libs" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-libs-3.0.5-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish" release="1.14.amzn1" version="3.0.5"><filename>Packages/varnish-3.0.5-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-277</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-277: important priority package update for xorg-x11-server</title><issued date="2014-01-14 16:16" /><updated date="2014-09-16 22:19" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6424:
An integer overflow, which led to a heap-based buffer overflow, was found in the way X.Org server handled trapezoids. A malicious, authorized client could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6424" id="CVE-2013-6424" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1868.html" id="RHSA-2013:1868" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xorg-x11-server-devel" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-devel-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xephyr" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-common" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-common-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xnest-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xorg" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xorg-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-source-1.13.0-23.1.36.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xdmx"
release="23.1.36.amzn1" version="1.13.0"><filename>Packages/xorg-x11-server-Xdmx-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-278</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-278: medium priority package update for gnupg</title><issued date="2014-01-14 16:18" /><updated date="2014-09-16 22:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4576:
1043327:
CVE-2013-4576 gnupg: RSA secret key recovery via acoustic cryptanalysis
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576" id="CVE-2013-4576" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg-debuginfo" release="2.23.amzn1" version="1.4.16"><filename>Packages/gnupg-debuginfo-1.4.16-2.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg" release="2.23.amzn1" version="1.4.16"><filename>Packages/gnupg-1.4.16-2.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg" release="2.23.amzn1" version="1.4.16"><filename>Packages/gnupg-1.4.16-2.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg-debuginfo" release="2.23.amzn1" version="1.4.16"><filename>Packages/gnupg-debuginfo-1.4.16-2.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-279</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-279: medium priority package update for quagga</title><issued date="2014-01-14 17:02" /><updated date="2014-09-16 22:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6051:
The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.
1043370:
CVE-2013-6051 quagga: bgp crash when receiving bgp updates
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6051" id="CVE-2013-6051" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="quagga-contrib" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-contrib-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-debuginfo" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-debuginfo-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-devel" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-devel-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="quagga-devel" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-devel-0.99.21-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-contrib" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-contrib-0.99.21-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-0.99.21-6.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-debuginfo" release="6.12.amzn1" version="0.99.21"><filename>Packages/quagga-debuginfo-0.99.21-6.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-280</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-280: critical priority package update for java-1.7.0-openjdk</title><issued
date="2014-01-15 10:28" /><updated date="2014-09-16 22:20" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0428:
Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0423:
It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability.

CVE-2014-0422:
Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0416:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0411:
It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys.

CVE-2014-0376:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0373:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0368:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5910:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5907:
An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.

CVE-2013-5896:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5893:
Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2013-5884:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5878:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
3187 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368" id="CVE-2014-0368" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411" id="CVE-2014-0411" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878" id="CVE-2013-5878" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910" id="CVE-2013-5910" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416" id="CVE-2014-0416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373" id="CVE-2014-0373" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5893" id="CVE-2013-5893" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907" id="CVE-2013-5907" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884" id="CVE-2013-5884" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896" id="CVE-2013-5896" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428" id="CVE-2014-0428" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422" id="CVE-2014-0422" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376" id="CVE-2014-0376" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423" id="CVE-2014-0423" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0026.html" id="RHSA-2014:0026" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.4.4.1.34.amzn1" 
version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.34.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.4.4.1.34.amzn1" 
version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.4.4.1.34.amzn1" version="1.7.0.51"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-281</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-281: medium priority package update for ca-certificates</title><issued date="2014-01-15 11:58" /><updated date="2014-09-16 22:20" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2013:1866.html" id="RHSA-2013:1866" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ca-certificates" release="3.12.amzn1" version="2012.1.95"><filename>Packages/ca-certificates-2012.1.95-3.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-282</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-282: important priority package update for libXfont</title><issued date="2014-02-03 15:26" /><updated date="2014-09-16 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6462:
A stack-based buffer overflow flaw was found in the way the libXfont library parsed Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6462" id="CVE-2013-6462" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0018.html" id="RHSA-2014:0018" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libXfont-devel" release="3.8.amzn1" version="1.4.5"><filename>Packages/libXfont-devel-1.4.5-3.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfont-debuginfo" release="3.8.amzn1" version="1.4.5"><filename>Packages/libXfont-debuginfo-1.4.5-3.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfont" release="3.8.amzn1" version="1.4.5"><filename>Packages/libXfont-1.4.5-3.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXfont-devel" release="3.8.amzn1" version="1.4.5"><filename>Packages/libXfont-devel-1.4.5-3.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfont" release="3.8.amzn1" version="1.4.5"><filename>Packages/libXfont-1.4.5-3.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfont-debuginfo" release="3.8.amzn1" version="1.4.5"><filename>Packages/libXfont-debuginfo-1.4.5-3.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-283</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-283: important priority package update for java-1.6.0-openjdk</title><issued date="2014-02-03 15:27" /><updated date="2014-09-16 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0428:
Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0423:
It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability.

CVE-2014-0422:
Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0416:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0411:
It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys.

CVE-2014-0376:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0373:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0368:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5910:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5907:
An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.

CVE-2013-5896:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5884:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2013-5878:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368" id="CVE-2014-0368" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411" id="CVE-2014-0411" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878" id="CVE-2013-5878" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910" id="CVE-2013-5910" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416" id="CVE-2014-0416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373" id="CVE-2014-0373" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907" id="CVE-2013-5907" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884" id="CVE-2013-5884" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896" id="CVE-2013-5896" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428" id="CVE-2014-0428" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422" id="CVE-2014-0422" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376" id="CVE-2014-0376" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423" id="CVE-2014-0423" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0097.html" id="RHSA-2014:0097" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="66.1.13.1.62.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="66.1.13.1.62.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="66.1.13.1.62.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-284</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-284: medium priority package update for graphviz</title><issued date="2014-02-03 15:27" /><updated date="2014-09-16 22:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" id="CVE-2014-0978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-tcl" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-tcl-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-gd" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-gd-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-ruby" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-ruby-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-debuginfo" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-debuginfo-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-devel" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-devel-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-doc" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-doc-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-php54" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-php54-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-perl" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-perl-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-java" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-java-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-R" release="6.30.amzn1" 
version="2.30.1"><filename>Packages/graphviz-R-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-graphs" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-graphs-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-python" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-python-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-lua" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-lua-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-guile" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-guile-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php54" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-php54-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-perl" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-perl-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-lua" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-lua-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-guile" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-guile-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-gd" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-gd-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-ruby" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-ruby-2.30.1-6.30.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="graphviz-python" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-python-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-graphs" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-graphs-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-debuginfo" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-debuginfo-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-tcl" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-tcl-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-devel" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-devel-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-R" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-R-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-doc" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-doc-2.30.1-6.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-java" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-java-2.30.1-6.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-285</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-285: medium priority package update for graphviz-php</title><issued date="2014-02-03 15:27" /><updated date="2014-09-16 22:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 
CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" id="CVE-2014-0978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-php" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-php-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php" release="6.30.amzn1" version="2.30.1"><filename>Packages/graphviz-php-2.30.1-6.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-286</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-286: medium priority package update for augeas</title><issued date="2014-02-03 15:28" /><updated date="2014-09-16 22:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6412:
A flaw was found in the way Augeas handled certain umask settings when creating new configuration files. This flaw could result in configuration files being created as world writable, allowing unprivileged local users to modify their content.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412" id="CVE-2013-6412" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0044.html" id="RHSA-2014:0044" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="augeas" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="augeas-devel" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-devel-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="augeas-libs" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-libs-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="augeas-debuginfo" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-debuginfo-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="augeas" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-1.0.0-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="augeas-debuginfo" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-debuginfo-1.0.0-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="augeas-devel" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-devel-1.0.0-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="augeas-libs" release="5.7.amzn1" version="1.0.0"><filename>Packages/augeas-libs-1.0.0-5.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-287</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-287: medium priority package update for bind</title><issued date="2014-02-03 15:28" /><updated date="2014-09-16 
22:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0591:
A denial of service flaw was found in the way BIND handled queries for NSEC3-signed zones. A remote attacker could use this flaw against an authoritative name server that served NCES3-signed zones by sending a specially crafted query, which, when processed, would cause named to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591" id="CVE-2014-0591" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0043.html" id="RHSA-2014:0043" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.23.rc1.32.amzn1" 
version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.23.rc1.32.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-288</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-288: low priority package update for puppet</title><issued date="2014-02-03 15:28" /><updated date="2014-09-16 22:31" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3246 CVE-2013-4969: 3247 Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on 
unspecified files.
1045212:
CVE-2013-4969 Puppet: Unsafe use of Temp files in File type
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969" id="CVE-2013-4969" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="puppet-debuginfo" release="1.2.amzn1" version="2.7.25"><filename>Packages/puppet-debuginfo-2.7.25-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet" release="1.2.amzn1" version="2.7.25"><filename>Packages/puppet-2.7.25-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="puppet-server" release="1.2.amzn1" version="2.7.25"><filename>Packages/puppet-server-2.7.25-1.2.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="puppet" release="1.2.amzn1" version="2.7.25"><filename>Packages/puppet-2.7.25-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-server" release="1.2.amzn1" version="2.7.25"><filename>Packages/puppet-server-2.7.25-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="puppet-debuginfo" release="1.2.amzn1" version="2.7.25"><filename>Packages/puppet-debuginfo-2.7.25-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-289</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-289: medium priority package update for kernel</title><issued date="2014-02-26 14:26" /><updated date="2014-09-16 22:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1874:
1062356:
CVE-2014-1874 Kernel: SELinux: local denial-of-service

CVE-2014-0069:
1064253:
CVE-2014-0069 kernel: cifs: incorrect handling of bogus user pointers during uncached writes

CVE-2013-7265:
The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
1035875:
CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls

CVE-2013-7263:
The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.
1035875:
CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265" id="CVE-2013-7265" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874" id="CVE-2014-1874" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263" id="CVE-2013-7263" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069" id="CVE-2014-0069" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-headers-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="69.112.amzn1" 
version="3.4.82"><filename>Packages/kernel-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-tools-debuginfo-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-devel-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-debuginfo-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-tools-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-tools-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-tools-debuginfo-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-headers-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-debuginfo-common-i686-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" 
release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-devel-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-debuginfo-3.4.82-69.112.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="69.112.amzn1" version="3.4.82"><filename>Packages/kernel-doc-3.4.82-69.112.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-290</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-290: medium priority package update for ruby19</title><issued date="2014-02-26 14:27" /><updated date="2014-09-16 22:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4363:
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
1009720:
CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363" id="CVE-2013-4363" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="32.60.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="32.60.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-doc-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-devel-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rake" release="32.60.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-32.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="32.60.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-32.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19-devel" release="32.60.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-devel-1.8.23.2-32.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="32.60.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-32.60.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-debuginfo" release="32.60.amzn1"
version="1.9.3.545"><filename>Packages/ruby19-debuginfo-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-libs-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19" release="32.60.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-1.8.23.2-32.60.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="32.60.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby19-irb" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-irb-1.9.3.545-32.60.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="32.60.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-doc-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="32.60.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-libs-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="32.60.amzn1" 
version="1.9.3.545"><filename>Packages/ruby19-debuginfo-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="32.60.amzn1" version="1.9.3.545"><filename>Packages/ruby19-devel-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="32.60.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-291</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-291: important priority package update for libyaml</title><issued date="2014-02-26 14:27" /><updated date="2014-09-16 22:32" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6393:
1033990:
CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393" id="CVE-2013-6393" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libyaml-debuginfo" release="6.5.amzn1" version="0.1.4"><filename>Packages/libyaml-debuginfo-0.1.4-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libyaml" release="6.5.amzn1" version="0.1.4"><filename>Packages/libyaml-0.1.4-6.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libyaml-devel" release="6.5.amzn1" version="0.1.4"><filename>Packages/libyaml-devel-0.1.4-6.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libyaml-devel" release="6.5.amzn1" version="0.1.4"><filename>Packages/libyaml-devel-0.1.4-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libyaml-debuginfo" release="6.5.amzn1" version="0.1.4"><filename>Packages/libyaml-debuginfo-0.1.4-6.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libyaml" release="6.5.amzn1" version="0.1.4"><filename>Packages/libyaml-0.1.4-6.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-292</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-292: medium priority package update for python26</title><issued date="2014-02-26 14:28" /><updated date="2014-09-16 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1912:
1062370:
CVE-2014-1912 python: buffer overflow in socket.recvfrom_into()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912" id="CVE-2014-1912" title="" type="cve" /></references><pkglist><collection
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python26-devel" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-tools" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-libs" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-devel" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-debuginfo" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-tools" 
release="1.43.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-293</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-293: medium priority package update for python27</title><issued date="2014-02-26 14:28" /><updated date="2014-09-16 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1912:
1062370:
CVE-2014-1912 python: buffer overflow in socket.recvfrom_into()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912" id="CVE-2014-1912" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-tools" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-tools-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-libs-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-devel-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-debuginfo-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-test-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package
arch="i686" epoch="0" name="python27-tools" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-tools-2.7.5-11.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-test-2.7.5-11.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-2.7.5-11.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-debuginfo-2.7.5-11.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-libs-2.7.5-11.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="11.32.amzn1" version="2.7.5"><filename>Packages/python27-devel-2.7.5-11.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-294</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-294: medium priority package update for openldap</title><issued date="2014-02-26 16:22" /><updated date="2014-09-16 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4449:
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
1019490:
CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4449" id="CVE-2013-4449" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openldap-servers" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-clients" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-devel" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-debuginfo" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers-sql" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers-sql" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-34.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-devel" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-34.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-debuginfo" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-34.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap"
release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-34.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-34.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-clients" release="34.23.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-34.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-295</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-295: medium priority package update for curl</title><issued date="2014-02-26 16:51" /><updated date="2014-09-16 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0015:
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
1053903:
CVE-2014-0015 curl: re-use of wrong HTTP NTLM connection in libcurl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015" id="CVE-2014-0015" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="2.42.amzn1" version="7.35.0"><filename>Packages/curl-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="2.42.amzn1" version="7.35.0"><filename>Packages/curl-debuginfo-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="2.42.amzn1" version="7.35.0"><filename>Packages/libcurl-devel-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="2.42.amzn1" version="7.35.0"><filename>Packages/libcurl-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="2.42.amzn1" version="7.35.0"><filename>Packages/curl-7.35.0-2.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="2.42.amzn1" version="7.35.0"><filename>Packages/libcurl-7.35.0-2.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="2.42.amzn1" version="7.35.0"><filename>Packages/libcurl-devel-7.35.0-2.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="2.42.amzn1" version="7.35.0"><filename>Packages/curl-debuginfo-7.35.0-2.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-296</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-296: medium priority package update for graphviz</title><issued date="2014-03-06 14:55" /><updated date="2014-09-16 22:35"
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1236:
1050872:
CVE-2014-1236 graphviz: buffer overflow vulnerability
Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "long digit list."

CVE-2014-1235:
1050871:
CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978

CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1235" id="CVE-2014-1235" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236" id="CVE-2014-1236" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" id="CVE-2014-0978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-guile" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-guile-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-gd" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-gd-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-doc" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-doc-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-R" release="12.39.amzn1"
version="2.30.1"><filename>Packages/graphviz-R-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-ruby" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-ruby-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-lua" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-lua-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-tcl" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-tcl-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-java" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-java-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-debuginfo" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-debuginfo-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-perl" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-perl-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-graphs" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-graphs-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-devel" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-devel-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-python" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-python-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-php54" release="12.39.amzn1" 
version="2.30.1"><filename>Packages/graphviz-php54-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-lua" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-lua-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-java" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-java-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-python" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-python-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-ruby" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-ruby-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-guile" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-guile-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php54" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-php54-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-tcl" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-tcl-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-gd" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-gd-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-doc" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-doc-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-graphs" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-graphs-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-devel" release="12.39.amzn1" 
version="2.30.1"><filename>Packages/graphviz-devel-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-debuginfo" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-debuginfo-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-perl" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-perl-2.30.1-12.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-R" release="12.39.amzn1" version="2.30.1"><filename>Packages/graphviz-R-2.30.1-12.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-297</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-297: medium priority package update for graphviz-php</title><issued date="2014-03-06 14:55" /><updated date="2014-09-16 22:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3311 CVE-2014-1236: 3312 1050872: 3313 CVE-2014-1236 graphviz: buffer overflow vulnerability 3314 Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "long digit list." 3315 3316 CVE-2014-1235: 3317 1050871: 3318 CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978 3319 3320 CVE-2014-0978: 3321 Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file. 
3322 1049165: 3323 CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror() 3324 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1235" id="CVE-2014-1235" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236" id="CVE-2014-1236" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" id="CVE-2014-0978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-php" release="12.37.amzn1" version="2.30.1"><filename>Packages/graphviz-php-2.30.1-12.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php" release="12.37.amzn1" version="2.30.1"><filename>Packages/graphviz-php-2.30.1-12.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-298</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-298: medium priority package update for mysql51</title><issued date="2014-03-06 14:56" /><updated date="2014-09-16 22:37" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3325 CVE-2014-0437: 3326 This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 3327 3328 CVE-2014-0412: 3329 This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 3330 3331 CVE-2014-0402: 3332 This update fixes several vulnerabilities in the MySQL database server. 
Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 3333 3334 CVE-2014-0401: 3335 This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 3336 3337 CVE-2014-0393: 3338 This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 3339 3340 CVE-2014-0386: 3341 This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 3342 3343 CVE-2014-0001: 3344 A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client. 3345 3346 CVE-2013-5908: 3347 This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0412" id="CVE-2014-0412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0437" id="CVE-2014-0437" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5908" id="CVE-2013-5908" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0393" id="CVE-2014-0393" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0386" id="CVE-2014-0386" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001" id="CVE-2014-0001" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0401" id="CVE-2014-0401" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0402" id="CVE-2014-0402" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0164.html" id="RHSA-2014:0164" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql51-server" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-server-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-libs-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-test-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-debuginfo-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="3.68.amzn1" 
version="5.1.73"><filename>Packages/mysql51-embedded-devel-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-bench-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-devel-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-common-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-common-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-devel-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-server-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-bench" release="3.68.amzn1" 
version="5.1.73"><filename>Packages/mysql51-bench-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-debuginfo-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-test-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-devel-5.1.73-3.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="3.68.amzn1" version="5.1.73"><filename>Packages/mysql51-libs-5.1.73-3.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-299</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-299: medium priority package update for lighttpd</title><issued date="2014-03-06 14:57" /><updated date="2014-09-16 22:37" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4560:
1029664:
CVE-2013-4560 lighttpd: Use after free if FAMMonitorDirectory fails
Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures.

CVE-2013-4559:
1029663:
CVE-2013-4559 lighttpd: setuid/setgid/setgroups return value check
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.

CVE-2013-4508:
1026566:
CVE-2013-4508 lighttpd: uses vulnerable cipher suites when SNI is used
lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560" id="CVE-2013-4560" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508" id="CVE-2013-4508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559" id="CVE-2013-4559" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lighttpd-fastcgi" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-fastcgi-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_geoip" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-mod_geoip-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_mysql_vhost" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-debuginfo" release="4.12.amzn1" 
version="1.4.34"><filename>Packages/lighttpd-debuginfo-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_geoip" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-mod_geoip-1.4.34-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-fastcgi" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-fastcgi-1.4.34-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-debuginfo" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-debuginfo-1.4.34-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-1.4.34-4.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_mysql_vhost" release="4.12.amzn1" version="1.4.34"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.34-4.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-300</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-300: low priority package update for socat</title><issued date="2014-03-06 14:57" /><updated date="2014-09-16 22:36" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0019:
1057746:
CVE-2014-0019 socat: PROXY-CONNECT address overflow
Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CONNECT address in the command line.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0019" id="CVE-2014-0019" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="socat-debuginfo" release="1.10.amzn1" version="1.7.2.3"><filename>Packages/socat-debuginfo-1.7.2.3-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="socat" release="1.10.amzn1" version="1.7.2.3"><filename>Packages/socat-1.7.2.3-1.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="socat" release="1.10.amzn1" version="1.7.2.3"><filename>Packages/socat-1.7.2.3-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="socat-debuginfo" release="1.10.amzn1" version="1.7.2.3"><filename>Packages/socat-debuginfo-1.7.2.3-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-301</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-301: important priority package update for gnutls</title><issued date="2014-03-06 14:58" /><updated date="2014-09-17 22:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0092:
It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092" id="CVE-2014-0092" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0246.html" id="RHSA-2014:0246" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-guile" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-13.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-13.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-13.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="13.11.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-13.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="13.11.amzn1" 
version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-13.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-302</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-302: low priority package update for numpy</title><issued date="2014-03-10 09:40" /><updated date="2014-09-17 22:50" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1859:
1062009:
CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use

CVE-2014-1858:
1062009:
CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858" id="CVE-2014-1858" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859" id="CVE-2014-1859" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="numpy-doc" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-doc-1.7.2-8.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="numpy" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-1.7.2-8.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="numpy-f2py" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-f2py-1.7.2-8.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="numpy-debuginfo" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-debuginfo-1.7.2-8.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="numpy-f2py" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-f2py-1.7.2-8.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="numpy-debuginfo" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-debuginfo-1.7.2-8.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="numpy" release="8.10.amzn1" version="1.7.2"><filename>Packages/numpy-1.7.2-8.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-303</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-303: medium priority package update for openswan</title><issued date="2014-03-10 09:40" /><updated date="2014-09-17 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6466:
A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6466" id="CVE-2013-6466" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0185.html" id="RHSA-2014:0185" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openswan-doc" release="3.17.amzn1" version="2.6.37"><filename>Packages/openswan-doc-2.6.37-3.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan-debuginfo" release="3.17.amzn1" version="2.6.37"><filename>Packages/openswan-debuginfo-2.6.37-3.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openswan" release="3.17.amzn1" version="2.6.37"><filename>Packages/openswan-2.6.37-3.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openswan" release="3.17.amzn1" version="2.6.37"><filename>Packages/openswan-2.6.37-3.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan-debuginfo" release="3.17.amzn1" version="2.6.37"><filename>Packages/openswan-debuginfo-2.6.37-3.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openswan-doc" release="3.17.amzn1" version="2.6.37"><filename>Packages/openswan-doc-2.6.37-3.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-304</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-304: medium priority package update for file</title><issued date="2014-03-13 18:12" /><updated date="2014-09-17 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1943:
1065836:
CVE-2014-1943 file: infinite recursion
Fine Free file before 5.17 allows context-dependent attackers to 
cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943" id="CVE-2014-1943" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="file-debuginfo" release="13.14.amzn1" version="5.11"><filename>Packages/file-debuginfo-5.11-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="13.14.amzn1" version="5.11"><filename>Packages/file-5.11-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="13.14.amzn1" version="5.11"><filename>Packages/file-static-5.11-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-devel" release="13.14.amzn1" version="5.11"><filename>Packages/file-devel-5.11-13.14.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python-magic" release="13.14.amzn1" version="5.11"><filename>Packages/python-magic-5.11-13.14.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="13.14.amzn1" version="5.11"><filename>Packages/file-libs-5.11-13.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="13.14.amzn1" version="5.11"><filename>Packages/file-debuginfo-5.11-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="13.14.amzn1" version="5.11"><filename>Packages/file-devel-5.11-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="13.14.amzn1" version="5.11"><filename>Packages/file-static-5.11-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="13.14.amzn1" 
version="5.11"><filename>Packages/file-5.11-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="13.14.amzn1" version="5.11"><filename>Packages/file-libs-5.11-13.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-305</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-305: important priority package update for postgresql8</title><issued date="2014-03-13 18:12" /><updated date="2014-09-17 22:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0066:
It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference.

CVE-2014-0065:
Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-0064:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-0063:
Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL. An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-0062:
A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges.

CVE-2014-0061:
A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges.

CVE-2014-0060:
It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066" id="CVE-2014-0066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064" id="CVE-2014-0064" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065" id="CVE-2014-0065" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062" id="CVE-2014-0062" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063" id="CVE-2014-0063" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060" id="CVE-2014-0060" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061" id="CVE-2014-0061" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0211.html" id="RHSA-2014:0211" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="1.44.amzn1" 
version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" 
release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="1.44.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-306</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-306: important priority package update for postgresql9</title><issued date="2014-03-13 18:12" /><updated date="2014-09-17 22:52" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0066:
It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference.

CVE-2014-0065:
Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-0064:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-0063:
Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL. An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-0062:
A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges.

CVE-2014-0061:
A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges.

CVE-2014-0060:
It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066" id="CVE-2014-0066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064" id="CVE-2014-0064" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065" id="CVE-2014-0065" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062" id="CVE-2014-0062" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063" id="CVE-2014-0063" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060" id="CVE-2014-0060" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061" id="CVE-2014-0061" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0211.html" id="RHSA-2014:0211" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql9-server" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-server-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-test" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-test-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="postgresql9-upgrade" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-upgrade-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-pltcl" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-pltcl-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-contrib" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-contrib-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-docs" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-docs-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plpython" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-plpython-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-debuginfo" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-debuginfo-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-devel" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-devel-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-plperl" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-plperl-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql9-libs" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-libs-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-server" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-server-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql9-libs" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-libs-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-upgrade" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-upgrade-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plpython" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-plpython-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-contrib" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-contrib-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-test" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-test-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-debuginfo" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-debuginfo-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-pltcl" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-pltcl-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-plperl" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-plperl-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-docs" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-docs-9.2.7-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql9-devel" release="1.40.amzn1" version="9.2.7"><filename>Packages/postgresql9-devel-9.2.7-1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-307</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-307: medium priority package update for libtiff</title><issued date="2014-03-13 18:13" /><updated date="2014-09-17 22:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4244:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.

CVE-2013-4243:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.

CVE-2013-4232:
A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.

CVE-2013-4231:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.

CVE-2013-1961:
Multiple buffer overflow flaws were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash.

CVE-2013-1960:
A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.

CVE-2010-2596:
A flaw was found in the way libtiff handled OJPEG-encoded TIFF images.
An attacker could use this flaw to create a specially crafted TIFF file that would cause an application using libtiff to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2596" id="CVE-2010-2596" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244" id="CVE-2013-4244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232" id="CVE-2013-4232" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960" id="CVE-2013-1960" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231" id="CVE-2013-4231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961" id="CVE-2013-1961" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243" id="CVE-2013-4243" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0222.html" id="RHSA-2014:0222" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-devel" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="10.12.amzn1"
version="3.9.4"><filename>Packages/libtiff-3.9.4-10.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-static-3.9.4-10.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-debuginfo-3.9.4-10.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="10.12.amzn1" version="3.9.4"><filename>Packages/libtiff-devel-3.9.4-10.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-308</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-308: important priority package update for nginx</title><issued date="2014-03-24 23:32" /><updated date="2014-09-17 22:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0133:
1077988:
CVE-2014-0133 nginx: heap-based buffer overflow in SPDY implementation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133" id="CVE-2014-0133" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="1.17.amzn1" version="1.4.7"><filename>Packages/nginx-debuginfo-1.4.7-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx" release="1.17.amzn1" version="1.4.7"><filename>Packages/nginx-1.4.7-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="1.17.amzn1" version="1.4.7"><filename>Packages/nginx-debuginfo-1.4.7-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx"
release="1.17.amzn1" version="1.4.7"><filename>Packages/nginx-1.4.7-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-309</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-309: medium priority package update for httpd24</title><issued date="2014-03-24 23:33" /><updated date="2014-09-17 22:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0098:
1077871:
CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098" id="CVE-2014-0098" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_ldap-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_proxy_html-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_session-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-tools-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-manual-2.4.9-1.54.amzn1.noarch.rpm</filename></package><package
arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-debuginfo-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_ssl-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-devel-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-debuginfo-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-devel-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_ldap-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_ssl-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.54.amzn1" version="2.4.9"><filename>Packages/httpd24-tools-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_session-2.4.9-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.54.amzn1" version="2.4.9"><filename>Packages/mod24_proxy_html-2.4.9-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2014-310</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-310: important priority package update for mutt</title><issued date="2014-03-24 23:33" /><updated date="2014-09-17 22:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0467:
A heap-based buffer overflow flaw was found in the way mutt processed certain email headers. A remote attacker could use this flaw to send an email with specially crafted headers that, when processed, could cause mutt to crash or, potentially, execute arbitrary code with the permissions of the user running mutt.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467" id="CVE-2014-0467" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0304.html" id="RHSA-2014:0304" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="5" name="mutt-debuginfo" release="4.20091214hg736b6a.7.amzn1" version="1.5.20"><filename>Packages/mutt-debuginfo-1.5.20-4.20091214hg736b6a.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="5" name="mutt" release="4.20091214hg736b6a.7.amzn1" version="1.5.20"><filename>Packages/mutt-1.5.20-4.20091214hg736b6a.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="5" name="mutt-debuginfo" release="4.20091214hg736b6a.7.amzn1" version="1.5.20"><filename>Packages/mutt-debuginfo-1.5.20-4.20091214hg736b6a.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="5" name="mutt" release="4.20091214hg736b6a.7.amzn1" version="1.5.20"><filename>Packages/mutt-1.5.20-4.20091214hg736b6a.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security"
version="1.4"><id>ALAS-2014-311</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-311: important priority package update for 389-ds-base</title><issued date="2014-03-24 23:34" /><updated date="2014-09-17 22:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0132:
1074845:
CVE-2014-0132 389-ds: flaw in parsing authzid can lead to privilege escalation
It was discovered that the 389 Directory Server did not properly handle certain SASL-based authentication mechanisms. A user able to authenticate to the directory using these SASL mechanisms could connect as any other directory user, including the administrative Directory Manager account. This could allow them to modify configuration values, as well as read and write any data the directory holds.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0132" id="CVE-2014-0132" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-devel-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-libs-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-debuginfo-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="1.16.amzn1"
version="1.3.2.16"><filename>Packages/389-ds-base-devel-1.3.2.16-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-1.3.2.16-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-debuginfo-1.3.2.16-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="1.16.amzn1" version="1.3.2.16"><filename>Packages/389-ds-base-libs-1.3.2.16-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-312</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-312: medium priority package update for tomcat7</title><issued date="2014-03-24 23:36" /><updated date="2014-09-17 22:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0050:
1062337:
CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050" id="CVE-2014-0050" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-docs-webapp-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.38.amzn1"
version="7.0.47"><filename>Packages/tomcat7-lib-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-webapps-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-el-2.2-api-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-javadoc-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-jsp-2.2-api-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-admin-webapps-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.38.amzn1" version="7.0.47"><filename>Packages/tomcat7-servlet-3.0-api-7.0.47-1.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-313</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-313: medium priority package update for php54</title><issued date="2014-03-24 23:37" /><updated date="2014-09-17 22:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2270:
1072220:
CVE-2014-2270 file: out-of-bounds memory access when parsing Portable Executable (PE) format files

CVE-2014-1943:
1065836:
CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
1065836:
CVE-2014-1943 file: infinite recursion
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943" id="CVE-2014-1943" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270" id="CVE-2014-2270" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-dba" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-dba-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-embedded-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mysqlnd-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-xmlrpc-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mssql-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-fpm-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-cli-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-devel-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.51.amzn1"
version="5.4.26"><filename>Packages/php54-debuginfo-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mbstring-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-odbc-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-gd-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-common-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-pgsql-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-xml-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-bcmath-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-pspell-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mysql-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-imap-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-enchant" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-enchant-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-tidy-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-pdo-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-recode-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-snmp-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-process-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-intl-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-ldap-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-soap-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mcrypt-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mssql-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.51.amzn1" 
version="5.4.26"><filename>Packages/php54-dba-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mbstring-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mysqlnd-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-snmp-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-enchant-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mcrypt-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-cli-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-tidy-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-common-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-mysql-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-bcmath-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.51.amzn1" 
version="5.4.26"><filename>Packages/php54-debuginfo-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-recode-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-odbc-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-pdo-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-pspell-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-devel-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-intl-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-fpm-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-xmlrpc-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-pgsql-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-soap-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-gd-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.51.amzn1" 
version="5.4.26"><filename>Packages/php54-xml-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-process-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-imap-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-ldap-5.4.26-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.51.amzn1" version="5.4.26"><filename>Packages/php54-embedded-5.4.26-1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-314</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-314: important priority package update for php55</title><issued date="2014-03-24 23:37" /><updated date="2014-09-18 00:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2270:
1072220:
CVE-2014-2270 file: out-of-bounds memory access when parsing Portable Executable (PE) format files

CVE-2014-1943:
1065836:
CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
1065836:
CVE-2014-1943 file: infinite recursion
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.

CVE-2013-7327:
1065108:
CVE-2013-7226 CVE-2013-7327 CVE-2013-7328 CVE-2014-2020 php: multiple vulnerabilities in gdImageCrop()
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943" id="CVE-2014-1943" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7327" id="CVE-2013-7327" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270" id="CVE-2014-2270" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-soap" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-soap-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-xmlrpc-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-xml-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-pspell-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-intl-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-fpm-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="php55-snmp" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-snmp-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-tidy-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-enchant-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-process-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-imap-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-pgsql-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-devel-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-ldap-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mbstring-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mysqlnd-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-odbc-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.67.amzn1" 
version="5.5.10"><filename>Packages/php55-bcmath-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-recode-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mcrypt-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-common-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-pdo-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-gmp-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-gd-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-cli-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-embedded-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-dba-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-debuginfo-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php55-mssql" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mssql-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-opcache-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-intl-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-tidy-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-snmp-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-common-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-embedded-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-imap-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-odbc-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-xmlrpc-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-cli-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-process-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php55-mbstring" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mbstring-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-pdo-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-devel-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mcrypt-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-fpm-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-debuginfo-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-opcache-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-ldap-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-recode-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-gd-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-pgsql-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-gmp" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-gmp-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-bcmath-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-pspell-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-enchant-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-dba-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-xml-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mysqlnd-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-mssql-5.5.10-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.67.amzn1" version="5.5.10"><filename>Packages/php55-soap-5.5.10-1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-315</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-315: medium priority package update for yum</title><issued date="2014-03-24 23:38" /><updated date="2014-09-18 00:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0022:
1057377:
CVE-2014-0022 yum: yum-cron 
installs unsigned packages
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0022" id="CVE-2014-0022" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="yum-cron-security" release="137.49.amzn1" version="3.4.3"><filename>Packages/yum-cron-security-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-cron-hourly" release="137.49.amzn1" version="3.4.3"><filename>Packages/yum-cron-hourly-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum" release="137.49.amzn1" version="3.4.3"><filename>Packages/yum-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-cron" release="137.49.amzn1" version="3.4.3"><filename>Packages/yum-cron-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-cron-daily" release="137.49.amzn1" version="3.4.3"><filename>Packages/yum-cron-daily-3.4.3-137.49.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-316</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-316: medium priority package update for net-snmp</title><issued date="2014-03-24 23:39" /><updated date="2014-09-18 00:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2284:
A buffer overflow flaw was found in the way the decode_icmp_msg() function in the ICMP-MIB implementation processed 
Internet Control Message Protocol (ICMP) message statistics reported in the /proc/net/snmp file. A remote attacker could send a message for each ICMP message type, which could potentially cause the snmpd service to crash when processing the /proc/net/snmp file.

CVE-2012-6151:
Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, and hang) by causing the AgentX subagent to timeout.
1038007:
CVE-2012-6151 net-snmp: snmpd crashes/hangs when AgentX subagent times-out
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6151" id="CVE-2012-6151" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284" id="CVE-2014-2284" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0321.html" id="RHSA-2014:0321" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="net-snmp-debuginfo" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-debuginfo-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-python" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-python-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-perl" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-perl-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-utils" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-utils-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-devel" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-devel-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="1" name="net-snmp-libs" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-libs-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-5.5-49.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-5.5-49.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-libs" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-libs-5.5-49.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-utils" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-utils-5.5-49.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-perl" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-perl-5.5-49.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-devel" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-devel-5.5-49.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-debuginfo" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-debuginfo-5.5-49.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-python" release="49.18.amzn1" version="5.5"><filename>Packages/net-snmp-python-5.5-49.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-317</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-317: low priority package update for kernel</title><issued date="2014-03-24 23:39" /><updated date="2014-09-18 00:06" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0101:
The sctp_sf_do_5_1D_ce 
function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
1070705:
CVE-2014-0101 kernel: net: sctp: null pointer dereference when processing authenticated cookie_echo chunk
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101" id="CVE-2014-0101" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-headers-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-debuginfo-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="37.137.amzn1" version="3.10.34"><filename>Packages/perf-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="37.137.amzn1" version="3.10.34"><filename>Packages/perf-debuginfo-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="37.137.amzn1" 
version="3.10.34"><filename>Packages/kernel-devel-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-headers-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-debuginfo-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="37.137.amzn1" version="3.10.34"><filename>Packages/perf-debuginfo-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="37.137.amzn1" version="3.10.34"><filename>Packages/perf-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-devel-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-debuginfo-common-i686-3.10.34-37.137.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="37.137.amzn1" version="3.10.34"><filename>Packages/kernel-doc-3.10.34-37.137.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-318</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-318: medium priority package update for subversion</title><issued date="2014-03-25 12:14" /><updated date="2014-09-18 00:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0032:
1062042:
CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on
A flaw was found in the way the mod_dav_svn module handled OPTIONS requests. A remote attacker with read access to an SVN repository served via HTTP could use this flaw to cause the httpd process that handled such a request to crash.
The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032" id="CVE-2014-0032" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-ruby-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-javahl-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-tools-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-perl-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.42.amzn1" 
version="1.8.8"><filename>Packages/subversion-libs-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-devel-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.42.amzn1" version="1.8.8"><filename>Packages/mod_dav_svn-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-debuginfo-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-python-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-debuginfo-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-devel-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-python-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-tools-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-libs-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-ruby-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.42.amzn1" 
version="1.8.8"><filename>Packages/subversion-perl-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-javahl-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.42.amzn1" version="1.8.8"><filename>Packages/subversion-1.8.8-1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.42.amzn1" version="1.8.8"><filename>Packages/mod_dav_svn-1.8.8-1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-319</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-319: important priority package update for openssh</title><issued date="2014-03-28 18:25" /><updated date="2014-09-18 00:48" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-ldap" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="5.7.39.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="openssh-debuginfo" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-7.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-7.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-7.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="5.7.39.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-7.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-7.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="7.39.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-7.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-320</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-320: critical priority package update for openssl</title><issued date="2014-04-07 17:26" /><updated date="2014-09-18 00:19" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0160:
1084875:
CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets

CVE-2013-0169:
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section.
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
907589:
CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
This update fixes three vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. 
A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" id="CVE-2013-0169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" id="CVE-2014-0160" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-devel" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-devel-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-debuginfo-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-perl-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-static-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-static-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-perl-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="37.66.amzn1" 
version="1.0.1e"><filename>Packages/openssl-devel-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="37.66.amzn1" version="1.0.1e"><filename>Packages/openssl-debuginfo-1.0.1e-37.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-321</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-321: important priority package update for libyaml</title><issued date="2014-04-10 23:54" /><updated date="2014-09-18 00:19" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2525:
1078083:
CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525" id="CVE-2014-2525" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libyaml-devel" release="1.6.amzn1" version="0.1.6"><filename>Packages/libyaml-devel-0.1.6-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libyaml-debuginfo" release="1.6.amzn1" version="0.1.6"><filename>Packages/libyaml-debuginfo-0.1.6-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libyaml" release="1.6.amzn1" version="0.1.6"><filename>Packages/libyaml-0.1.6-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libyaml-debuginfo" release="1.6.amzn1" version="0.1.6"><filename>Packages/libyaml-debuginfo-0.1.6-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libyaml-devel" release="1.6.amzn1" version="0.1.6"><filename>Packages/libyaml-devel-0.1.6-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libyaml" release="1.6.amzn1" version="0.1.6"><filename>Packages/libyaml-0.1.6-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-322</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-322: medium priority package update for curl</title><issued date="2014-04-10 23:54" /><updated date="2014-09-18 00:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0138:
1079148:
CVE-2014-0138 curl: wrong re-use of connections in libcurl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138" id="CVE-2014-0138" title="" type="cve" /></references><pkglist><collection
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl-debuginfo" release="2.44.amzn1" version="7.36.0"><filename>Packages/curl-debuginfo-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="2.44.amzn1" version="7.36.0"><filename>Packages/curl-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="2.44.amzn1" version="7.36.0"><filename>Packages/libcurl-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="2.44.amzn1" version="7.36.0"><filename>Packages/libcurl-devel-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="2.44.amzn1" version="7.36.0"><filename>Packages/curl-7.36.0-2.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="2.44.amzn1" version="7.36.0"><filename>Packages/libcurl-devel-7.36.0-2.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="2.44.amzn1" version="7.36.0"><filename>Packages/curl-debuginfo-7.36.0-2.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="2.44.amzn1" version="7.36.0"><filename>Packages/libcurl-7.36.0-2.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-323</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-323: medium priority package update for file</title><issued date="2014-04-10 23:55" /><updated date="2014-09-18 00:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
The BEGIN regular expression in the
awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" id="CVE-2013-7345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python-magic" release="13.16.amzn1" version="5.11"><filename>Packages/python-magic-5.11-13.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="13.16.amzn1" version="5.11"><filename>Packages/file-libs-5.11-13.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="13.16.amzn1" version="5.11"><filename>Packages/file-static-5.11-13.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="13.16.amzn1" version="5.11"><filename>Packages/file-5.11-13.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-debuginfo" release="13.16.amzn1" version="5.11"><filename>Packages/file-debuginfo-5.11-13.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-devel" release="13.16.amzn1" version="5.11"><filename>Packages/file-devel-5.11-13.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="13.16.amzn1" version="5.11"><filename>Packages/file-static-5.11-13.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="13.16.amzn1" version="5.11"><filename>Packages/file-libs-5.11-13.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="13.16.amzn1"
version="5.11"><filename>Packages/file-debuginfo-5.11-13.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="13.16.amzn1" version="5.11"><filename>Packages/file-5.11-13.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="13.16.amzn1" version="5.11"><filename>Packages/file-devel-5.11-13.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-324</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-324: important priority package update for perl-YAML-LibYAML</title><issued date="2014-04-17 14:18" /><updated date="2014-09-18 00:20" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2525:
1078083:
CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.

CVE-2013-6393:
1033990:
CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393" id="CVE-2013-6393" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525" id="CVE-2014-2525" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perl-YAML-LibYAML-debuginfo" release="4.9.amzn1" version="0.41"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.41-4.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-YAML-LibYAML" release="4.9.amzn1" version="0.41"><filename>Packages/perl-YAML-LibYAML-0.41-4.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perl-YAML-LibYAML-debuginfo" release="4.9.amzn1" version="0.41"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.41-4.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-YAML-LibYAML" release="4.9.amzn1" version="0.41"><filename>Packages/perl-YAML-LibYAML-0.41-4.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-325</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-325: important priority package update for xalan-j2</title><issued date="2014-04-17 23:50" /><updated date="2014-09-18 00:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0107:
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature.
Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107" id="CVE-2014-0107" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0348.html" id="RHSA-2014:0348" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="xalan-j2-demo" release="9.9.9.amzn1" version="2.7.0"><filename>Packages/xalan-j2-demo-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xalan-j2-javadoc" release="9.9.9.amzn1" version="2.7.0"><filename>Packages/xalan-j2-javadoc-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xalan-j2" release="9.9.9.amzn1" version="2.7.0"><filename>Packages/xalan-j2-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xalan-j2-manual" release="9.9.9.amzn1" version="2.7.0"><filename>Packages/xalan-j2-manual-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xalan-j2-xsltc" release="9.9.9.amzn1" version="2.7.0"><filename>Packages/xalan-j2-xsltc-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-326</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-326: important priority package update for java-1.6.0-openjdk</title><issued date="2014-04-17 23:53" /><updated date="2014-09-18 00:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2427:
Multiple improper permission check issues were discovered in the
AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2423:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2421:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.

CVE-2014-2414:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2412:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2403:
It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability.

CVE-2014-2398:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.

CVE-2014-2397:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK.
An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.

CVE-2014-1876:
An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200.

CVE-2014-0461:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0460:
Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks.

CVE-2014-0458:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0457:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0456:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.

CVE-2014-0453:
It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption.

CVE-2014-0452:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0451:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0446:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0429:
An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.

CVE-2013-5797:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0451" id="CVE-2014-0451" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" id="CVE-2013-5797" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2427" id="CVE-2014-2427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2421" id="CVE-2014-2421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0429" id="CVE-2014-0429" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2414" id="CVE-2014-2414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2403" id="CVE-2014-2403" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2412" id="CVE-2014-2412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2423" id="CVE-2014-2423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2397" id="CVE-2014-2397" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1876" id="CVE-2014-1876" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2398" id="CVE-2014-2398" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0457" id="CVE-2014-0457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0456" id="CVE-2014-0456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453" id="CVE-2014-0453" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0452" id="CVE-2014-0452" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0446" id="CVE-2014-0446" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0460" id="CVE-2014-0460" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0461" id="CVE-2014-0461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0458" id="CVE-2014-0458" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0408.html" id="RHSA-2014:0408" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" 
name="java-1.6.0-openjdk-demo" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.3.64.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-327</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-327: critical priority package update for java-1.7.0-openjdk</title><issued date="2014-04-17 23:55" /><updated date="2014-09-18 00:23" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2427:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2423:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2421:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.

CVE-2014-2414:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2413:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2412:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2403:
It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability.

CVE-2014-2402:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2398:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.

CVE-2014-2397:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.

CVE-2014-1876:
An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200.

CVE-2014-0461:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0460:
Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks.

CVE-2014-0459:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0458:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0457:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0456:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.

CVE-2014-0455:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-0454:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0453:
It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption.

CVE-2014-0452:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0451:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0446:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK.
An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-0429:
An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.

CVE-2013-5797:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0446" id="CVE-2014-0446" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" id="CVE-2013-5797" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2427" id="CVE-2014-2427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2421" id="CVE-2014-2421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0429" id="CVE-2014-0429" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2414" id="CVE-2014-2414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2402" id="CVE-2014-2402" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2403" id="CVE-2014-2403" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2413" id="CVE-2014-2413" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2412" id="CVE-2014-2412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2423" id="CVE-2014-2423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2397" id="CVE-2014-2397" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1876" id="CVE-2014-1876" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2398" id="CVE-2014-2398" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0457" id="CVE-2014-0457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0456" id="CVE-2014-0456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0455" id="CVE-2014-0455" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0454" id="CVE-2014-0454" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453" id="CVE-2014-0453" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0452" id="CVE-2014-0452" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0451" id="CVE-2014-0451" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0460" id="CVE-2014-0460" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0461" id="CVE-2014-0461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0459" id="CVE-2014-0459" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0458" id="CVE-2014-0458" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0406.html" id="RHSA-2014:0406" title="" 
type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.55-2.4.7.1.40.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.4.7.1.40.amzn1" version="1.7.0.55"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-328</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-328: medium priority package update for kernel</title><issued date="2014-04-22 10:53" /><updated date="2014-09-18 00:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2523:
net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
1077343:
CVE-2014-2523 kernel: netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages

CVE-2014-2309:
1074471:
CVE-2014-2309 Kernel: net: IPv6: crash due to router advertisement flooding
The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.

CVE-2014-0077:
1064440:
CVE-2014-0077 kernel: vhost-net: insufficiency in handling of big packets in handle_rx()
drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

CVE-2014-0055:
The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.
1062577:
CVE-2014-0055 kernel: vhost-net: insufficient handling of error conditions in get_rx_bufs()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2309" id="CVE-2014-2309" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0077" id="CVE-2014-0077" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523" id="CVE-2014-2523" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0055" id="CVE-2014-0055" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="47.135.amzn1" version="3.10.37"><filename>Packages/perf-debuginfo-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo"
release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-debuginfo-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-headers-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="47.135.amzn1" version="3.10.37"><filename>Packages/perf-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-devel-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="47.135.amzn1" version="3.10.37"><filename>Packages/perf-debuginfo-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-debuginfo-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="47.135.amzn1" version="3.10.37"><filename>Packages/perf-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-debuginfo-common-i686-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-devel-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="47.135.amzn1" 
version="3.10.37"><filename>Packages/kernel-headers-3.10.37-47.135.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="47.135.amzn1" version="3.10.37"><filename>Packages/kernel-doc-3.10.37-47.135.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-329</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-329: medium priority package update for mysql55</title><issued date="2014-04-25 15:48" /><updated date="2014-09-18 00:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2440:
1088197:
CVE-2014-2440 mysql: unspecified vulnerability in MySQL Client subcomponent (CPU April 2014)
Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2014-2438:
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.
1088191:
CVE-2014-2438 mysql: unspecified vulnerability in MySQL server related to Replication subcomponent (CPU April 2014)

CVE-2014-2436:
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.
1088190:
CVE-2014-2436 mysql: unspecified vulnerability in MySQL server related to RBR subcomponent (CPU April 2014)

CVE-2014-2432:
Unspecified vulnerability Oracle the MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.
1088179:
CVE-2014-2432 mysql: unspecified vulnerability in MySQL server related to Federated subcomponent (CPU April 2014)

CVE-2014-2431:
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.
1088146:
CVE-2014-2431 mysql: unspecified vulnerability in MySQL server related to Options subcomponent (CPU April 2014)

CVE-2014-2430:
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
1088143:
CVE-2014-2430 mysql: unspecified vulnerability in MySQL server related to Performance Schema subcomponent (CPU April 2014)

CVE-2014-2419:
1088134:
CVE-2014-2419 mysql: unspecified vulnerability in MySQL server related to Partition subcomponent
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

CVE-2014-0384:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML.
1088133:
CVE-2014-0384 mysql: unspecified vulnerability in MySQL server related to XML subcomponent (CPU April 2014)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2440" id="CVE-2014-2440" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0384" id="CVE-2014-0384" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2432" id="CVE-2014-2432" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2431" id="CVE-2014-2431" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2430" id="CVE-2014-2430" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2436" id="CVE-2014-2436" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2438" id="CVE-2014-2438" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2419" id="CVE-2014-2419" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-test" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-test-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-server-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-bench-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-embedded-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.46.amzn1"
version="5.5.37"><filename>Packages/mysql55-embedded-devel-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-libs-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-devel-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-debuginfo-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-common" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-common-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-server-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-debuginfo-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-devel-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-common" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-common-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-test-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.46.amzn1" 
version="5.5.37"><filename>Packages/mysql55-embedded-devel-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-libs-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-bench-5.5.37-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.46.amzn1" version="5.5.37"><filename>Packages/mysql55-embedded-5.5.37-1.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-330</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-330: medium priority package update for wireshark</title><issued date="2014-04-25 15:57" /><updated date="2014-09-18 00:29" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2299:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

CVE-2014-2283:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-2281:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

CVE-2013-7114:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-7112:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-6340:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-6339:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-6338:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-6337:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2013-6336:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6339" id="CVE-2013-6339" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6338" id="CVE-2013-6338" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7112" id="CVE-2013-7112" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6337" id="CVE-2013-6337" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6336" id="CVE-2013-6336" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7114" id="CVE-2013-7114" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299" id="CVE-2014-2299" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6340" id="CVE-2013-6340" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281" id="CVE-2014-2281" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283" id="CVE-2014-2283" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0342.html" id="RHSA-2014:0342" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wireshark" release="7.13.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-7.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-devel" release="7.13.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-7.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-debuginfo" release="7.13.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-7.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wireshark"
release="7.13.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-7.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-devel" release="7.13.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-7.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-debuginfo" release="7.13.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-7.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-331</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-331: medium priority package update for httpd</title><issued date="2014-04-25 16:00" /><updated date="2014-09-18 00:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0098:
A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled (on Red Hat Enterprise Linux it is disabled by default), a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header.

CVE-2013-6438:
It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438" id="CVE-2013-6438" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098" id="CVE-2014-0098" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0370.html" id="RHSA-2014:0370" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-manual-2.2.27-1.2.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-devel-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-tools-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.2.amzn1" version="2.2.27"><filename>Packages/mod_ssl-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-debuginfo-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-tools-2.2.27-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-devel-2.2.27-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.2.amzn1" version="2.2.27"><filename>Packages/mod_ssl-2.2.27-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="httpd-debuginfo" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-debuginfo-2.2.27-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.2.amzn1" version="2.2.27"><filename>Packages/httpd-2.2.27-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-332</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-332: medium priority package update for php55</title><issued date="2014-04-25 16:01" /><updated date="2014-09-18 00:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" id="CVE-2013-7345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mbstring-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-dba-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-opcache-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-intl-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-process-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-cli-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-odbc-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mysqlnd-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-imap-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-gd-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm"
release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-fpm-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-xml-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-embedded-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mcrypt-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mssql-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-bcmath-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-common-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-devel-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-ldap-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-snmp-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-pdo-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-xmlrpc-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-tidy" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-tidy-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-gmp-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-debuginfo-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-recode-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-pgsql-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-enchant-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-soap-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-pspell-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-cli-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-soap-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.71.amzn1" 
version="5.5.11"><filename>Packages/php55-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-pspell-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-recode-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-fpm-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mysqlnd-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-common-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-gmp-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-embedded-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mcrypt-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-ldap-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mssql-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-imap-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.71.amzn1" 
version="5.5.11"><filename>Packages/php55-intl-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-dba-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-xml-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-bcmath-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-devel-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-enchant-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-odbc-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-process-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-mbstring-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-debuginfo-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-xmlrpc-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-pgsql-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" 
release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-pdo-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-tidy-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-opcache-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-snmp-5.5.11-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.71.amzn1" version="5.5.11"><filename>Packages/php55-gd-5.5.11-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-333</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-333: medium priority package update for php54</title><issued date="2014-04-25 16:04" /><updated date="2014-09-18 00:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" id="CVE-2013-7345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-odbc" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-odbc-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-pspell-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-imap-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mysqlnd-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-debuginfo-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-recode-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-enchant-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-pgsql-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-tidy-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" 
release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-gd-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mssql-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-intl-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-xml-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-soap-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mbstring-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-pdo-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-embedded-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-fpm-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mysql-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-process-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-cli-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php54-common" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-common-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-ldap-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-dba-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-bcmath-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-devel-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mcrypt-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-xmlrpc-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-snmp-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-ldap-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mssql-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-process-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.53.amzn1" 
version="5.4.27"><filename>Packages/php54-gd-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-xml-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-common-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-recode-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-cli-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mcrypt-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-pgsql-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-xmlrpc-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-soap-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-intl-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-odbc-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.53.amzn1" 
version="5.4.27"><filename>Packages/php54-imap-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-bcmath-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-pdo-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mysql-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-snmp-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-devel-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-pspell-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mysqlnd-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-embedded-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-dba-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-debuginfo-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-mbstring-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" 
release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-fpm-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-enchant-5.4.27-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.53.amzn1" version="5.4.27"><filename>Packages/php54-tidy-5.4.27-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-334</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-334: medium priority package update for mod24_security</title><issued date="2014-05-06 22:19" /><updated date="2014-09-18 00:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5705:
1082904:
CVE-2013-5705 mod_security: bypass of intended rules via chunked requests
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705" id="CVE-2013-5705" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_security" release="3.24.amzn1" version="2.7.3"><filename>Packages/mod24_security-2.7.3-3.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mlogc24" release="3.24.amzn1" version="2.7.3"><filename>Packages/mlogc24-2.7.3-3.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_security-debuginfo" release="3.24.amzn1" version="2.7.3"><filename>Packages/mod24_security-debuginfo-2.7.3-3.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_security-debuginfo" release="3.24.amzn1" version="2.7.3"><filename>Packages/mod24_security-debuginfo-2.7.3-3.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_security" release="3.24.amzn1" version="2.7.3"><filename>Packages/mod24_security-2.7.3-3.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mlogc24" release="3.24.amzn1" version="2.7.3"><filename>Packages/mlogc24-2.7.3-3.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-335</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-335: medium priority package update for mod_security</title><issued date="2014-05-06 22:19" /><updated date="2014-09-18 00:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5705:
1082904:
CVE-2013-5705 mod_security: bypass of intended rules via chunked requests
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705" id="CVE-2013-5705" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_security" release="3.23.amzn1" version="2.7.3"><filename>Packages/mod_security-2.7.3-3.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mlogc" release="3.23.amzn1" version="2.7.3"><filename>Packages/mlogc-2.7.3-3.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_security-debuginfo" release="3.23.amzn1" version="2.7.3"><filename>Packages/mod_security-debuginfo-2.7.3-3.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mlogc" release="3.23.amzn1" version="2.7.3"><filename>Packages/mlogc-2.7.3-3.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_security" release="3.23.amzn1" version="2.7.3"><filename>Packages/mod_security-2.7.3-3.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_security-debuginfo" release="3.23.amzn1" version="2.7.3"><filename>Packages/mod_security-debuginfo-2.7.3-3.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-336</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-336: medium priority package update for ImageMagick</title><issued date="2014-05-13 14:03" /><updated date="2014-09-18 00:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2030:
1083477:
CVE-2014-2030 ImageMagick: PSD writing layer name buffer overflow ("L%06ld")

CVE-2014-1958:
1067276:
CVE-2014-1958 ImageMagick: buffer overflow flaw when handling PSD images that use RLE encoding

CVE-2014-1947:
1064098:
CVE-2014-1947 ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1958" id="CVE-2014-1958" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947" id="CVE-2014-1947" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2030" id="CVE-2014-2030" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ImageMagick-c++-devel" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-debuginfo" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-devel" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-devel-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-perl" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-perl-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-doc" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-doc-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package arch="i686" 
epoch="0" name="ImageMagick" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++-devel" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-devel" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-devel-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-debuginfo" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-doc" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-doc-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-perl" release="10.15.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-perl-6.7.8.9-10.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-337</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-337: medium priority package update for jbigkit</title><issued date="2014-05-13 16:23" /><updated date="2014-09-18 00:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6369:
Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig.c in JBIG-KIT before 2.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted image file.
1032273:
CVE-2013-6369 jbigkit: stack-based buffer overflow flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369" id="CVE-2013-6369" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="jbigkit" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-2.0-11.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jbigkit-devel" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-devel-2.0-11.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jbigkit-debuginfo" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-debuginfo-2.0-11.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jbigkit-libs" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-libs-2.0-11.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="jbigkit-debuginfo" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-debuginfo-2.0-11.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jbigkit-libs" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-libs-2.0-11.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jbigkit" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-2.0-11.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jbigkit-devel" release="11.4.amzn1" version="2.0"><filename>Packages/jbigkit-devel-2.0-11.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-338</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-338: medium priority package update for cyrus-sasl</title><issued date="2014-05-13 16:37" /><updated date="2014-09-18 00:34" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4122:
Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
984669:
CVE-2013-4122 cyrus-sasl: NULL pointer dereference (DoS) when glibc v.2.17 or FIPS-140 enabled Linux system used
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122" id="CVE-2013-4122" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="cyrus-sasl-ntlm" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-ntlm-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-ldap" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-ldap-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-debuginfo" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-debuginfo-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-sql" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-sql-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-devel" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-devel-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-lib" release="13.14.amzn1" 
version="2.1.23"><filename>Packages/cyrus-sasl-lib-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-plain" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-plain-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-gssapi" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-gssapi-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl-md5" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-md5-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="cyrus-sasl" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-ldap" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-ldap-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-ntlm" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-ntlm-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-debuginfo" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-debuginfo-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-sql" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-sql-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-lib" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-lib-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-plain" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-plain-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-devel" release="13.14.amzn1" 
version="2.1.23"><filename>Packages/cyrus-sasl-devel-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-gssapi" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-gssapi-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-2.1.23-13.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="cyrus-sasl-md5" release="13.14.amzn1" version="2.1.23"><filename>Packages/cyrus-sasl-md5-2.1.23-13.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-339</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-339: medium priority package update for kernel</title><issued date="2014-05-13 16:40" /><updated date="2014-09-18 00:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3836 CVE-2014-0196: 3837 The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. 
3838 1094232: 3839 CVE-2014-0196 kernel: pty layer race condition leading to memory corruption 3840 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196" id="CVE-2014-0196" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf" release="50.136.amzn1" version="3.10.40"><filename>Packages/perf-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-devel-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-debuginfo-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-headers-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="50.136.amzn1" version="3.10.40"><filename>Packages/perf-debuginfo-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="50.136.amzn1" version="3.10.40"><filename>Packages/perf-debuginfo-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="50.136.amzn1" version="3.10.40"><filename>Packages/perf-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" 
release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-headers-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-devel-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-debuginfo-common-i686-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-debuginfo-3.10.40-50.136.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="50.136.amzn1" version="3.10.40"><filename>Packages/kernel-doc-3.10.40-50.136.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-340</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-340: low priority package update for libxml2</title><issued date="2014-05-21 10:29" /><updated date="2014-09-18 00:35" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2877:
983204:
CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877" id="CVE-2013-2877" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2-devel" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-python-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-static" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python" release="1.1.27.amzn1" version="2.9.1"><filename>Packages/libxml2-python-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="1.1.27.amzn1"
version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-341</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-341: medium priority package update for libxml2</title><issued date="2014-05-21 10:31" /><updated date="2014-09-18 00:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0191:
1090976:
CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191" id="CVE-2014-0191" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-static" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-python-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="1.1.30.amzn1"
version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-python-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="1.1.30.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-1.1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-342</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-342: medium priority package update for php55</title><issued date="2014-05-21 10:40" /><updated date="2014-09-18 00:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" id="CVE-2013-7345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mbstring-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-intl-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-dba-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-xml-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-odbc-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-common-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-xmlrpc-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-pdo-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-tidy-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-opcache-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd"
release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mysqlnd-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-pgsql-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-fpm-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-embedded-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-recode-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-pspell-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-snmp-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-imap-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-gmp-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mssql-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-soap-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-process" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-process-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-bcmath-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-enchant-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-devel-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-debuginfo-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mcrypt-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-gd-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-cli-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-ldap-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-recode-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-xml-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.71.amzn1" 
version="5.5.12"><filename>Packages/php55-gmp-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-tidy-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-cli-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-process-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-pgsql-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-devel-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-snmp-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-ldap-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-soap-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-xmlrpc-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-gd-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.71.amzn1" 
version="5.5.12"><filename>Packages/php55-debuginfo-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-fpm-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-enchant-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-common-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mcrypt-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-opcache-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-odbc-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-intl-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-dba-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mysqlnd-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-imap-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-pspell-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" 
release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mbstring-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-bcmath-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-pdo-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-embedded-5.5.12-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.71.amzn1" version="5.5.12"><filename>Packages/php55-mssql-5.5.12-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-343</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-343: medium priority package update for php54</title><issued date="2014-05-21 10:40" /><updated date="2014-09-18 00:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" id="CVE-2013-7345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mbstring-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-odbc-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mysql-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-xmlrpc-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mcrypt-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-pspell-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-pgsql-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-xml-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-recode-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap"
release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-imap-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-process-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-tidy-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-intl-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-snmp-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-gd-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-enchant-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-dba-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mysqlnd-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-bcmath-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-embedded-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-pdo-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php54-fpm" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-fpm-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-debuginfo-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mssql-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-ldap-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-soap-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-devel-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-common-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-cli-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-tidy-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-recode-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-snmp-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.54.amzn1" 
version="5.4.28"><filename>Packages/php54-mysqlnd-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-cli-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-gd-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-pdo-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-odbc-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mcrypt-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-fpm-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-imap-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-soap-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-bcmath-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-dba-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.54.amzn1" 
version="5.4.28"><filename>Packages/php54-mbstring-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-pgsql-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-pspell-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-devel-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mysql-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-intl-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-ldap-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-enchant-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-mssql-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-debuginfo-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-xml-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-process-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" 
release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-xmlrpc-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-common-5.4.28-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.54.amzn1" version="5.4.28"><filename>Packages/php54-embedded-5.4.28-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-344</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-344: medium priority package update for tomcat6</title><issued date="2014-05-21 10:45" /><updated date="2014-09-18 00:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0050:
A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request.

CVE-2013-4322:
It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default.
CVE-2013-4286:
It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.

CVE-2012-3544:
It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544" id="CVE-2012-3544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050" id="CVE-2014-0050" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286" id="CVE-2013-4286" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322" id="CVE-2013-4322" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0429.html" id="RHSA-2014:0429" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-servlet-2.5-api-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-lib-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch"
epoch="0" name="tomcat6-webapps" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-webapps-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-admin-webapps-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-javadoc-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-docs-webapp-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-jsp-2.1-api-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.4.amzn1" version="6.0.39"><filename>Packages/tomcat6-el-2.1-api-6.0.39-1.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-345</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-345: medium priority package update for elfutils</title><issued date="2014-05-21 10:48" /><updated date="2014-09-18 00:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3872 CVE-2014-0172: 3873 Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed 
compressed debug section in an ELF file, which triggers a heap-based buffer overflow. 3874 1085663: 3875 CVE-2014-0172 elfutils: integer overflow, leading to a heap-based buffer overflow in libdw 3876 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0172" id="CVE-2014-0172" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="elfutils-debuginfo" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-debuginfo-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils-devel" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-devel-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils-libelf" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libelf-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils-libelf-devel" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libelf-devel-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils-libelf-devel-static" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libelf-devel-static-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils-devel-static" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-devel-static-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="elfutils-libs" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libs-0.158-3.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-devel-static" release="3.16.amzn1" 
version="0.158"><filename>Packages/elfutils-devel-static-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-libelf" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libelf-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-devel" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-devel-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-debuginfo" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-debuginfo-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-libs" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libs-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-libelf-devel" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libelf-devel-0.158-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="elfutils-libelf-devel-static" release="3.16.amzn1" version="0.158"><filename>Packages/elfutils-libelf-devel-static-0.158-3.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-346</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-346: medium priority package update for lighttpd</title><issued date="2014-06-03 14:50" /><updated date="2014-09-18 00:37" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3877 CVE-2014-2324: 3878 1075703: 3879 CVE-2014-2323 CVE-2014-2324 lighttpd: SQL injection and directory traversal vulnerabilities 3880 Multiple directory traversal vulnerabilities in (1) 
mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. 3881 3882 CVE-2014-2323: 3883 1075703: 3884 CVE-2014-2323 CVE-2014-2324 lighttpd: SQL injection and directory traversal vulnerabilities 3885 SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. 3886 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324" id="CVE-2014-2324" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323" id="CVE-2014-2323" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-debuginfo" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-debuginfo-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-fastcgi" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-fastcgi-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_geoip" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-mod_geoip-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_geoip" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-mod_geoip-1.4.35-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-fastcgi" 
release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-fastcgi-1.4.35-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-1.4.35-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-debuginfo" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-debuginfo-1.4.35-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.9.amzn1" version="1.4.35"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.35-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-347</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-347: medium priority package update for cacti</title><issued date="2014-06-03 14:59" /><updated date="2014-09-18 00:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3887 CVE-2014-2709: 3888 lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters. 3889 1084258: 3890 CVE-2014-2708 CVE-2014-2709 cacti: command injection issues fixed in bug#0002405 3891 3892 CVE-2014-2708: 3893 Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter. 
3894 1084258: 3895 CVE-2014-2708 CVE-2014-2709 cacti: command injection issues fixed in bug#0002405 3896 3897 CVE-2014-2328: 3898 1082122: 3899 CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom 3900 lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors. 3901 3902 CVE-2014-2327: 3903 1082122: 3904 CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom 3905 Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users. 3906 3907 CVE-2014-2326: 3908 1082122: 3909 CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom 3910 Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 
3911 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2327" id="CVE-2014-2327" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2326" id="CVE-2014-2326" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709" id="CVE-2014-2709" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708" id="CVE-2014-2708" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2328" id="CVE-2014-2328" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="5.4.amzn1" version="0.8.8b"><filename>Packages/cacti-0.8.8b-5.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-348</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-348: low priority package update for munin</title><issued date="2014-06-03 15:03" /><updated date="2014-09-18 00:39" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3912 CVE-2013-6359: 3913 1037888: 3914 CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18 3915 Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name. 3916 3917 CVE-2013-6048: 3918 The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data. 
3919 1037888: 3920 CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18 3921 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048" id="CVE-2013-6048" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359" id="CVE-2013-6359" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="munin-async" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-async-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-nginx" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-nginx-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-cgi" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-cgi-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-ruby-plugins" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-ruby-plugins-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-netip-plugins" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-netip-plugins-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-common" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-common-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-node" release="1.36.amzn1" version="2.0.20"><filename>Packages/munin-node-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-java-plugins" release="1.36.amzn1" 
version="2.0.20"><filename>Packages/munin-java-plugins-2.0.20-1.36.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-349</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-349: important priority package update for openssl</title><issued date="2014-06-04 15:45" /><updated date="2015-03-19 13:50" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3922 CVE-2015-0292: 3923 An integer underflow flaw, leading to a heap-based buffer overflow, was found in the way OpenSSL decoded certain base64 strings. A remote attacker could provide a specially crafted base64 string via certain PEM processing routines that, when parsed by the OpenSSL library, would cause the OpenSSL server to crash. 3924 1202395: 3925 CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding 3926 3927 CVE-2014-3470: 3928 3929 3930 CVE-2014-0224: 3931 3932 3933 CVE-2014-0221: 3934 3935 3936 CVE-2014-0198: 3937 Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. 3938 3939 CVE-2014-0195: 3940 3941 3942 CVE-2010-5298: 3943 Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. 
3944 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0292" id="CVE-2015-0292" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221" id="CVE-2014-0221" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198" id="CVE-2014-0198" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224" id="CVE-2014-0224" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298" id="CVE-2010-5298" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470" id="CVE-2014-3470" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195" id="CVE-2014-0195" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0625.html" id="RHSA-2014:0625" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-debuginfo-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-static-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-devel-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-perl-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" 
release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-devel-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-debuginfo-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-perl-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="1.72.amzn1" version="1.0.1h"><filename>Packages/openssl-static-1.0.1h-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-350</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-350: important priority package update for openssl098e</title><issued date="2014-06-05 15:38" /><updated date="2014-09-18 00:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3945 CVE-2014-0224: 3946 It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. 
3947 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224" id="CVE-2014-0224" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0626.html" id="RHSA-2014:0626" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssl098e-debuginfo" release="18.2.13.amzn1" version="0.9.8e"><filename>Packages/openssl098e-debuginfo-0.9.8e-18.2.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl098e" release="18.2.13.amzn1" version="0.9.8e"><filename>Packages/openssl098e-0.9.8e-18.2.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssl098e-debuginfo" release="18.2.13.amzn1" version="0.9.8e"><filename>Packages/openssl098e-debuginfo-0.9.8e-18.2.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl098e" release="18.2.13.amzn1" version="0.9.8e"><filename>Packages/openssl098e-0.9.8e-18.2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-351</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-351: important priority package update for openssl097a</title><issued date="2014-06-05 15:38" /><updated date="2014-09-19 10:19" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3948 CVE-2014-0224: 3949 It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. 
3950 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224" id="CVE-2014-0224" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0626.html" id="RHSA-2014:0626" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssl097a-debuginfo" release="12.1.9.amzn1" version="0.9.7a"><filename>Packages/openssl097a-debuginfo-0.9.7a-12.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl097a" release="12.1.9.amzn1" version="0.9.7a"><filename>Packages/openssl097a-0.9.7a-12.1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssl097a" release="12.1.9.amzn1" version="0.9.7a"><filename>Packages/openssl097a-0.9.7a-12.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl097a-debuginfo" release="12.1.9.amzn1" version="0.9.7a"><filename>Packages/openssl097a-debuginfo-0.9.7a-12.1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-352</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-352: important priority package update for gnutls</title><issued date="2014-06-05 15:38" /><updated date="2014-09-19 10:20" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3951 CVE-2014-3466: 3952 A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. 
3953 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466" id="CVE-2014-3466" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0595.html" id="RHSA-2014:0595" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls-guile" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="14.13.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-14.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="14.13.amzn1" 
version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-14.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-353</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-353: important priority package update for libmicrohttpd</title><issued date="2014-06-15 16:17" /><updated date="2014-09-19 10:20" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3954 CVE-2013-7039: 3955 1039390: 3956 CVE-2013-7039 libmicrohttpd: stack overflow in MHD_digest_auth_check() 3957 Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header. 3958 3959 CVE-2013-7038: 3960 1039384: 3961 CVE-2013-7038 libmicrohttpd: out-of-bounds read in MHD_http_unescape() 3962 The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read. 
3963 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7039" id="CVE-2013-7039" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7038" id="CVE-2013-7038" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libmicrohttpd-devel" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-devel-0.9.33-2.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libmicrohttpd" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-0.9.33-2.3.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="libmicrohttpd-doc" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-doc-0.9.33-2.3.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libmicrohttpd-debuginfo" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-debuginfo-0.9.33-2.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libmicrohttpd-devel" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-devel-0.9.33-2.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libmicrohttpd" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-0.9.33-2.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libmicrohttpd-debuginfo" release="2.3.amzn1" version="0.9.33"><filename>Packages/libmicrohttpd-debuginfo-0.9.33-2.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-354</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-354: medium priority package update for pam</title><issued date="2014-06-15 16:18" /><updated date="2014-09-19 10:21" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3964 CVE-2014-2583: 3965 1080243: 3966 CVE-2014-2583 pam: path traversal issue in pam_timestamp's format_timestamp_name() 3967 Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function. 3968 3969 CVE-2013-7041: 3970 1038555: 3971 CVE-2013-7041 pam: pam_userdb case insensitive password hash comparison 3972 The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack. 3973 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583" id="CVE-2014-2583" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7041" id="CVE-2013-7041" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pam" release="9.29.amzn1" version="1.1.8"><filename>Packages/pam-1.1.8-9.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam-devel" release="9.29.amzn1" version="1.1.8"><filename>Packages/pam-devel-1.1.8-9.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam-debuginfo" release="9.29.amzn1" version="1.1.8"><filename>Packages/pam-debuginfo-1.1.8-9.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pam" release="9.29.amzn1" version="1.1.8"><filename>Packages/pam-1.1.8-9.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam-devel" release="9.29.amzn1" 
version="1.1.8"><filename>Packages/pam-devel-1.1.8-9.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam-debuginfo" release="9.29.amzn1" version="1.1.8"><filename>Packages/pam-debuginfo-1.1.8-9.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-355</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-355: low priority package update for glibc</title><issued date="2014-06-15 16:19" /><updated date="2014-09-19 10:22" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 3974 CVE-2013-4588: 3975 1030800: 3976 CVE-2013-4588 Kernel: net: ipvs: stack buffer overflow 3977 Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4588" id="CVE-2013-4588" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-static" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="55.84.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.84.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" 
release="55.84.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.84.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.84.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-356</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-356: low priority package update for perltidy</title><issued date="2014-06-15 16:19" /><updated date="2014-09-19 10:22" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2277:
1074720:
CVE-2014-2277 perltidy: insecure temporary file creation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2277" id="CVE-2014-2277" title="" type="cve" 
/></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="perltidy" release="3.8.amzn1" version="20121207"><filename>Packages/perltidy-20121207-3.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-357</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-357: low priority package update for readline</title><issued date="2014-06-15 16:20" /><updated date="2014-09-19 10:23" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2524:
1077023:
CVE-2014-2524 readline: insecure temporary file use in _rl_tropen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524" id="CVE-2014-2524" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="readline-debuginfo" release="9.14.amzn1" version="6.2"><filename>Packages/readline-debuginfo-6.2-9.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="readline-static" release="9.14.amzn1" version="6.2"><filename>Packages/readline-static-6.2-9.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="readline" release="9.14.amzn1" version="6.2"><filename>Packages/readline-6.2-9.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="readline-devel" release="9.14.amzn1" version="6.2"><filename>Packages/readline-devel-6.2-9.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="readline-debuginfo" release="9.14.amzn1" version="6.2"><filename>Packages/readline-debuginfo-6.2-9.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="readline" release="9.14.amzn1" 
version="6.2"><filename>Packages/readline-6.2-9.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="readline-devel" release="9.14.amzn1" version="6.2"><filename>Packages/readline-devel-6.2-9.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="readline-static" release="9.14.amzn1" version="6.2"><filename>Packages/readline-static-6.2-9.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-358</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-358: low priority package update for perl-Capture-Tiny</title><issued date="2014-06-15 16:20" /><updated date="2014-09-19 10:23" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1875:
1062424:
CVE-2014-1875 perl-Capture-Tiny: insecure temporary file usage
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1875" id="CVE-2014-1875" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="perl-Capture-Tiny" release="1.5.amzn1" version="0.24"><filename>Packages/perl-Capture-Tiny-0.24-1.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-359</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-359: medium priority package update for libtasn1</title><issued date="2014-06-15 16:22" /><updated date="2014-09-19 10:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3469:
Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() 
function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way.

CVE-2014-3468:
It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code.

CVE-2014-3467:
Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467" id="CVE-2014-3467" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469" id="CVE-2014-3469" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468" id="CVE-2014-3468" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0596.html" id="RHSA-2014:0596" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtasn1-debuginfo" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-debuginfo-2.3-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-2.3-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1-devel" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-devel-2.3-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtasn1-tools" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-tools-2.3-6.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="libtasn1-devel" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-devel-2.3-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtasn1" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-2.3-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtasn1-tools" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-tools-2.3-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtasn1-debuginfo" release="6.6.amzn1" version="2.3"><filename>Packages/libtasn1-debuginfo-2.3-6.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-360</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-360: medium priority package update for squid</title><issued date="2014-06-15 16:22" /><updated date="2014-09-19 10:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0128:
A denial of service flaw was found in the way Squid processed certain HTTPS requests when the SSL Bump feature was enabled. A remote attacker could send specially crafted requests that could cause Squid to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128" id="CVE-2014-0128" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0597.html" id="RHSA-2014:0597" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid" release="20.15.amzn1" version="3.1.10"><filename>Packages/squid-3.1.10-20.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid-debuginfo" release="20.15.amzn1" version="3.1.10"><filename>Packages/squid-debuginfo-3.1.10-20.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="20.15.amzn1" version="3.1.10"><filename>Packages/squid-debuginfo-3.1.10-20.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="20.15.amzn1" version="3.1.10"><filename>Packages/squid-3.1.10-20.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-361</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-361: medium priority package update for php54</title><issued date="2014-06-15 16:29" /><updated date="2014-09-19 10:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop

CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" id="CVE-2014-0237" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" id="CVE-2014-0238" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-pspell" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-pspell-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-recode-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-embedded-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-imap-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-odbc-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-bcmath-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.55.amzn1" 
version="5.4.29"><filename>Packages/php54-pgsql-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-cli-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-pdo-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-fpm-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mcrypt-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mbstring-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-snmp-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-gd-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mssql-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-xml-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mysql-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" 
release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-enchant-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-xmlrpc-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-dba-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-tidy-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-intl-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-debuginfo-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-soap-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-ldap-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-process-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-common-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mysqlnd-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.55.amzn1" 
version="5.4.29"><filename>Packages/php54-devel-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-tidy-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mssql-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-soap-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mysqlnd-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-embedded-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-process-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-recode-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-ldap-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-cli-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-common-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-pspell-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" 
release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-xml-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-imap-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-snmp-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-pgsql-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mcrypt-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-intl-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-gd-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-debuginfo-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-fpm-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-xmlrpc-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-pdo-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.55.amzn1" 
version="5.4.29"><filename>Packages/php54-dba-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-bcmath-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mbstring-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-enchant-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-mysql-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-devel-5.4.29-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.55.amzn1" version="5.4.29"><filename>Packages/php54-odbc-5.4.29-1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-362</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-362: medium priority package update for php55</title><issued date="2014-06-15 16:29" /><updated date="2014-09-19 10:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop

CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" id="CVE-2014-0237" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" id="CVE-2014-0238" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-recode" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-recode-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-imap-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-gmp-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mcrypt-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-debuginfo-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-pdo-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-fpm" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-fpm-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-bcmath-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-cli-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-opcache-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-odbc-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-soap-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-xmlrpc-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mbstring-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-pgsql-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-snmp-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mssql-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="3.74.amzn1" 
version="5.5.13"><filename>Packages/php55-ldap-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-tidy-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-devel-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-xml-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-embedded-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-gd-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-enchant-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-pspell-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mysqlnd-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-intl-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-dba-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-common-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php55-process" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-process-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-odbc-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mssql-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-soap-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-intl-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-cli-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-bcmath-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-imap-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mcrypt-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-xml-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-dba-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mbstring-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-mysqlnd" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-mysqlnd-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-ldap-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-devel-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-gmp-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-embedded-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-opcache-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-enchant-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-common-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-tidy-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-fpm-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-process-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-debuginfo" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-debuginfo-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-recode-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-pgsql-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-pdo-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-snmp-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-gd-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-xmlrpc-5.5.13-3.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="3.74.amzn1" version="5.5.13"><filename>Packages/php55-pspell-5.5.13-3.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-363</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-363: medium priority package update for kernel</title><issued date="2014-06-15 16:30" /><updated date="2014-09-19 10:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3153:
1103626:
CVE-2014-3153 kernel: futex: pi futexes requeue issue
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different
futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153" id="CVE-2014-3153" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="52.145.amzn1" version="3.10.42"><filename>Packages/perf-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="52.145.amzn1" version="3.10.42"><filename>Packages/perf-debuginfo-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-headers-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-devel-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-debuginfo-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-debuginfo-common-i686-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="52.145.amzn1" 
version="3.10.42"><filename>Packages/kernel-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="52.145.amzn1" version="3.10.42"><filename>Packages/perf-debuginfo-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-devel-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-debuginfo-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-headers-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="52.145.amzn1" version="3.10.42"><filename>Packages/perf-3.10.42-52.145.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="52.145.amzn1" version="3.10.42"><filename>Packages/kernel-doc-3.10.42-52.145.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-364</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-364: important priority package update for nrpe</title><issued date="2014-06-26 10:29" /><updated date="2014-09-19 10:26" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2913:
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties.
It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
1089878:
CVE-2014-2913 nrpe: remote command execution when command arguments are enabled
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913" id="CVE-2014-2913" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nrpe-debuginfo" release="2.7.amzn1" version="2.15"><filename>Packages/nrpe-debuginfo-2.15-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nrpe" release="2.7.amzn1" version="2.15"><filename>Packages/nrpe-2.15-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-plugins-nrpe" release="2.7.amzn1" version="2.15"><filename>Packages/nagios-plugins-nrpe-2.15-2.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nagios-plugins-nrpe" release="2.7.amzn1" version="2.15"><filename>Packages/nagios-plugins-nrpe-2.15-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nrpe-debuginfo" release="2.7.amzn1" version="2.15"><filename>Packages/nrpe-debuginfo-2.15-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nrpe" release="2.7.amzn1" version="2.15"><filename>Packages/nrpe-2.15-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-365</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-365: medium priority package update for libtiff</title><issued date="2014-06-26 10:31" /><updated date="2014-09-19 10:27" /><severity>medium</severity><description>Package updates are available for Amazon Linux 
AMI that fix the following vulnerabilities:
CVE-2013-4244:
The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.
996468:
CVE-2013-4244 libtiff (gif2tiff): OOB Write in LZW decompressor
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.

CVE-2013-4243:
Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image.
996052:
CVE-2013-4243 libtiff (gif2tiff): possible heap-based buffer overflow in readgifimage()
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.

CVE-2013-4232:
995975:
CVE-2013-4232 libtiff (tiff2pdf): use-after-free in t2p_readwrite_pdf_image()
Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted TIFF image.
A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.

CVE-2013-4231:
Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.
995965:
CVE-2013-4231 libtiff (gif2tiff): GIF LZW decoder missing datasize value check
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232" id="CVE-2013-4232" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244" id="CVE-2013-4244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243" id="CVE-2013-4243" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231" id="CVE-2013-4231" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtiff-devel" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="15.19.amzn1" 
version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-15.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-4.0.3-15.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-15.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="15.19.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-15.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-366</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-366: low priority package update for chrony</title><issued date="2014-07-09 16:20" /><updated date="2014-09-19 10:27" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0021:
1054790:
CVE-2014-0021 chrony: DDoS via amplification in cmdmon protocol
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0021" id="CVE-2014-0021" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="chrony-debuginfo" release="1.8.amzn1" version="1.29.1"><filename>Packages/chrony-debuginfo-1.29.1-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="chrony" release="1.8.amzn1" version="1.29.1"><filename>Packages/chrony-1.29.1-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="chrony" release="1.8.amzn1" 
version="1.29.1"><filename>Packages/chrony-1.29.1-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="chrony-debuginfo" release="1.8.amzn1" version="1.29.1"><filename>Packages/chrony-debuginfo-1.29.1-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-367</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-367: medium priority package update for php54</title><issued date="2014-07-09 16:24" /><updated date="2014-09-19 10:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4049:
1108447:
CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

CVE-2014-3981:
1104978:
CVE-2014-3981 php: insecure temporary file use in the configure script
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.

CVE-2014-3515:


CVE-2014-3487:
1107544:
CVE-2014-3487 file: cdf_read_property_info insufficient boundary check

CVE-2014-3480:
1104858:
CVE-2014-3480 file: cdf_count_chain insufficient boundary check

CVE-2014-3479:
1104869:
CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check

CVE-2014-3478:
1104863:
CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size

CVE-2014-0207:
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981" id="CVE-2014-3981" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479" id="CVE-2014-3479" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" id="CVE-2014-0207" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515" id="CVE-2014-3515" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478" id="CVE-2014-3478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049" id="CVE-2014-4049" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487" id="CVE-2014-3487" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480" id="CVE-2014-3480" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mcrypt-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.56.amzn1" 
version="5.4.30"><filename>Packages/php54-ldap-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-imap-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-snmp-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-pdo-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-pspell-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-dba-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-embedded-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-bcmath-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-intl-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-common-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-xml-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" 
release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-fpm-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-pgsql-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-cli-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-process-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-soap-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-tidy-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-recode-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-gd-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-enchant-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mssql-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-debuginfo-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.56.amzn1" 
version="5.4.30"><filename>Packages/php54-mysqlnd-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-odbc-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-devel-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mysql-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mbstring-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-xmlrpc-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-gd-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-intl-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-snmp-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mysqlnd-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-bcmath-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mbstring-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php54-embedded" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-embedded-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-xml-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-xmlrpc-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-debuginfo-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-pdo-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-dba-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-tidy-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-imap-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-soap-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-enchant-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-devel-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" 
release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-fpm-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-common-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-cli-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mysql-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-odbc-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-ldap-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-pspell-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mssql-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-recode-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-mcrypt-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-pgsql-5.4.30-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.56.amzn1" version="5.4.30"><filename>Packages/php54-process-5.4.30-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-368</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-368: medium priority package update for kernel</title><issued date="2014-07-09 16:29" /><updated date="2014-09-19 10:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4608:
** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."
1113899:
CVE-2014-4608 kernel: lzo1x_decompress_safe() integer overflow

CVE-2014-4508:
1111590:
CVE-2014-4508 Kernel: x86_32: BUG in syscall auditing
arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.

CVE-2014-4014:
1107966:
CVE-2014-4014 Kernel: possible privilege escalation in user namespace
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.

CVE-2014-0206:
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.
1094602:
CVE-2014-0206 kernel: aio: insufficient sanitization of head in aio_read_events_ring()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4508" id="CVE-2014-4508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4608" id="CVE-2014-4608" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0206" id="CVE-2014-0206" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014" id="CVE-2014-4014" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-debuginfo-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-headers-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-devel-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="55.140.amzn1" version="3.10.48"><filename>Packages/perf-debuginfo-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="55.140.amzn1" version="3.10.48"><filename>Packages/perf-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package arch="i686" 
epoch="0" name="kernel-devel" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-devel-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="55.140.amzn1" version="3.10.48"><filename>Packages/perf-debuginfo-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-headers-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-debuginfo-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="55.140.amzn1" version="3.10.48"><filename>Packages/perf-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-debuginfo-common-i686-3.10.48-55.140.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="55.140.amzn1" version="3.10.48"><filename>Packages/kernel-doc-3.10.48-55.140.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-369</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-369: medium priority package update for openssh</title><issued date="2014-07-09 16:32" /><updated date="2014-09-19 10:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2653:
1081338:
CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
The
verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.

CVE-2014-2532:
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
1077843:
CVE-2014-2532 openssh: AcceptEnv environment restriction bypass flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532" id="CVE-2014-2532" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653" id="CVE-2014-2653" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-ldap" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="5.8.41.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="openssh-server" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-8.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-8.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="5.8.41.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-8.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-8.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-8.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="8.41.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-8.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-370</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-370: important priority package update for chkrootkit</title><issued date="2014-07-09 16:36" /><updated date="2014-09-19 10:35" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0476:
1104455:
CVE-2014-0476 chkrootkit: local privilege escalation
</description><references><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0476" id="CVE-2014-0476" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="chkrootkit" release="9.8.amzn1" version="0.49"><filename>Packages/chkrootkit-0.49-9.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="chkrootkit-debuginfo" release="9.8.amzn1" version="0.49"><filename>Packages/chkrootkit-debuginfo-0.49-9.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="chkrootkit-debuginfo" release="9.8.amzn1" version="0.49"><filename>Packages/chkrootkit-debuginfo-0.49-9.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="chkrootkit" release="9.8.amzn1" version="0.49"><filename>Packages/chkrootkit-0.49-9.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-371</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-371: medium priority package update for python-jinja2</title><issued date="2014-07-09 16:39" /><updated date="2014-09-19 10:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1402:
1051421:
CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1402" id="CVE-2014-1402" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python-jinja2" release="2.10.amzn1" version="2.7.2"><filename>Packages/python-jinja2-2.7.2-2.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-372</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-372: medium priority package update for php55</title><issued date="2014-07-09 16:42" /><updated date="2014-09-19 10:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4049:
1108447:
CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

CVE-2014-3981:
1104978:
CVE-2014-3981 php: insecure temporary file use in the configure script
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
CVE-2014-3515:


CVE-2014-3487:
1107544:
CVE-2014-3487 file: cdf_read_property_info insufficient boundary check

CVE-2014-3480:
1104858:
CVE-2014-3480 file: cdf_count_chain insufficient boundary check

CVE-2014-3479:
1104869:
CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check

CVE-2014-3478:
1104863:
CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size

CVE-2014-0207:
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981" id="CVE-2014-3981" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479" id="CVE-2014-3479" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" id="CVE-2014-0207" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515" id="CVE-2014-3515" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478" id="CVE-2014-3478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049" id="CVE-2014-4049" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487" id="CVE-2014-3487" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480" id="CVE-2014-3480" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-gd" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-gd-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.75.amzn1"
version="5.5.14"><filename>Packages/php55-opcache-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-recode-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-pdo-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-common-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-embedded-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-intl-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-gmp-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-tidy-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-enchant-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-cli-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-snmp-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-soap-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php55-bcmath" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-bcmath-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-xml-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-imap-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-devel-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mysqlnd-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mcrypt-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-odbc-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-fpm-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-process-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mbstring-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.75.amzn1" 
version="5.5.14"><filename>Packages/php55-debuginfo-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-xmlrpc-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-ldap-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-dba-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-pgsql-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-pspell-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mssql-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mysqlnd-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-soap-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-embedded-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-xml-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-intl-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-recode" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-recode-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mssql-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-odbc-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-dba-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-imap-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-enchant-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-gmp-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-debuginfo-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-common-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-bcmath-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-xmlrpc-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-tidy" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-tidy-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-pgsql-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-pdo-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-ldap-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-opcache-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-snmp-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-gd-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-pspell-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mcrypt-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-mbstring-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-devel-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-fpm-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-cli" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-cli-5.5.14-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.75.amzn1" version="5.5.14"><filename>Packages/php55-process-5.5.14-1.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-373</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-373: medium priority package update for lzo</title><issued date="2014-07-09 16:45" /><updated date="2014-09-19 10:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4607:
An integer overflow flaw was found in the way the lzo library decompressed
certain archives compressed with the LZO algorithm. An attacker could
create a specially crafted LZO-compressed input that, when decompressed by
an application using the lzo library, would cause that application to crash
or, potentially, execute arbitrary code.
(CVE-2014-4607)
1112418:
CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607" id="CVE-2014-4607" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lzo-debuginfo" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-debuginfo-2.08-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lzo-devel" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-devel-2.08-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lzo-minilzo" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-minilzo-2.08-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lzo" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-2.08-1.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lzo-minilzo" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-minilzo-2.08-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lzo" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-2.08-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lzo-debuginfo" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-debuginfo-2.08-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lzo-devel" release="1.5.amzn1" version="2.08"><filename>Packages/lzo-devel-2.08-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-374</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-374: low priority package update for python-simplejson</title><issued date="2014-07-09 16:51" /><updated date="2014-09-19 10:47" /><severity>low</severity><description>Package updates
are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4616:
1112285:
CVE-2014-4616 python: missing boundary check in JSON module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616" id="CVE-2014-4616" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python-simplejson-debuginfo" release="1.7.amzn1" version="3.5.3"><filename>Packages/python-simplejson-debuginfo-3.5.3-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python-simplejson" release="1.7.amzn1" version="3.5.3"><filename>Packages/python-simplejson-3.5.3-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python-simplejson-debuginfo" release="1.7.amzn1" version="3.5.3"><filename>Packages/python-simplejson-debuginfo-3.5.3-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python-simplejson" release="1.7.amzn1" version="3.5.3"><filename>Packages/python-simplejson-3.5.3-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-375</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-375: important priority package update for mod24_wsgi</title><issued date="2014-07-09 23:02" /><updated date="2014-09-19 10:37" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0242:
1101873:
CVE-2014-0242 mod_wsgi: information leak

CVE-2014-0240:
The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of
running processes.
1101863:
CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242" id="CVE-2014-0242" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240" id="CVE-2014-0240" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_wsgi-py27" release="1.17.amzn1" version="3.5"><filename>Packages/mod24_wsgi-py27-3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi" release="1.17.amzn1" version="3.5"><filename>Packages/mod24_wsgi-3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi-debuginfo" release="1.17.amzn1" version="3.5"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi" release="1.17.amzn1" version="3.5"><filename>Packages/mod24_wsgi-3.5-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-debuginfo" release="1.17.amzn1" version="3.5"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-py27" release="1.17.amzn1" version="3.5"><filename>Packages/mod24_wsgi-py27-3.5-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-376</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-376: important priority package update for mod_wsgi</title><issued date="2014-07-09 23:07" /><updated date="2014-09-19 10:18" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0242:
1101873:
CVE-2014-0242 mod_wsgi: information leak

CVE-2014-0240:
The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.
1101863:
CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242" id="CVE-2014-0242" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240" id="CVE-2014-0240" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_wsgi-debuginfo" release="6.8.amzn1" version="3.2"><filename>Packages/mod_wsgi-debuginfo-3.2-6.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_wsgi" release="6.8.amzn1" version="3.2"><filename>Packages/mod_wsgi-3.2-6.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_wsgi-debuginfo" release="6.8.amzn1" version="3.2"><filename>Packages/mod_wsgi-debuginfo-3.2-6.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_wsgi" release="6.8.amzn1" version="3.2"><filename>Packages/mod_wsgi-3.2-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-377</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-377: important priority package update for php-ZendFramework</title><issued date="2014-07-23 13:39" /><updated date="2014-09-19 10:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2685:
1081288:
CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)

CVE-2014-2684:
1081288:
CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)

CVE-2014-2683:
1081287:
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)

CVE-2014-2682:
1081287:
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)

CVE-2014-2681:
1081287:
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684" id="CVE-2014-2684" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685" id="CVE-2014-2685" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681" id="CVE-2014-2681" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682" id="CVE-2014-2682" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683" id="CVE-2014-2683" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="php-ZendFramework-Pdf" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Pdf-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Search-Lucene" release="1.8.amzn1"
version="1.12.5"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Serializer-Adapter-Igbinary" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Libmemcached" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mssql" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Services" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Services-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Captcha" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Captcha-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-extras" release="1.8.amzn1" 
version="1.12.5"><filename>Packages/php-ZendFramework-extras-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Ldap" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Ldap-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-full" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-full-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Auth-Adapter-Ldap" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Memcached" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Soap" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Soap-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Feed" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Feed-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mysql" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Dojo" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Dojo-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Apc" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" 
name="php-ZendFramework-demos" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-demos-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Mysqli" release="1.8.amzn1" version="1.12.5"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.5-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-378</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-378: medium priority package update for gnupg</title><issued date="2014-07-23 13:50" /><updated date="2014-09-19 10:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4617:
1112509:
CVE-2014-4617 gnupg: infinite loop when decompressing data packets
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617" id="CVE-2014-4617" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg-debuginfo" release="1.25.amzn1" version="1.4.18"><filename>Packages/gnupg-debuginfo-1.4.18-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg" release="1.25.amzn1" version="1.4.18"><filename>Packages/gnupg-1.4.18-1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg" release="1.25.amzn1" version="1.4.18"><filename>Packages/gnupg-1.4.18-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg-debuginfo" release="1.25.amzn1" version="1.4.18"><filename>Packages/gnupg-debuginfo-1.4.18-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-379</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-379: medium priority package update for gnupg2</title><issued date="2014-07-23 13:51" /><updated date="2014-09-19 10:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4617:
1112509:
CVE-2014-4617 gnupg: infinite loop when decompressing data packets
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617" id="CVE-2014-4617" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg2-smime" release="1.25.amzn1" version="2.0.24"><filename>Packages/gnupg2-smime-2.0.24-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-debuginfo" release="1.25.amzn1" version="2.0.24"><filename>Packages/gnupg2-debuginfo-2.0.24-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2" release="1.25.amzn1" version="2.0.24"><filename>Packages/gnupg2-2.0.24-1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2" release="1.25.amzn1" version="2.0.24"><filename>Packages/gnupg2-2.0.24-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-debuginfo" release="1.25.amzn1" version="2.0.24"><filename>Packages/gnupg2-debuginfo-2.0.24-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-smime" release="1.25.amzn1" version="2.0.24"><filename>Packages/gnupg2-smime-2.0.24-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-380</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-380: medium priority package update for python27</title><issued date="2014-07-23 13:53" /><updated date="2014-09-19 10:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4616:
1112285:
CVE-2014-4616 python: missing boundary check in JSON module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616" id="CVE-2014-4616" title="" type="cve"
/></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-tools" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-tools-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-libs-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-test-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-devel-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-debuginfo-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-tools-2.7.5-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-2.7.5-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-test-2.7.5-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-debuginfo-2.7.5-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-libs-2.7.5-13.35.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="python27-devel" release="13.35.amzn1" version="2.7.5"><filename>Packages/python27-devel-2.7.5-13.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-381</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-381: medium priority package update for cacti</title><issued date="2014-07-23 13:54" /><updated date="2014-09-19 10:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4002:
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.
1113035:
CVE-2014-4002 cacti: Cross-Site Scripting Vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4002" id="CVE-2014-4002" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="7.5.amzn1" version="0.8.8b"><filename>Packages/cacti-0.8.8b-7.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-382</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-382: medium priority package update for file</title><issued date="2014-07-23 13:57" /><updated date="2014-09-19 15:57" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3538:
1098222:
CVE-2014-3538 file: extensive backtracking in awk rule regular expression (incomplete fix for CVE-2013-7345)
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.

CVE-2014-3487:
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
1107544:
CVE-2014-3487 file: cdf_read_property_info insufficient boundary check

CVE-2014-3480:
1104858:
CVE-2014-3480 file: cdf_count_chain insufficient boundary check
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.

CVE-2014-3479:
1104869:
CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2014-3478:
1104863:
CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.

CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop

CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS

CVE-2014-0207:
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" id="CVE-2014-0237" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538" id="CVE-2014-3538" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" id="CVE-2014-0207" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" id="CVE-2014-0238" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478" id="CVE-2014-3478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479" id="CVE-2014-3479" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487" id="CVE-2014-3487" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480" id="CVE-2014-3480" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python-magic" release="1.18.amzn1" version="5.19"><filename>Packages/python-magic-5.19-1.18.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="1.18.amzn1" version="5.19"><filename>Packages/file-5.19-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-devel" release="1.18.amzn1"
version="5.19"><filename>Packages/file-devel-5.19-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="1.18.amzn1" version="5.19"><filename>Packages/file-libs-5.19-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-debuginfo" release="1.18.amzn1" version="5.19"><filename>Packages/file-debuginfo-5.19-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="1.18.amzn1" version="5.19"><filename>Packages/file-static-5.19-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="1.18.amzn1" version="5.19"><filename>Packages/file-devel-5.19-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="1.18.amzn1" version="5.19"><filename>Packages/file-5.19-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="1.18.amzn1" version="5.19"><filename>Packages/file-static-5.19-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="1.18.amzn1" version="5.19"><filename>Packages/file-debuginfo-5.19-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="1.18.amzn1" version="5.19"><filename>Packages/file-libs-5.19-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-383</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-383: critical priority package update for java-1.7.0-openjdk</title><issued date="2014-07-23 14:01" /><updated date="2014-09-19 11:37" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4266:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in
OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-4263:
The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key.

CVE-2014-4262:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-4252:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-4244:
It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys.

CVE-2014-4223:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-4221:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-4219:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2014-4218:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-4216:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2014-4209:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2490:
A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine.

CVE-2014-2483:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4262" id="CVE-2014-4262" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4263" id="CVE-2014-4263" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4266" id="CVE-2014-4266" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4252" id="CVE-2014-4252" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2483" id="CVE-2014-2483" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4244" id="CVE-2014-4244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2490" id="CVE-2014-2490" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4216" id="CVE-2014-4216" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4223" id="CVE-2014-4223" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4219" id="CVE-2014-4219" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4218" id="CVE-2014-4218" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4221" id="CVE-2014-4221" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4209" id="CVE-2014-4209" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0889.html" id="RHSA-2014:0889" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.5.1.2.43.amzn1"
version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.1.2.43.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.1.2.43.amzn1" version="1.7.0.65"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-384</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-384: critical priority package update for nspr</title><issued date="2014-07-23 14:07" /><updated date="2014-09-19 11:38" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1545:
1107432:
CVE-2014-1545 Mozilla: Out of bounds write in NSPR (MFSA 2014-55)
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545" id="CVE-2014-1545" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nspr" release="1.22.amzn1" version="4.10.4"><filename>Packages/nspr-4.10.4-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-debuginfo" release="1.22.amzn1" version="4.10.4"><filename>Packages/nspr-debuginfo-4.10.4-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-devel" release="1.22.amzn1" version="4.10.4"><filename>Packages/nspr-devel-4.10.4-1.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nspr-debuginfo" release="1.22.amzn1" version="4.10.4"><filename>Packages/nspr-debuginfo-4.10.4-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr" release="1.22.amzn1" version="4.10.4"><filename>Packages/nspr-4.10.4-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr-devel" release="1.22.amzn1" version="4.10.4"><filename>Packages/nspr-devel-4.10.4-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-385</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-385: critical priority package update for nss</title><issued date="2014-07-23 14:08" /><updated date="2014-09-19 11:38" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1544:
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code
via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
1116198:
CVE-2014-1544 nss: Race-condition in certificate verification can lead to Remote code execution (MFSA 2014-63)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544" id="CVE-2014-1544" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-tools" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-tools-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-debuginfo-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-sysinit-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-pkcs11-devel-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-devel-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-tools-3.16.0-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-devel-3.16.0-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-sysinit-3.16.0-1.36.amzn1.i686.rpm</filename></package><package arch="i686"
epoch="0" name="nss-debuginfo" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-debuginfo-3.16.0-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-3.16.0-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="1.36.amzn1" version="3.16.0"><filename>Packages/nss-pkcs11-devel-3.16.0-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-386</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-386: medium priority package update for dovecot</title><issued date="2014-07-23 14:09" /><updated date="2014-09-19 11:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3430:
1096402:
CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
4329 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430" id="CVE-2014-3430" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="dovecot-debuginfo" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-debuginfo-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dovecot-pigeonhole" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-pigeonhole-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dovecot-devel" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-devel-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dovecot-pgsql" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-pgsql-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dovecot-mysql" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-mysql-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dovecot" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="dovecot-pigeonhole" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-pigeonhole-2.0.9-7.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dovecot-devel" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-devel-2.0.9-7.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dovecot-debuginfo" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-debuginfo-2.0.9-7.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dovecot" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-2.0.9-7.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="dovecot-mysql" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-mysql-2.0.9-7.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dovecot-pgsql" release="7.14.amzn1" version="2.0.9"><filename>Packages/dovecot-pgsql-2.0.9-7.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-387</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-387: important priority package update for java-1.6.0-openjdk</title><issued date="2014-07-31 13:52" /><updated date="2014-09-19 11:38" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4330 CVE-2014-4266: 4331 Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 4332 4333 CVE-2014-4263: 4334 The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. 4335 4336 CVE-2014-4262: 4337 An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. 4338 4339 CVE-2014-4252: 4340 Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 4341 4342 CVE-2014-4244: 4343 It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. 
An attacker able to measure timing differences of those operations could possibly leak information about the used keys.

CVE-2014-4219:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2014-4218:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-4216:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2014-4209:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-2490:
A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine.
4359 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4262" id="CVE-2014-4262" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4263" id="CVE-2014-4263" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4266" id="CVE-2014-4266" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4252" id="CVE-2014-4252" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2490" id="CVE-2014-2490" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4244" id="CVE-2014-4244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4216" id="CVE-2014-4216" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4219" id="CVE-2014-4219" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4218" id="CVE-2014-4218" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4209" id="CVE-2014-4209" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0907.html" id="RHSA-2014:0907" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.4.65.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.4.65.amzn1" version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.4.65.amzn1" 
version="1.6.0.0"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-388</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-388: important priority package update for httpd</title><issued date="2014-07-31 13:54" /><updated date="2014-09-19 11:39" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4360 CVE-2014-0231: 4361 A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. 4362 4363 CVE-2014-0226: 4364 A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. 4365 4366 CVE-2014-0118: 4367 A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. 
4368 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118" id="CVE-2014-0118" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226" id="CVE-2014-0226" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231" id="CVE-2014-0231" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0920.html" id="RHSA-2014:0920" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-tools" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-tools-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-devel-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-manual-2.2.27-1.3.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.3.amzn1" version="2.2.27"><filename>Packages/mod_ssl-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-debuginfo-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-tools-2.2.27-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-devel-2.2.27-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.3.amzn1" 
version="2.2.27"><filename>Packages/httpd-2.2.27-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.3.amzn1" version="2.2.27"><filename>Packages/mod_ssl-2.2.27-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.3.amzn1" version="2.2.27"><filename>Packages/httpd-debuginfo-2.2.27-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-389</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-389: important priority package update for httpd24</title><issued date="2014-07-31 13:56" /><updated date="2014-09-19 11:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4369 CVE-2014-0231: 4370 1120596: 4371 CVE-2014-0231 httpd: mod_cgid denial of service 4372 A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. 4373 4374 CVE-2014-0226: 4375 1120603: 4376 CVE-2014-0226 httpd: mod_status heap-based buffer overflow 4377 A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. 4378 4379 CVE-2014-0118: 4380 A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). 
A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. 4381 1120601: 4382 CVE-2014-0118 httpd: mod_deflate denial of service 4383 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118" id="CVE-2014-0118" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226" id="CVE-2014-0226" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231" id="CVE-2014-0231" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_proxy_html-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-tools-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_ldap-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-debuginfo-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-devel-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_session-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" 
release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-manual-2.4.10-1.59.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_ssl-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_proxy_html-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-debuginfo-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_ldap-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-tools-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_ssl-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.59.amzn1" version="2.4.10"><filename>Packages/httpd24-devel-2.4.10-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.59.amzn1" version="2.4.10"><filename>Packages/mod24_session-2.4.10-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-390</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-390: medium priority package update for transmission</title><issued date="2014-07-31 14:00" /><updated date="2014-09-19 11:41" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4384 CVE-2014-4909: 4385 Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bitfield.c in Transmission before 2.84 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted peer message, which triggers an out-of-bounds write. 4386 1118290: 4387 CVE-2014-4909 transmission: peer communication vulnerability 4388 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909" id="CVE-2014-4909" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="transmission-common" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-common-2.84-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-daemon" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-daemon-2.84-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-2.84-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-debuginfo" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-debuginfo-2.84-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-cli" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-cli-2.84-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="transmission-cli" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-cli-2.84-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission-daemon" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-daemon-2.84-1.9.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="transmission-common" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-common-2.84-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission-debuginfo" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-debuginfo-2.84-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission" release="1.9.amzn1" version="2.84"><filename>Packages/transmission-2.84-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-391</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-391: medium priority package update for openssl</title><issued date="2014-08-07 12:26" /><updated date="2014-09-19 11:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4389 CVE-2014-5139: 4390 1127491: 4391 CVE-2014-5139 openssl: crash with SRP ciphersuite in Server Hello message 4392 4393 CVE-2014-3512: 4394 1127505: 4395 CVE-2014-3512 openssl: SRP buffer overrun 4396 4397 CVE-2014-3511: 4398 1127504: 4399 CVE-2014-3511 openssl: TLS protocol downgrade attack 4400 4401 CVE-2014-3510: 4402 1127503: 4403 CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service 4404 4405 CVE-2014-3509: 4406 1127498: 4407 CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext 4408 4409 CVE-2014-3508: 4410 1127490: 4411 CVE-2014-3508 openssl: information leak in pretty printing functions 4412 4413 CVE-2014-3507: 4414 1127502: 4415 CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments 4416 4417 CVE-2014-3506: 4418 1127500: 4419 CVE-2014-3506 openssl: DTLS memory exhaustion 4420 4421 CVE-2014-3505: 4422 1127499: 4423 CVE-2014-3505 openssl: DTLS packet processing double free 4424 </description><references><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505" id="CVE-2014-3505" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506" id="CVE-2014-3506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507" id="CVE-2014-3507" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512" id="CVE-2014-3512" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511" id="CVE-2014-3511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510" id="CVE-2014-3510" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508" id="CVE-2014-3508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509" id="CVE-2014-3509" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139" id="CVE-2014-5139" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-static" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-static-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-debuginfo-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-devel-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="1.78.amzn1" 
version="1.0.1i"><filename>Packages/openssl-perl-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-devel-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-debuginfo-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-perl-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="1.78.amzn1" version="1.0.1i"><filename>Packages/openssl-static-1.0.1i-1.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-392</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-392: medium priority package update for kernel</title><issued date="2014-08-21 11:03" /><updated date="2014-09-19 11:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4425 CVE-2014-3153: 4426 A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system. 
1103626:
CVE-2014-3153 kernel: futex: pi futexes requeue issue
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.

CVE-2014-1739:
The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
1109774:
CVE-2014-1739 Kernel: drivers: media: an information leakage

CVE-2014-0196:
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
4438 1094232: 4439 CVE-2014-0196 kernel: pty layer race condition leading to memory corruption 4440 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1739" id="CVE-2014-1739" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153" id="CVE-2014-3153" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196" id="CVE-2014-0196" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-headers-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-debuginfo-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-devel-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="56.140.amzn1" version="3.10.53"><filename>Packages/perf-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="56.140.amzn1" version="3.10.53"><filename>Packages/perf-debuginfo-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="56.140.amzn1" 
version="3.10.53"><filename>Packages/perf-debuginfo-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-headers-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="56.140.amzn1" version="3.10.53"><filename>Packages/perf-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-debuginfo-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-debuginfo-common-i686-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-devel-3.10.53-56.140.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="56.140.amzn1" version="3.10.53"><filename>Packages/kernel-doc-3.10.53-56.140.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-393</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-393: medium priority package update for php</title><issued date="2014-08-21 11:15" /><updated date="2014-09-19 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4441 CVE-2014-4049: 4442 1108447: 4443 CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing 4444 A heap-based buffer overflow flaw was found in the way PHP parsed DNS TXT 
records. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application used the dns_get_record() function to perform a DNS query.
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

CVE-2014-3981:
1104978:
CVE-2014-3981 php: insecure temporary file use in the configure script
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.

CVE-2014-3515:
1112154:
CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.

CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop
A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
4462 4463 CVE-2014-0237: 4464 The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. 4465 1098193: 4466 CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS 4467 A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. 4468 4469 CVE-2014-0207: 4470 1091842: 4471 CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check 4472 A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file. 4473 The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file. 4474 4475 CVE-2013-6712: 4476 A buffer over-read flaw was found in the way the DateInterval class parsed interval specifications. An attacker able to make a PHP application parse a specially crafted specification using DateInterval could possibly cause the PHP interpreter to crash. 
4477 1035670: 4478 CVE-2013-6712 php: heap-based buffer over-read in DateInterval 4479 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" id="CVE-2014-0237" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981" id="CVE-2014-3981" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712" id="CVE-2013-6712" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049" id="CVE-2014-4049" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" id="CVE-2014-0207" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515" id="CVE-2014-3515" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" id="CVE-2014-0238" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-debuginfo-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-tidy-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-enchant" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-enchant-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-pdo-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.7.amzn1" 
version="5.3.29"><filename>Packages/php-mcrypt-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mssql-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-cli-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-recode-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-ldap-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-dba-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-xml-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-intl-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-snmp-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-embedded-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-xmlrpc-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-imap-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.7.amzn1" 
version="5.3.29"><filename>Packages/php-devel-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-bcmath-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-odbc" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-odbc-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-soap-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mysql-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mysqlnd-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mbstring-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-pgsql-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-gd-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-process-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-fpm-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-common" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-common-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.7.amzn1" 
version="5.3.29"><filename>Packages/php-pspell-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php-enchant" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-enchant-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-devel-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-xmlrpc-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-bcmath-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-fpm-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-tidy-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-embedded-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mysql-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-xml-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mcrypt-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.7.amzn1" 
version="5.3.29"><filename>Packages/php-snmp-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-pspell-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mssql-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-ldap-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-intl-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-odbc-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-debuginfo-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-pdo-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mbstring-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-gd-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-recode-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-pgsql-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.7.amzn1" 
version="5.3.29"><filename>Packages/php-imap-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-cli-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-soap-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-process-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-dba-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-common-5.3.29-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.7.amzn1" version="5.3.29"><filename>Packages/php-mysqlnd-5.3.29-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-394</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-394: medium priority package update for php-ZendFramework</title><issued date="2014-08-21 11:18" /><updated date="2014-09-19 11:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4480 CVE-2014-4914: 4481 1117545: 4482 CVE-2014-4914 Zend FrameWork: ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select 4483 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914" id="CVE-2014-4914" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" 
name="php-ZendFramework-Serializer-Adapter-Igbinary" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-full" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-full-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mysql" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Dojo" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Dojo-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Pdf" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Pdf-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Services" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Services-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Search-Lucene" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Libmemcached" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework" release="1.9.amzn1" 
version="1.12.7"><filename>Packages/php-ZendFramework-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Apc" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-demos" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-demos-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Soap" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Soap-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Mysqli" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Ldap" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Ldap-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-extras" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-extras-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Captcha" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Captcha-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mssql" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" 
name="php-ZendFramework-Feed" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Feed-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Auth-Adapter-Ldap" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Memcached" release="1.9.amzn1" version="1.12.7"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.7-1.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-395</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-395: low priority package update for exim</title><issued date="2014-08-21 11:19" /><updated date="2014-09-19 11:48" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4484 CVE-2014-2972: 4485 1122552: 4486 CVE-2014-2972 exim: local code execution via string expansion 4487 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2972" id="CVE-2014-2972" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-pgsql" release="6.6.amzn1" version="4.72"><filename>Packages/exim-pgsql-4.72-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="6.6.amzn1" version="4.72"><filename>Packages/exim-mon-4.72-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="6.6.amzn1" version="4.72"><filename>Packages/exim-greylist-4.72-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="6.6.amzn1" 
version="4.72"><filename>Packages/exim-4.72-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-debuginfo" release="6.6.amzn1" version="4.72"><filename>Packages/exim-debuginfo-4.72-6.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mysql" release="6.6.amzn1" version="4.72"><filename>Packages/exim-mysql-4.72-6.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="6.6.amzn1" version="4.72"><filename>Packages/exim-mon-4.72-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="6.6.amzn1" version="4.72"><filename>Packages/exim-debuginfo-4.72-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="6.6.amzn1" version="4.72"><filename>Packages/exim-mysql-4.72-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="6.6.amzn1" version="4.72"><filename>Packages/exim-greylist-4.72-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="6.6.amzn1" version="4.72"><filename>Packages/exim-pgsql-4.72-6.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="6.6.amzn1" version="4.72"><filename>Packages/exim-4.72-6.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-396</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-396: important priority package update for 389-ds-base</title><issued date="2014-08-21 11:20" /><updated date="2014-09-19 11:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4488 CVE-2014-3562: 4489 1123477: 4490 CVE-2014-3562 389-ds: unauthenticated information disclosure 4491 It was found that when replication was enabled 
for each attribute in Red Hat Directory Server / 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information. 4492 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3562" id="CVE-2014-3562" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-libs-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-devel-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-debuginfo-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-libs-1.3.2.22-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-1.3.2.22-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="1.18.amzn1" version="1.3.2.22"><filename>Packages/389-ds-base-devel-1.3.2.22-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="1.18.amzn1" 
version="1.3.2.22"><filename>Packages/389-ds-base-debuginfo-1.3.2.22-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-397</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-397: medium priority package update for libserf</title><issued date="2014-09-03 14:37" /><updated date="2014-09-19 11:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4493 CVE-2014-3504: 4494 1128962: 4495 CVE-2014-3504 libserf: failure to properly handle a NUL character in the CommonName or SubjectAltNames fields 4496 The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. 
4497 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504" id="CVE-2014-3504" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libserf" release="1.6.amzn1" version="1.3.7"><filename>Packages/libserf-1.3.7-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libserf-devel" release="1.6.amzn1" version="1.3.7"><filename>Packages/libserf-devel-1.3.7-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libserf-debuginfo" release="1.6.amzn1" version="1.3.7"><filename>Packages/libserf-debuginfo-1.3.7-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libserf-debuginfo" release="1.6.amzn1" version="1.3.7"><filename>Packages/libserf-debuginfo-1.3.7-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libserf-devel" release="1.6.amzn1" version="1.3.7"><filename>Packages/libserf-devel-1.3.7-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libserf" release="1.6.amzn1" version="1.3.7"><filename>Packages/libserf-1.3.7-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-398</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-398: medium priority package update for file</title><issued date="2014-09-03 14:38" /><updated date="2014-09-19 11:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4498 CVE-2014-3587: 4499 1128587: 4500 CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info 4501 Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, 
allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571. 4502 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587" id="CVE-2014-3587" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="file-devel" release="4.19.amzn1" version="5.19"><filename>Packages/file-devel-5.19-4.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="4.19.amzn1" version="5.19"><filename>Packages/file-5.19-4.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python-magic" release="4.19.amzn1" version="5.19"><filename>Packages/python-magic-5.19-4.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="4.19.amzn1" version="5.19"><filename>Packages/file-static-5.19-4.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="4.19.amzn1" version="5.19"><filename>Packages/file-libs-5.19-4.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-debuginfo" release="4.19.amzn1" version="5.19"><filename>Packages/file-debuginfo-5.19-4.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="4.19.amzn1" version="5.19"><filename>Packages/file-devel-5.19-4.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="4.19.amzn1" version="5.19"><filename>Packages/file-libs-5.19-4.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="4.19.amzn1" version="5.19"><filename>Packages/file-static-5.19-4.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="4.19.amzn1" 
version="5.19"><filename>Packages/file-debuginfo-5.19-4.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="4.19.amzn1" version="5.19"><filename>Packages/file-5.19-4.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-399</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-399: important priority package update for glibc</title><issued date="2014-09-03 14:44" /><updated date="2014-09-19 11:57" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4503 CVE-2014-5119: 4504 1119128: 4505 CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find() 4506 An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application. 
4507 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119" id="CVE-2014-5119" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="55.85.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.85.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.85.amzn1" 
version="2.17"><filename>Packages/glibc-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.85.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="55.85.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-400</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-400: medium priority package update for glibc</title><issued date="2014-09-17 21:41" /><updated date="2014-09-19 11:58" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4508 CVE-2014-0475: 4509 1102353: 4510 CVE-2014-0475 glibc: directory traversal in LC_* locale handling 4511 A directory traveral flaw was found in the way glibc loaded locale files. 
An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application. 4512 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475" id="CVE-2014-0475" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-common" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="55.86.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.86.amzn1" 
version="2.17"><filename>Packages/glibc-headers-2.17-55.86.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.86.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.86.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-401</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-401: low priority package update for automake19</title><issued date="2014-09-17 21:41" /><updated date="2014-09-19 12:01" /><severity>low</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-3386:
It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
838286:
CVE-2012-3386 automake: locally exploitable "make distcheck" bug
The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386" id="CVE-2012-3386" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="automake19" release="3.12.amzn1" version="1.9.6"><filename>Packages/automake19-1.9.6-3.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-402</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-402: medium priority package update for lua</title><issued date="2014-09-17 21:44" /><updated date="2014-09-19 12:01" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5461:
1132304:
CVE-2014-5461 lua: overflow flaw in vararg functions
Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.
4523 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461" id="CVE-2014-5461" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lua-devel" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-devel-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lua-debuginfo" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-debuginfo-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lua-static" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-static-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lua" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lua" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-5.1.4-4.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lua-devel" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-devel-5.1.4-4.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lua-debuginfo" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-debuginfo-5.1.4-4.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lua-static" release="4.1.9.amzn1" version="5.1.4"><filename>Packages/lua-static-5.1.4-4.1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-403</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-403: medium priority package update for libXext</title><issued date="2014-09-17 21:44" /><updated date="2014-09-19 12:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities: 4524 CVE-2013-1982: 4525 Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions. 4526 959046: 4527 CVE-2013-1982 libXext: Multiple integer overflows leading to heap-based buffer-overflows 4528 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1982" id="CVE-2013-1982" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libXext-debuginfo" release="2.9.amzn1" version="1.3.1"><filename>Packages/libXext-debuginfo-1.3.1-2.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXext-devel" release="2.9.amzn1" version="1.3.1"><filename>Packages/libXext-devel-1.3.1-2.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXext" release="2.9.amzn1" version="1.3.1"><filename>Packages/libXext-1.3.1-2.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXext-debuginfo" release="2.9.amzn1" version="1.3.1"><filename>Packages/libXext-debuginfo-1.3.1-2.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXext-devel" release="2.9.amzn1" version="1.3.1"><filename>Packages/libXext-devel-1.3.1-2.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXext" release="2.9.amzn1" version="1.3.1"><filename>Packages/libXext-1.3.1-2.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-404</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-404: medium priority package update for 
libXfont</title><issued date="2014-09-17 21:44" /><updated date="2014-09-19 12:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0211:
1096601:
CVE-2014-0211 libXfont: integer overflows calculating memory needs for xfs replies
Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs reply, which triggers a buffer overflow.

CVE-2014-0210:
1096597:
CVE-2014-0210 libXfont: unvalidated length fields when parsing xfs protocol replies
Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function.

CVE-2014-0209:
1096593:
CVE-2014-0209 libXfont: integer overflow of allocations in font metadata file parsing
Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata.
4543 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211" id="CVE-2014-0211" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210" id="CVE-2014-0210" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209" id="CVE-2014-0209" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libXfont" release="3.9.amzn1" version="1.4.5"><filename>Packages/libXfont-1.4.5-3.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfont-debuginfo" release="3.9.amzn1" version="1.4.5"><filename>Packages/libXfont-debuginfo-1.4.5-3.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfont-devel" release="3.9.amzn1" version="1.4.5"><filename>Packages/libXfont-devel-1.4.5-3.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXfont" release="3.9.amzn1" version="1.4.5"><filename>Packages/libXfont-1.4.5-3.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfont-devel" release="3.9.amzn1" version="1.4.5"><filename>Packages/libXfont-devel-1.4.5-3.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfont-debuginfo" release="3.9.amzn1" version="1.4.5"><filename>Packages/libXfont-debuginfo-1.4.5-3.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-405</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-405: medium priority package update for libxcb</title><issued date="2014-09-17 21:45" /><updated date="2014-09-19 12:04" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4544 CVE-2013-2064: 4545 960367: 4546 
CVE-2013-2064 libxcb: Integer overflow leading to heap-based buffer overlow 4547 Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function. 4548 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064" id="CVE-2013-2064" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxcb" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxcb-devel" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-devel-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="libxcb-doc" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-doc-1.8.1-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libxcb-debuginfo" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-debuginfo-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxcb-python" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-python-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxcb-debuginfo" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-debuginfo-1.8.1-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxcb-devel" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-devel-1.8.1-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxcb-python" release="1.15.amzn1" version="1.8.1"><filename>Packages/libxcb-python-1.8.1-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxcb" release="1.15.amzn1" 
version="1.8.1"><filename>Packages/libxcb-1.8.1-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-406</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-406: medium priority package update for libXtst</title><issued date="2014-09-17 21:45" /><updated date="2014-09-19 12:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4549 CVE-2013-2063: 4550 960366: 4551 CVE-2013-2063 libXtst:Integer overflow leading to heap-based buffer overlow 4552 Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function. 4553 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2063" id="CVE-2013-2063" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libXtst" release="2.8.amzn1" version="1.2.1"><filename>Packages/libXtst-1.2.1-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXtst-debuginfo" release="2.8.amzn1" version="1.2.1"><filename>Packages/libXtst-debuginfo-1.2.1-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXtst-devel" release="2.8.amzn1" version="1.2.1"><filename>Packages/libXtst-devel-1.2.1-2.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXtst-debuginfo" release="2.8.amzn1" version="1.2.1"><filename>Packages/libXtst-debuginfo-1.2.1-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXtst" release="2.8.amzn1" version="1.2.1"><filename>Packages/libXtst-1.2.1-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXtst-devel" 
release="2.8.amzn1" version="1.2.1"><filename>Packages/libXtst-devel-1.2.1-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-407</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-407: medium priority package update for curl</title><issued date="2014-09-17 21:45" /><updated date="2014-09-19 12:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4554 CVE-2014-3620: 4555 1138846: 4556 CVE-2014-3620 curl: cookies accepted for TLDs 4557 4558 CVE-2014-3613: 4559 1136154: 4560 CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain 4561 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620" id="CVE-2014-3620" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613" id="CVE-2014-3613" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl-devel" release="1.46.amzn1" version="7.38.0"><filename>Packages/libcurl-devel-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="1.46.amzn1" version="7.38.0"><filename>Packages/curl-debuginfo-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="1.46.amzn1" version="7.38.0"><filename>Packages/libcurl-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="1.46.amzn1" version="7.38.0"><filename>Packages/curl-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="1.46.amzn1" version="7.38.0"><filename>Packages/libcurl-7.38.0-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="libcurl-devel" release="1.46.amzn1" version="7.38.0"><filename>Packages/libcurl-devel-7.38.0-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="1.46.amzn1" version="7.38.0"><filename>Packages/curl-debuginfo-7.38.0-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="1.46.amzn1" version="7.38.0"><filename>Packages/curl-7.38.0-1.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-408</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-408: important priority package update for procmail</title><issued date="2014-09-17 21:46" /><updated date="2014-09-19 12:08" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4562 CVE-2014-3618: 4563 A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail. 
4564 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618" id="CVE-2014-3618" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1172.html" id="RHSA-2014:1172" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="procmail-debuginfo" release="25.1.6.amzn1" version="3.22"><filename>Packages/procmail-debuginfo-3.22-25.1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="procmail" release="25.1.6.amzn1" version="3.22"><filename>Packages/procmail-3.22-25.1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="procmail" release="25.1.6.amzn1" version="3.22"><filename>Packages/procmail-3.22-25.1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="procmail-debuginfo" release="25.1.6.amzn1" version="3.22"><filename>Packages/procmail-debuginfo-3.22-25.1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-409</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-409: medium priority package update for fwsnort</title><issued date="2014-09-17 21:46" /><updated date="2014-09-19 12:08" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4565 CVE-2014-0039: 4566 Untrusted search path vulnerability in fwsnort before 1.6.4, when not running as root, allows local users to execute arbitrary code via a Trojan horse fwsnort.conf in the current working directory. 
1060602:
CVE-2014-0039 fwsnort: configuration file can be loaded from cwd when run as a non-root user
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0039" id="CVE-2014-0039" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="fwsnort" release="1.5.amzn1" version="1.6.4"><filename>Packages/fwsnort-1.6.4-1.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-410</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-410: important priority package update for jakarta-commons-httpclient</title><issued date="2014-09-17 21:47" /><updated date="2014-09-19 12:09" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3577:
1129074:
CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.

CVE-2012-6153:
1129916:
CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.

CVE-2012-5783:
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
873317:
CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783" id="CVE-2012-5783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577" id="CVE-2014-3577" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153" id="CVE-2012-6153" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="jakarta-commons-httpclient-manual" release="15.8.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-manual-3.1-15.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="jakarta-commons-httpclient-demo" release="15.8.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-demo-3.1-15.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="jakarta-commons-httpclient-javadoc" release="15.8.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-javadoc-3.1-15.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1"
name="jakarta-commons-httpclient" release="15.8.amzn1" version="3.1"><filename>Packages/jakarta-commons-httpclient-3.1-15.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-411</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-411: important priority package update for squid</title><issued date="2014-09-17 21:47" /><updated date="2014-09-19 12:09" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3609:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.

CVE-2013-4115:
A buffer overflow flaw was found in Squid's DNS lookup module. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
4591 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115" id="CVE-2013-4115" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609" id="CVE-2014-3609" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1148.html" id="RHSA-2014:1148" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid" release="22.16.amzn1" version="3.1.10"><filename>Packages/squid-3.1.10-22.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid-debuginfo" release="22.16.amzn1" version="3.1.10"><filename>Packages/squid-debuginfo-3.1.10-22.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="22.16.amzn1" version="3.1.10"><filename>Packages/squid-debuginfo-3.1.10-22.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="22.16.amzn1" version="3.1.10"><filename>Packages/squid-3.1.10-22.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-412</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-412: important priority package update for axis</title><issued date="2014-09-17 21:47" /><updated date="2014-09-19 12:09" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4592 CVE-2014-3596: 4593 It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. 
4594 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596" id="CVE-2014-3596" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1193.html" id="RHSA-2014:1193" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="axis" release="7.5.14.amzn1" version="1.2.1"><filename>Packages/axis-1.2.1-7.5.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="axis-javadoc" release="7.5.14.amzn1" version="1.2.1"><filename>Packages/axis-javadoc-1.2.1-7.5.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="axis-manual" release="7.5.14.amzn1" version="1.2.1"><filename>Packages/axis-manual-1.2.1-7.5.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-413</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-413: medium priority package update for subversion</title><issued date="2014-09-17 21:48" /><updated date="2014-09-19 12:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4595 CVE-2014-3522: 4596 The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. 
4597 1127063: 4598 CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer 4599 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522" id="CVE-2014-3522" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-javahl-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-devel-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-libs-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-python-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-perl-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-debuginfo-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-ruby-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.44.amzn1" version="1.8.10"><filename>Packages/mod_dav_svn-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-tools-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="subversion" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-tools-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-libs-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-ruby-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.44.amzn1" version="1.8.10"><filename>Packages/mod_dav_svn-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-javahl-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-python-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-perl-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-devel-1.8.10-1.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.44.amzn1" version="1.8.10"><filename>Packages/subversion-debuginfo-1.8.10-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" 
status="final" type="security" version="1.4"><id>ALAS-2014-414</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-414: low priority package update for httpd</title><issued date="2014-09-17 21:48" /><updated date="2014-09-19 12:10" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5704:
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
1082903:
CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704" id="CVE-2013-5704" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-debuginfo-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-devel-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-tools-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-manual-2.2.29-1.4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.4.amzn1" version="2.2.29"><filename>Packages/mod_ssl-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package 
arch="i686" epoch="1" name="mod_ssl" release="1.4.amzn1" version="2.2.29"><filename>Packages/mod_ssl-2.2.29-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-2.2.29-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-debuginfo-2.2.29-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-devel-2.2.29-1.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.4.amzn1" version="2.2.29"><filename>Packages/httpd-tools-2.2.29-1.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-415</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-415: medium priority package update for php55</title><issued date="2014-09-18 21:03" /><updated date="2014-09-19 12:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5120:
1132793:
CVE-2014-5120 php: gd extension NUL byte injection in file names
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.

CVE-2014-3587:
1128587:
CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.

CVE-2014-2497:
1076676:
CVE-2014-2497 gd: NULL pointer dereference in gdImageCreateFromXpm()
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.

CVE-2012-1571:
805197:
CVE-2012-1571 file: out of bounds read in CDF parser
A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571" id="CVE-2012-1571" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120" id="CVE-2014-5120" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497" id="CVE-2014-2497" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587" id="CVE-2014-3587" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-fpm" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-fpm-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-ldap-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-intl-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-odbc-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mbstring-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-gmp-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-pgsql-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-cli-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" 
release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-bcmath-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-gd-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-xmlrpc-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-tidy-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mssql-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-devel-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-xml-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mcrypt-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-pspell-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-soap-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-pdo-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-common-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-opcache" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-opcache-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-embedded-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-enchant-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-imap-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-snmp-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-debuginfo-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mysqlnd-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-process-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-recode-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-dba-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.90.amzn1" 
version="5.5.17"><filename>Packages/php55-opcache-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-bcmath-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-fpm-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-recode-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-pgsql-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-snmp-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-embedded-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-ldap-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-pdo-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-tidy-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-enchant-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-intl-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.90.amzn1" 
version="5.5.17"><filename>Packages/php55-pspell-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-soap-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-common-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-xmlrpc-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-gmp-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-xml-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-devel-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mssql-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-debuginfo-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-gd-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-dba-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-imap-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.90.amzn1" 
version="5.5.17"><filename>Packages/php55-mbstring-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mcrypt-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-mysqlnd-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-odbc-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-cli-5.5.17-1.90.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.90.amzn1" version="5.5.17"><filename>Packages/php55-process-5.5.17-1.90.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-416</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-416: medium priority package update for json-c</title><issued date="2014-09-18 21:04" /><updated date="2014-09-19 12:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6371:
The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.
1032311:
CVE-2013-6371 json-c: hash collision DoS

CVE-2013-6370:
Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.
1032322:
CVE-2013-6370 json-c: buffer overflow if size_t is larger than int
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371" id="CVE-2013-6371" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370" id="CVE-2013-6370" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="json-c-debuginfo" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-debuginfo-0.11-6.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="json-c" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-0.11-6.8.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="json-c-doc" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-doc-0.11-6.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="json-c-devel" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-devel-0.11-6.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="json-c-debuginfo" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-debuginfo-0.11-6.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="json-c" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-0.11-6.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="json-c-devel" release="6.8.amzn1" version="0.11"><filename>Packages/json-c-devel-0.11-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-417</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-417: medium priority package update for kernel</title><issued date="2014-09-18 21:04" /><updated date="2014-09-19 12:11" /><severity>medium</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5207:
1129662:
CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.

CVE-2014-5206:
1129662:
CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" command within a user namespace.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5207" id="CVE-2014-5207" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206" id="CVE-2014-5206" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="17.43.amzn1" version="3.14.19"><filename>Packages/perf-debuginfo-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-devel-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="17.43.amzn1" version="3.14.19"><filename>Packages/perf-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-debuginfo-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-tools-devel-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-tools-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="17.43.amzn1" 
version="3.14.19"><filename>Packages/kernel-tools-debuginfo-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-headers-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-tools-debuginfo-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-debuginfo-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="17.43.amzn1" version="3.14.19"><filename>Packages/perf-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-tools-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-devel-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-tools-devel-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="17.43.amzn1" version="3.14.19"><filename>Packages/perf-debuginfo-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-headers-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="17.43.amzn1" 
version="3.14.19"><filename>Packages/kernel-debuginfo-common-i686-3.14.19-17.43.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="17.43.amzn1" version="3.14.19"><filename>Packages/kernel-doc-3.14.19-17.43.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-418</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-418: critical priority package update for bash</title><issued date="2014-09-24 07:48" /><updated date="2014-09-25 22:19" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6271:
1141597:
CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271" id="CVE-2014-6271" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="bash" release="15.19.amzn1" version="4.1.2"><filename>Packages/bash-4.1.2-15.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bash-debuginfo" release="15.19.amzn1" version="4.1.2"><filename>Packages/bash-debuginfo-4.1.2-15.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bash-doc" release="15.19.amzn1" version="4.1.2"><filename>Packages/bash-doc-4.1.2-15.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="bash-doc" release="15.19.amzn1" version="4.1.2"><filename>Packages/bash-doc-4.1.2-15.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bash" release="15.19.amzn1" version="4.1.2"><filename>Packages/bash-4.1.2-15.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bash-debuginfo" release="15.19.amzn1" version="4.1.2"><filename>Packages/bash-debuginfo-4.1.2-15.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-419</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-419: important priority package update for bash</title><issued date="2014-09-24 22:26" /><updated date="2014-09-27 18:29" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7187:
1146804:
CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. 
Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.

CVE-2014-7186:
It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.
1146791:
CVE-2014-7186 bash: parser can allow out-of-bounds memory access while handling redir_stack

CVE-2014-7169:
1146319:
CVE-2014-7169 bash: Code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
1146319:
CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
Details pending
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186" id="CVE-2014-7186" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169" id="CVE-2014-7169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187" id="CVE-2014-7187" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="bash-doc" release="15.21.amzn1" version="4.1.2"><filename>Packages/bash-doc-4.1.2-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bash-debuginfo" release="15.21.amzn1" version="4.1.2"><filename>Packages/bash-debuginfo-4.1.2-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bash" release="15.21.amzn1" version="4.1.2"><filename>Packages/bash-4.1.2-15.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="bash-debuginfo" release="15.21.amzn1" version="4.1.2"><filename>Packages/bash-debuginfo-4.1.2-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bash-doc" release="15.21.amzn1" version="4.1.2"><filename>Packages/bash-doc-4.1.2-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bash" release="15.21.amzn1" version="4.1.2"><filename>Packages/bash-4.1.2-15.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-420</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-420: medium priority package update for GraphicsMagick</title><issued date="2014-10-01 16:28" /><updated date="2014-10-01 18:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1947:
1064098:
CVE-2014-1947 
ImageMagick: PSD writing layer name buffer overflow ("L%02ld") 4671 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947" id="CVE-2014-1947" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-doc-1.3.20-3.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-devel-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-c++-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-c++-devel-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-perl-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-debuginfo-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-debuginfo-1.3.20-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-1.3.20-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="GraphicsMagick-devel" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-devel-1.3.20-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-c++-1.3.20-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-c++-devel-1.3.20-3.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="3.5.amzn1" version="1.3.20"><filename>Packages/GraphicsMagick-perl-1.3.20-3.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-421</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-421: medium priority package update for nginx</title><issued date="2014-10-01 16:28" /><updated date="2014-10-01 18:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4672 CVE-2014-3616: 4673 1142573: 4674 CVE-2014-3616 nginx: virtual host confusion 4675 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616" id="CVE-2014-3616" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx" release="1.22.amzn1" version="1.6.2"><filename>Packages/nginx-1.6.2-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="1.22.amzn1" version="1.6.2"><filename>Packages/nginx-debuginfo-1.6.2-1.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="1.22.amzn1" version="1.6.2"><filename>Packages/nginx-1.6.2-1.22.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="1" name="nginx-debuginfo" release="1.22.amzn1" version="1.6.2"><filename>Packages/nginx-debuginfo-1.6.2-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-422</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-422: important priority package update for nss-util</title><issued date="2014-10-01 16:32" /><updated date="2014-10-01 18:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4676 CVE-2014-1568: 4677 A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. 4678 1145429: 4679 CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73) 4680 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568" id="CVE-2014-1568" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="2.4.amzn1" version="3.16.2"><filename>Packages/nss-util-debuginfo-3.16.2-2.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="2.4.amzn1" version="3.16.2"><filename>Packages/nss-util-devel-3.16.2-2.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util" release="2.4.amzn1" version="3.16.2"><filename>Packages/nss-util-3.16.2-2.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="2.4.amzn1" version="3.16.2"><filename>Packages/nss-util-devel-3.16.2-2.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="2.4.amzn1" 
version="3.16.2"><filename>Packages/nss-util-3.16.2-2.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="2.4.amzn1" version="3.16.2"><filename>Packages/nss-util-debuginfo-3.16.2-2.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-423</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-423: important priority package update for nss-softokn</title><issued date="2014-10-01 16:32" /><updated date="2014-10-01 18:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4681 CVE-2014-1568: 4682 A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. 
4683 1145429: 4684 CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73) 4685 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568" id="CVE-2014-1568" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-softokn-debuginfo" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-debuginfo-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-devel" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-devel-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl-devel" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-freebl-devel-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-freebl-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-debuginfo" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-debuginfo-3.16.2-2.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-devel" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-devel-3.16.2-2.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl-devel" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-freebl-devel-3.16.2-2.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-3.16.2-2.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="nss-softokn-freebl" release="2.2.amzn1" version="3.16.2"><filename>Packages/nss-softokn-freebl-3.16.2-2.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-424</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-424: important priority package update for nss</title><issued date="2014-10-01 16:32" /><updated date="2014-10-01 18:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4686 CVE-2014-1568: 4687 A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS. 4688 1145429: 4689 CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73) 4690 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568" id="CVE-2014-1568" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-sysinit-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-tools-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-debuginfo-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="7.49.amzn1" 
version="3.16.2"><filename>Packages/nss-devel-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-pkcs11-devel-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-pkcs11-devel-3.16.2-7.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-debuginfo-3.16.2-7.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-devel-3.16.2-7.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-sysinit-3.16.2-7.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-tools-3.16.2-7.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="7.49.amzn1" version="3.16.2"><filename>Packages/nss-3.16.2-7.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-425</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-425: medium priority package update for python-oauth2</title><issued date="2014-10-14 10:04" /><updated date="2014-10-14 12:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4691 CVE-2013-4347: 4692 1007758: 4693 CVE-2013-4347 python-oauth2: Uses poor PRNG in nonce 4694 The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes 
it easier for remote attackers to guess the nonce via a brute force attack. 4695 4696 CVE-2013-4346: 4697 The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL. 4698 1007746: 4699 CVE-2013-4346 python-oauth2: _check_signature() ignores the nonce value when validating signed urls 4700 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4346" id="CVE-2013-4346" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4347" id="CVE-2013-4347" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python-oauth2" release="7.1.amzn1" version="1.5.211"><filename>Packages/python-oauth2-1.5.211-7.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-426</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-426: important priority package update for openssl</title><issued date="2014-10-14 22:32" /><updated date="2014-10-14 23:34" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4701 CVE-2014-3566: 4702 1152789: 4703 CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack 4704 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" id="CVE-2014-3566" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-debuginfo-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" 
release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-static-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-perl-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-devel-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-debuginfo-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-perl-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-devel-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="1.79.amzn1" version="1.0.1i"><filename>Packages/openssl-static-1.0.1i-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-427</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-427: important priority package update for openssl</title><issued date="2014-10-15 16:14" /><updated date="2014-10-15 18:38" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4705 CVE-2014-3568: 4706 1152967: 4707 
CVE-2014-3568 openssl: Build option no-ssl3 is incomplete 4708 4709 CVE-2014-3567: 4710 1152961: 4711 CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash 4712 A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server. 4713 4714 CVE-2014-3513: 4715 1152953: 4716 CVE-2014-3513 openssl: SRTP memory leak causes crash when using specially-crafted handshake message 4717 A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server. 4718 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513" id="CVE-2014-3513" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568" id="CVE-2014-3568" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567" id="CVE-2014-3567" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-perl-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-debuginfo-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="1.80.amzn1" 
version="1.0.1j"><filename>Packages/openssl-static-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-devel-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-debuginfo-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-devel-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-static-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="1.80.amzn1" version="1.0.1j"><filename>Packages/openssl-perl-1.0.1j-1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-428</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-428: important priority package update for mysql55</title><issued date="2014-10-16 22:14" /><updated date="2014-10-16 22:20" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4719 CVE-2014-6559: 4720 1153496: 4721 CVE-2014-6559 mysql: unspecified vulnerability related to C API SSL CERTIFICATE HANDLING (CPU October 2014) 4722 Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING. 
CVE-2014-6500:
1153487:
CVE-2014-6500 mysql: unspecified vulnerability related to SERVER:SSL:yaSSL (CPU October 2014)
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491.

CVE-2014-6494:
1153484:
CVE-2014-6494 mysql: unspecified vulnerability related to CLIENT:SSL:yaSSL (CPU October 2014)
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496.

CVE-2014-6491:
1153483:
CVE-2014-6491 mysql: unspecified vulnerability related to SERVER:SSL:yaSSL (CPU October 2014)
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500.
4738 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491" id="CVE-2014-6491" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559" id="CVE-2014-6559" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500" id="CVE-2014-6500" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494" id="CVE-2014-6494" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-embedded-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-embedded-devel-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-test-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-server-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-devel-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-common" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-common-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-debuginfo-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.3.amzn1" 
version="5.5.40"><filename>Packages/mysql55-bench-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-libs-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-common" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-common-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-embedded-devel-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-devel-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-debuginfo-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-embedded-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-bench-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-test-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-server-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-libs-5.5.40-1.3.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="mysql55" release="1.3.amzn1" version="5.5.40"><filename>Packages/mysql55-5.5.40-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-429</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-429: important priority package update for nss</title><issued date="2014-10-16 22:14" /><updated date="2014-10-16 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4739 CVE-2014-3566: 4740 1152789: 4741 CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack 4742 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" id="CVE-2014-3566" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-tools-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-debuginfo-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-devel-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-pkcs11-devel-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-sysinit-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package arch="i686" 
epoch="0" name="nss" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-3.16.2-7.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-sysinit-3.16.2-7.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-devel-3.16.2-7.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-tools-3.16.2-7.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-debuginfo-3.16.2-7.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="7.57.amzn1" version="3.16.2"><filename>Packages/nss-pkcs11-devel-3.16.2-7.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-430</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-430: important priority package update for java-1.6.0-openjdk</title><issued date="2014-10-16 22:15" /><updated date="2014-10-16 22:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4743 CVE-2014-6558: 4744 It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class. 4745 4746 CVE-2014-6531: 4747 Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 
CVE-2014-6519:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6517:
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.

CVE-2014-6512:
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.

CVE-2014-6511:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6506:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6504:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6502:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
4769 4770 CVE-2014-6457: 4771 It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication. 4772 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502" id="CVE-2014-6502" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457" id="CVE-2014-6457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506" id="CVE-2014-6506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504" id="CVE-2014-6504" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531" id="CVE-2014-6531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519" id="CVE-2014-6519" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558" id="CVE-2014-6558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517" id="CVE-2014-6517" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511" id="CVE-2014-6511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512" id="CVE-2014-6512" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1634.html" id="RHSA-2014:1634" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.5.0.67.amzn1" 
version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.5.0.67.amzn1" 
version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.5.0.67.amzn1" version="1.6.0.33"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-431</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-431: important priority package update for java-1.7.0-openjdk</title><issued date="2014-10-16 22:16" /><updated date="2014-10-16 22:23" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6558:
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class.

CVE-2014-6531:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6519:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6517:
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.

CVE-2014-6512:
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.

CVE-2014-6511:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6506:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6504:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6502:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6457:
It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502" id="CVE-2014-6502" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457" id="CVE-2014-6457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506" id="CVE-2014-6506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504" id="CVE-2014-6504" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531" id="CVE-2014-6531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519" id="CVE-2014-6519" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558" id="CVE-2014-6558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517" id="CVE-2014-6517" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511" id="CVE-2014-6511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512" id="CVE-2014-6512" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1620.html" id="RHSA-2014:1620" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.49.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.3.1.49.amzn1"
version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.5.3.1.49.amzn1" version="1.7.0.71"><filename>Packages/java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-432</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2014-432: important priority package update for java-1.8.0-openjdk</title><issued date="2014-10-16 22:16" /><updated date="2014-10-16 22:24" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6562:
It was discovered that the Libraries component in OpenJDK failed to properly handle ZIP archives that contain entries with a NUL byte used in the file names. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

CVE-2014-6558:
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class.

CVE-2014-6531:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6519:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6517:
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.

CVE-2014-6512:
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.

CVE-2014-6511:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6506:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6504:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6502:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2014-6468:
It was discovered that the Hotspot component in OpenJDK failed to properly handle malformed Shared Archive files. A local attacker able to modify a Shared Archive file used by a virtual machine of a different user could possibly use this flaw to escalate their privileges.

CVE-2014-6457:
It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502" id="CVE-2014-6502" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457" id="CVE-2014-6457" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517" id="CVE-2014-6517" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506" id="CVE-2014-6506" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504" id="CVE-2014-6504" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531" id="CVE-2014-6531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6468" id="CVE-2014-6468" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519" id="CVE-2014-6519" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558" id="CVE-2014-6558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6562" id="CVE-2014-6562" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511" id="CVE-2014-6511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512" id="CVE-2014-6512" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1636.html" id="RHSA-2014:1636" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.b18.4.amzn1"
version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.25-0.b18.4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="java-1.8.0-openjdk-demo" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.b18.4.amzn1" version="1.8.0.25"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-433</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-433: important priority package update for squid</title><issued date="2014-10-22 20:04" /><updated date="2014-10-22 13:20" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3609:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.

CVE-2014-0128:
A denial of service flaw was found in the way Squid processed certain HTTPS requests when the SSL Bump feature was enabled. A remote attacker could send specially crafted requests that could cause Squid to crash.

CVE-2013-4115:
A buffer overflow flaw was found in Squid's DNS lookup module. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115" id="CVE-2013-4115" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609" id="CVE-2014-3609" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128" id="CVE-2014-0128" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1148.html" id="RHSA-2014:1148" title="" type="redhat" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0597.html" id="RHSA-2014:0597" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid" release="29.17.amzn1" version="3.1.10"><filename>Packages/squid-3.1.10-29.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid-debuginfo" release="29.17.amzn1" version="3.1.10"><filename>Packages/squid-debuginfo-3.1.10-29.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="29.17.amzn1" version="3.1.10"><filename>Packages/squid-3.1.10-29.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="29.17.amzn1" version="3.1.10"><filename>Packages/squid-debuginfo-3.1.10-29.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-434</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-434: important priority package update for php54</title><issued date="2014-10-28 17:09" /><updated date="2014-11-01 14:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3670:
1154502:
CVE-2014-3670 php: heap corruption issue in exif_thumbnail()

CVE-2014-3669:
1154500:
CVE-2014-3669 php: integer overflow in unserialize()

CVE-2014-3668:
1154503:
CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669" id="CVE-2014-3669" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668" id="CVE-2014-3668" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670" id="CVE-2014-3670" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-fpm" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-fpm-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mssql-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-debuginfo-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-gd-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-imap-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-embedded-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.62.amzn1"
version="5.4.34"><filename>Packages/php54-mcrypt-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-pdo-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-pgsql-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-common-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-dba-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-tidy-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-bcmath-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-odbc-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mysql-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-cli-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-ldap-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-process-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-snmp" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-snmp-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-devel-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mbstring-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-soap-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-enchant-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-pspell-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mysqlnd-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-intl-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-xml-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-xmlrpc-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-recode-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.62.amzn1" 
version="5.4.34"><filename>Packages/php54-debuginfo-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mbstring-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-xml-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-devel-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-bcmath-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-odbc-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-snmp-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-gd-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-soap-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-xmlrpc-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-intl-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.62.amzn1" 
version="5.4.34"><filename>Packages/php54-fpm-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-pdo-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mssql-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-imap-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mysql-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-pgsql-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-embedded-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-pspell-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-enchant-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-common-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-recode-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-dba-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.62.amzn1" 
version="5.4.34"><filename>Packages/php54-ldap-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-cli-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-tidy-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mcrypt-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-mysqlnd-5.4.34-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.62.amzn1" version="5.4.34"><filename>Packages/php54-process-5.4.34-1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-435</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-435: important priority package update for php55</title><issued date="2014-10-28 17:10" /><updated date="2014-11-01 14:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3670:
1154502:
CVE-2014-3670 php: heap corruption issue in exif_thumbnail()

CVE-2014-3669:
1154500:
CVE-2014-3669 php: integer overflow in unserialize()

CVE-2014-3668:
1154503:
CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669" id="CVE-2014-3669" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668" id="CVE-2014-3668" title=""
type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670" id="CVE-2014-3670" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-soap-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-enchant-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-pspell-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-ldap-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-debuginfo-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-xml-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-opcache-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-cli-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-mbstring-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.92.amzn1" 
version="5.5.18"><filename>Packages/php55-gmp-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-process-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-pgsql-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-intl-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-fpm-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-embedded-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-devel-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-tidy-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-gd-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-recode-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-xmlrpc-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-bcmath-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php55-dba" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-dba-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-mysqlnd-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-odbc-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-mssql-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-imap-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-common-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-snmp-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-mcrypt-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-pdo-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-pdo-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-embedded-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.92.amzn1" 
version="5.5.18"><filename>Packages/php55-mcrypt-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-ldap-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-common-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-process-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-devel-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-bcmath-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-xmlrpc-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-recode-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-pgsql-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-imap-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-fpm-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-cli-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.92.amzn1" 
version="5.5.18"><filename>Packages/php55-mysqlnd-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-gd-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-mssql-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-odbc-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-pspell-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-xml-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-gmp-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-snmp-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-mbstring-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-tidy-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-opcache-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.92.amzn1" 
version="5.5.18"><filename>Packages/php55-debuginfo-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-intl-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-soap-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-dba-5.5.18-1.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.92.amzn1" version="5.5.18"><filename>Packages/php55-enchant-5.5.18-1.92.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-436</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-436: medium priority package update for xerces-j2</title><issued date="2014-10-28 17:13" /><updated date="2014-11-01 14:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4872 CVE-2013-4002: 4873 A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. 
4874 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002" id="CVE-2013-4002" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1319.html" id="RHSA-2014:1319" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="xerces-j2-javadoc-apis" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-javadoc-apis-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xerces-j2-javadoc-xni" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-javadoc-xni-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xerces-j2-javadoc-other" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-javadoc-other-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xerces-j2-demo" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-demo-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xerces-j2" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xerces-j2-scripts" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-scripts-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="xerces-j2-javadoc-impl" release="12.7.19.amzn1" version="2.7.1"><filename>Packages/xerces-j2-javadoc-impl-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-437</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-437: medium priority package update for golang</title><issued date="2014-10-28 17:15" /><updated 
date="2014-11-01 14:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4875 CVE-2014-7189: 4876 1147324: 4877 CVE-2014-7189 golang: TLS client authentication issue fixed in version 1.3.2 4878 crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. 4879 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7189" id="CVE-2014-7189" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-pkg-netbsd-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-netbsd-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-linux-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-linux-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-freebsd-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-freebsd-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-vim" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-vim-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-darwin-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-darwin-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-netbsd-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-netbsd-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-openbsd-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-openbsd-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" 
epoch="0" name="golang" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-1.3.3-1.7.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-linux-arm" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-linux-arm-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-openbsd-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-openbsd-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-plan9-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-plan9-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-darwin-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-darwin-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-plan9-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-plan9-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-netbsd-arm" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-netbsd-arm-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-windows-amd64" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-windows-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-golang" release="1.7.amzn1" version="1.3.3"><filename>Packages/emacs-golang-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-freebsd-arm" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-freebsd-arm-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-pkg-bin-linux-amd64" release="1.7.amzn1" 
version="1.3.3"><filename>Packages/golang-pkg-bin-linux-amd64-1.3.3-1.7.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-linux-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-linux-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-freebsd-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-freebsd-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-windows-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-windows-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-src-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang-pkg-bin-linux-386" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-pkg-bin-linux-386-1.3.3-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.7.amzn1" version="1.3.3"><filename>Packages/golang-1.3.3-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-438</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-438: medium priority package update for cups</title><issued date="2014-10-28 17:17" /><updated date="2014-11-01 14:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4880 CVE-2014-5031: 4881 It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. 
CVE-2014-5030:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.

CVE-2014-5029:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.

CVE-2014-3537:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.

CVE-2014-2856:
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
4894 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537" id="CVE-2014-3537" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856" id="CVE-2014-2856" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029" id="CVE-2014-5029" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030" id="CVE-2014-5030" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031" id="CVE-2014-5031" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1388.html" id="RHSA-2014:1388" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="cups-lpd" release="67.20.al12" version="1.4.2"><filename>Packages/cups-lpd-1.4.2-67.20.al12.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-devel" release="67.20.al12" version="1.4.2"><filename>Packages/cups-devel-1.4.2-67.20.al12.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-libs" release="67.20.al12" version="1.4.2"><filename>Packages/cups-libs-1.4.2-67.20.al12.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-debuginfo" release="67.20.al12" version="1.4.2"><filename>Packages/cups-debuginfo-1.4.2-67.20.al12.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups" release="67.20.al12" version="1.4.2"><filename>Packages/cups-1.4.2-67.20.al12.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-php" release="67.20.al12" version="1.4.2"><filename>Packages/cups-php-1.4.2-67.20.al12.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="cups-libs" release="67.20.al12" version="1.4.2"><filename>Packages/cups-libs-1.4.2-67.20.al12.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="cups-lpd" release="67.20.al12" version="1.4.2"><filename>Packages/cups-lpd-1.4.2-67.20.al12.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-devel" release="67.20.al12" version="1.4.2"><filename>Packages/cups-devel-1.4.2-67.20.al12.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-php" release="67.20.al12" version="1.4.2"><filename>Packages/cups-php-1.4.2-67.20.al12.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups" release="67.20.al12" version="1.4.2"><filename>Packages/cups-1.4.2-67.20.al12.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-debuginfo" release="67.20.al12" version="1.4.2"><filename>Packages/cups-debuginfo-1.4.2-67.20.al12.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-439</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-439: medium priority package update for ruby21</title><issued date="2014-11-05 12:13" /><updated date="2014-11-05 14:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4895 CVE-2014-8080: 4896 The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. 
4897 1157709: 4898 CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion 4899 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080" id="CVE-2014-8080" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby21-devel" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-devel-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-bigdecimal" release="1.14.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-io-console" release="1.14.amzn1" version="0.4.2"><filename>Packages/rubygem21-io-console-0.4.2-1.14.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21" release="1.14.amzn1" version="2.2.2"><filename>Packages/rubygems21-2.2.2-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21-devel" release="1.14.amzn1" version="2.2.2"><filename>Packages/rubygems21-devel-2.2.2-1.14.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-psych" release="1.14.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.14.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-irb" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-irb-2.1.4-1.14.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-libs" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-libs-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-debuginfo" release="1.14.amzn1" 
version="2.1.4"><filename>Packages/ruby21-debuginfo-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-doc" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-doc-2.1.4-1.14.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-libs" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-libs-2.1.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-bigdecimal" release="1.14.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-debuginfo" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-debuginfo-2.1.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-io-console" release="1.14.amzn1" version="0.4.2"><filename>Packages/rubygem21-io-console-0.4.2-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-psych" release="1.14.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-2.1.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-devel" release="1.14.amzn1" version="2.1.4"><filename>Packages/ruby21-devel-2.1.4-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-440</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-440: medium priority package update for python27</title><issued date="2014-11-05 12:15" /><updated date="2014-11-11 10:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4900 CVE-2014-7185: 4901 Integer overflow in bufferobject.c in 
Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. 4902 1146026: 4903 CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read 4904 4905 CVE-2014-4650: 4906 1113527: 4907 CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs 4908 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185" id="CVE-2014-7185" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650" id="CVE-2014-4650" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-debuginfo" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-debuginfo-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-devel-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-test-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-libs-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-tools-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-tools-2.7.8-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="python27-debuginfo" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-debuginfo-2.7.8-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-devel-2.7.8-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-test-2.7.8-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-libs-2.7.8-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="6.74.amzn1" version="2.7.8"><filename>Packages/python27-2.7.8-6.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-441</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-441: medium priority package update for ruby20</title><issued date="2014-11-05 12:16" /><updated date="2014-11-05 14:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4909 CVE-2014-8080: 4910 The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. 
4911 1157709: 4912 CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion 4913 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080" id="CVE-2014-8080" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems20" release="1.19.amzn1" version="2.0.14"><filename>Packages/rubygems20-2.0.14-1.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-doc-2.0.0.594-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.19.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-debuginfo-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-libs-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.19.amzn1" version="2.0.14"><filename>Packages/rubygems20-devel-2.0.14-1.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-irb" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-irb-2.0.0.594-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-devel-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" release="1.19.amzn1" 
version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.19.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-debuginfo-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-devel-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.19.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.19.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.19.amzn1" version="2.0.0.594"><filename>Packages/ruby20-libs-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.19.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-442</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget</title><issued date="2014-11-05 12:19" /><updated date="2014-11-05 14:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4914 
CVE-2014-4877: 4915 1139181: 4916 CVE-2014-4877 wget: FTP symlink arbitrary filesystem access 4917 Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. 4918 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877" id="CVE-2014-4877" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wget-debuginfo" release="1.13.amzn1" version="1.16"><filename>Packages/wget-debuginfo-1.16-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wget" release="1.13.amzn1" version="1.16"><filename>Packages/wget-1.16-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wget-debuginfo" release="1.13.amzn1" version="1.16"><filename>Packages/wget-debuginfo-1.16-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wget" release="1.13.amzn1" version="1.16"><filename>Packages/wget-1.16-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-443</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-443: medium priority package update for krb5</title><issued date="2014-11-11 10:25" /><updated date="2014-11-11 10:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4919 CVE-2014-4345: 4920 A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. 
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind.

CVE-2014-4344:
A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.

CVE-2014-4343:
A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos.

CVE-2014-4342:
Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.

CVE-2014-4341:
Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.

CVE-2013-6800:
It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request.

CVE-2013-1418:
It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request.
4939 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4342" id="CVE-2014-4342" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800" id="CVE-2013-6800" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4343" id="CVE-2014-4343" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418" id="CVE-2013-1418" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4341" id="CVE-2014-4341" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345" id="CVE-2014-4345" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4344" id="CVE-2014-4344" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1389.html" id="RHSA-2014:1389" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-libs" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="krb5-devel" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="33.28.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-33.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-444</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-444: medium priority package update for libxml2</title><issued date="2014-11-11 10:26" /><updated date="2014-11-11 10:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities: 4940 CVE-2014-3660: 4941 A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. 4942 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660" id="CVE-2014-3660" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1655.html" id="RHSA-2014:1655" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-python-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-static" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python" release="3.1.32.amzn1" 
version="2.9.1"><filename>Packages/libxml2-python-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="3.1.32.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-3.1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-445</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-445: medium priority package update for rsyslog</title><issued date="2014-11-11 10:26" /><updated date="2014-11-11 10:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4943 CVE-2014-3634: 4944 A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon. 
4945 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3634" id="CVE-2014-3634" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1671.html" id="RHSA-2014:1671" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="rsyslog" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-snmp" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-snmp-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-gssapi" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-gssapi-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-pgsql" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-pgsql-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-mysql" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-mysql-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-debuginfo" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-debuginfo-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rsyslog-gnutls" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-gnutls-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-mysql" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-mysql-5.8.10-9.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-debuginfo" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-debuginfo-5.8.10-9.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-pgsql" release="9.26.amzn1" 
version="5.8.10"><filename>Packages/rsyslog-pgsql-5.8.10-9.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-gnutls" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-gnutls-5.8.10-9.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-gssapi" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-gssapi-5.8.10-9.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-5.8.10-9.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rsyslog-snmp" release="9.26.amzn1" version="5.8.10"><filename>Packages/rsyslog-snmp-5.8.10-9.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-446</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-446: medium priority package update for wireshark</title><issued date="2014-11-11 10:27" /><updated date="2014-11-11 10:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4946 CVE-2014-6432: 4947 Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. 4948 4949 CVE-2014-6431: 4950 Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. 4951 4952 CVE-2014-6430: 4953 Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. 

CVE-2014-6429:
Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.

CVE-2014-6428:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6427:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6426:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6425:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6424:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6423:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6422:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-6421:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
4981 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6426" id="CVE-2014-6426" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6427" id="CVE-2014-6427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6421" id="CVE-2014-6421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6422" id="CVE-2014-6422" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6423" id="CVE-2014-6423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6424" id="CVE-2014-6424" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6425" id="CVE-2014-6425" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6431" id="CVE-2014-6431" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6430" id="CVE-2014-6430" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6428" id="CVE-2014-6428" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6429" id="CVE-2014-6429" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6432" id="CVE-2014-6432" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1676.html" id="RHSA-2014:1676" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wireshark-debuginfo" release="8.14.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-8.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark" release="8.14.amzn1" 
version="1.8.10"><filename>Packages/wireshark-1.8.10-8.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-devel" release="8.14.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-8.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-debuginfo" release="8.14.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-8.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark" release="8.14.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-8.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-devel" release="8.14.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-8.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-447</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-447: medium priority package update for ruby19</title><issued date="2014-11-13 17:25" /><updated date="2014-11-16 13:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 4982 CVE-2014-8090: 4983 1159927: 4984 CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080 4985 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090" id="CVE-2014-8090" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems19" release="32.64.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-1.8.23.2-32.64.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="32.64.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-32.64.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" 
name="ruby19-debuginfo" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="32.64.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-32.64.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="32.64.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="32.64.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-libs-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-doc-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19-devel" release="32.64.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-devel-1.8.23.2-32.64.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-devel-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rake" release="32.64.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-32.64.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby19-irb" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-irb-1.9.3.551-32.64.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="32.64.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="ruby19" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="32.64.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="32.64.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-doc-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="32.64.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-libs-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="32.64.amzn1" version="1.9.3.551"><filename>Packages/ruby19-devel-1.9.3.551-32.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-448</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-448: medium priority package update for ruby20</title><issued date="2014-11-13 17:26" /><updated date="2014-11-16 13:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities: 4986 CVE-2014-8090: 4987 1159927: 4988 CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080 4989 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090" id="CVE-2014-8090" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.20.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-libs-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20" release="1.20.amzn1" version="2.0.14"><filename>Packages/rubygems20-2.0.14-1.20.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-doc-2.0.0.598-1.20.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.20.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-devel-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-irb" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-irb-2.0.0.598-1.20.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-debuginfo-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" 
release="1.20.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.20.amzn1" version="2.0.14"><filename>Packages/rubygems20-devel-2.0.14-1.20.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-libs-2.0.0.598-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.20.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-2.0.0.598-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.20.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-devel-2.0.0.598-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.20.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.20.amzn1" version="2.0.0.598"><filename>Packages/ruby20-debuginfo-2.0.0.598-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-449</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-449: medium priority package update for ruby21</title><issued date="2014-11-13 17:26" /><updated date="2014-11-16 13:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2014-8090:
1159927:
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090" id="CVE-2014-8090" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ruby21-irb" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-irb-2.1.5-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-bigdecimal" release="1.15.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-psych" release="1.15.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21-devel" release="1.15.amzn1" version="2.2.2"><filename>Packages/rubygems21-devel-2.2.2-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-io-console" release="1.15.amzn1" version="0.4.2"><filename>Packages/rubygem21-io-console-0.4.2-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-debuginfo" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-debuginfo-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-doc" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-doc-2.1.5-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21" release="1.15.amzn1" version="2.2.2"><filename>Packages/rubygems21-2.2.2-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-devel" release="1.15.amzn1"
version="2.1.5"><filename>Packages/ruby21-devel-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-libs" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-libs-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-psych" release="1.15.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-2.1.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-devel" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-devel-2.1.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-bigdecimal" release="1.15.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-io-console" release="1.15.amzn1" version="0.4.2"><filename>Packages/rubygem21-io-console-0.4.2-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-debuginfo" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-debuginfo-2.1.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-libs" release="1.15.amzn1" version="2.1.5"><filename>Packages/ruby21-libs-2.1.5-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-450</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-450: medium priority package update for php54</title><issued date="2014-11-22 13:58" /><updated date="2014-11-22 14:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3710:
1155071:
CVE-2014-3710 file: out-of-bounds read in elf note headers
An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710" id="CVE-2014-3710" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-imap" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-imap-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-soap-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-process-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mysqlnd-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-pspell-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-xml-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-odbc-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-devel-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.63.amzn1"
version="5.4.35"><filename>Packages/php54-debuginfo-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mcrypt-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-gd-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-dba-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-common-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-intl-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-bcmath-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-enchant-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-ldap-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-pdo-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-cli-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" 
release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-recode-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-xmlrpc-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mysql-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-pgsql-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mbstring-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-fpm-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-snmp-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mssql-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-embedded-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-tidy-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-recode-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-gd-5.4.35-1.63.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php54-pgsql" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-pgsql-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mysql-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-xml-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-enchant-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-ldap-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-process-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-dba-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-devel-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-imap-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mysqlnd-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-xmlrpc-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php54-debuginfo" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-debuginfo-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-cli-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-pdo-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-pspell-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mbstring-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-fpm-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-bcmath-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mcrypt-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-common-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-mssql-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-snmp-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-intl-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php54-tidy" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-tidy-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-embedded-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-soap-5.4.35-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.63.amzn1" version="5.4.35"><filename>Packages/php54-odbc-5.4.35-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-451</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-451: medium priority package update for php55</title><issued date="2014-11-22 13:58" /><updated date="2014-11-22 14:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3710:
1155071:
CVE-2014-3710 file: out-of-bounds read in elf note headers
An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710" id="CVE-2014-3710" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-snmp" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-snmp-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-ldap-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-gmp-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-cli-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-opcache-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-fpm-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-xmlrpc-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-dba-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-xml-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="2.93.amzn1"
version="5.5.19"><filename>Packages/php55-pdo-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-bcmath-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-gd-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-pspell-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-soap-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-recode-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-imap-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-debuginfo-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-enchant-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-intl-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mcrypt-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mssql-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-pgsql" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-pgsql-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-devel-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mbstring-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-tidy-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mysqlnd-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-process-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-embedded-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-odbc-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-common-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mssql-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-pgsql-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="2.93.amzn1" 
version="5.5.19"><filename>Packages/php55-gd-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-opcache-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-embedded-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-debuginfo-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-gmp-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mcrypt-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-devel-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-recode-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-soap-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-tidy-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-enchant-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="2.93.amzn1" 
version="5.5.19"><filename>Packages/php55-bcmath-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-intl-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mysqlnd-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-pspell-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-snmp-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-process-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-odbc-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-xml-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-xmlrpc-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-pdo-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-dba-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-cli-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="2.93.amzn1" 
version="5.5.19"><filename>Packages/php55-ldap-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-imap-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-fpm-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-common-5.5.19-2.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="2.93.amzn1" version="5.5.19"><filename>Packages/php55-mbstring-5.5.19-2.93.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-452</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-452: medium priority package update for libX11 libXcursor libXfixes libXi libXrandr libXrender libXres libXt libXv libXvMC libXxf86dga libXxf86vm libdmx xorg-x11-proto-devel</title><issued date="2014-11-22 14:00" /><updated date="2014-11-24 15:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5004 CVE-2013-2066: 5005 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 
5006 5007 CVE-2013-2064: 5008 960367: 5009 CVE-2013-2064 libxcb: Integer overflow leading to heap-based buffer overlow 5010 Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function. 5011 5012 CVE-2013-2062: 5013 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5014 5015 CVE-2013-2005: 5016 A flaw was found in the way the X.Org X11 libXt runtime library used uninitialized pointers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5017 5018 CVE-2013-2004: 5019 Two stack-based buffer overflow flaws were found in the way libX11, the Core X11 protocol client library, processed certain user-specified files. A malicious X11 server could possibly use this flaw to crash an X11 client via a specially crafted file. 5020 5021 CVE-2013-2003: 5022 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5023 5024 CVE-2013-2002: 5025 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 
5026 5027 CVE-2013-2001: 5028 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5029 5030 CVE-2013-2000: 5031 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5032 5033 CVE-2013-1999: 5034 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5035 5036 CVE-2013-1998: 5037 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5038 5039 CVE-2013-1997: 5040 Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5041 5042 CVE-2013-1995: 5043 A buffer overflow flaw was found in the way the XListInputDevices() function of X.Org X11's libXi runtime library handled signed numbers. 
A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client. 5044 5045 CVE-2013-1991: 5046 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5047 5048 CVE-2013-1990: 5049 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5050 5051 CVE-2013-1989: 5052 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5053 5054 CVE-2013-1988: 5055 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5056 5057 CVE-2013-1987: 5058 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 
5059 5060 CVE-2013-1986: 5061 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5062 5063 CVE-2013-1985: 5064 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5065 5066 CVE-2013-1984: 5067 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5068 5069 CVE-2013-1983: 5070 Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system. 5071 5072 CVE-2013-1982: 5073 Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions. 
959046:
CVE-2013-1982 libXext: Multiple integer overflows leading to heap-based buffer-overflows

CVE-2013-1981:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2062" id="CVE-2013-2062" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064" id="CVE-2013-2064" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2066" id="CVE-2013-2066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2003" id="CVE-2013-2003" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2002" id="CVE-2013-2002" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2001" id="CVE-2013-2001" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2000" id="CVE-2013-2000" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2005" id="CVE-2013-2005" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2004" id="CVE-2013-2004" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1990" id="CVE-2013-1990" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1991" id="CVE-2013-1991" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1995" id="CVE-2013-1995" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1998" id="CVE-2013-1998" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1999" id="CVE-2013-1999" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1989" id="CVE-2013-1989" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1988" id="CVE-2013-1988" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1987" id="CVE-2013-1987" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1986" id="CVE-2013-1986" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1985" id="CVE-2013-1985" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1984" id="CVE-2013-1984" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1983" id="CVE-2013-1983" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1982" id="CVE-2013-1982" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1981" id="CVE-2013-1981" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1997" id="CVE-2013-1997" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1436.html" id="RHSA-2014:1436" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libX11" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libX11-devel" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-devel-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="libX11-common" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-common-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libX11-debuginfo" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-debuginfo-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libX11-debuginfo" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-debuginfo-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libX11" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libX11-common" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-common-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libX11-devel" release="2.2.12.amzn1" version="1.6.0"><filename>Packages/libX11-devel-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXcursor-debuginfo" release="2.1.9.amzn1" version="1.1.14"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXcursor-devel" release="2.1.9.amzn1" version="1.1.14"><filename>Packages/libXcursor-devel-1.1.14-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXcursor" release="2.1.9.amzn1" version="1.1.14"><filename>Packages/libXcursor-1.1.14-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXcursor-debuginfo" release="2.1.9.amzn1" version="1.1.14"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXcursor" release="2.1.9.amzn1" version="1.1.14"><filename>Packages/libXcursor-1.1.14-2.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXcursor-devel" release="2.1.9.amzn1" 
version="1.1.14"><filename>Packages/libXcursor-devel-1.1.14-2.1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfixes-devel" release="2.1.8.amzn1" version="5.0.1"><filename>Packages/libXfixes-devel-5.0.1-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfixes-debuginfo" release="2.1.8.amzn1" version="5.0.1"><filename>Packages/libXfixes-debuginfo-5.0.1-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfixes" release="2.1.8.amzn1" version="5.0.1"><filename>Packages/libXfixes-5.0.1-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXfixes" release="2.1.8.amzn1" version="5.0.1"><filename>Packages/libXfixes-5.0.1-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfixes-debuginfo" release="2.1.8.amzn1" version="5.0.1"><filename>Packages/libXfixes-debuginfo-5.0.1-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfixes-devel" release="2.1.8.amzn1" version="5.0.1"><filename>Packages/libXfixes-devel-5.0.1-2.1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXrandr-devel" release="2.1.8.amzn1" version="1.4.1"><filename>Packages/libXrandr-devel-1.4.1-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXrandr-debuginfo" release="2.1.8.amzn1" version="1.4.1"><filename>Packages/libXrandr-debuginfo-1.4.1-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXrandr" release="2.1.8.amzn1" version="1.4.1"><filename>Packages/libXrandr-1.4.1-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXrandr-debuginfo" release="2.1.8.amzn1" version="1.4.1"><filename>Packages/libXrandr-debuginfo-1.4.1-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXrandr" release="2.1.8.amzn1" 
version="1.4.1"><filename>Packages/libXrandr-1.4.1-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXrandr-devel" release="2.1.8.amzn1" version="1.4.1"><filename>Packages/libXrandr-devel-1.4.1-2.1.8.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-proto-devel" release="9.10.amzn1" version="7.7"><filename>Packages/xorg-x11-proto-devel-7.7-9.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libXrender-devel" release="2.1.9.amzn1" version="0.9.8"><filename>Packages/libXrender-devel-0.9.8-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXrender" release="2.1.9.amzn1" version="0.9.8"><filename>Packages/libXrender-0.9.8-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXrender-debuginfo" release="2.1.9.amzn1" version="0.9.8"><filename>Packages/libXrender-debuginfo-0.9.8-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXrender" release="2.1.9.amzn1" version="0.9.8"><filename>Packages/libXrender-0.9.8-2.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXrender-debuginfo" release="2.1.9.amzn1" version="0.9.8"><filename>Packages/libXrender-debuginfo-0.9.8-2.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXrender-devel" release="2.1.9.amzn1" version="0.9.8"><filename>Packages/libXrender-devel-0.9.8-2.1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXres-devel" release="2.1.8.amzn1" version="1.0.7"><filename>Packages/libXres-devel-1.0.7-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXres-debuginfo" release="2.1.8.amzn1" version="1.0.7"><filename>Packages/libXres-debuginfo-1.0.7-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXres" release="2.1.8.amzn1" 
version="1.0.7"><filename>Packages/libXres-1.0.7-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXres-debuginfo" release="2.1.8.amzn1" version="1.0.7"><filename>Packages/libXres-debuginfo-1.0.7-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXres" release="2.1.8.amzn1" version="1.0.7"><filename>Packages/libXres-1.0.7-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXres-devel" release="2.1.8.amzn1" version="1.0.7"><filename>Packages/libXres-devel-1.0.7-2.1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXt-devel" release="6.1.9.amzn1" version="1.1.4"><filename>Packages/libXt-devel-1.1.4-6.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXt" release="6.1.9.amzn1" version="1.1.4"><filename>Packages/libXt-1.1.4-6.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXt-debuginfo" release="6.1.9.amzn1" version="1.1.4"><filename>Packages/libXt-debuginfo-1.1.4-6.1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXt-devel" release="6.1.9.amzn1" version="1.1.4"><filename>Packages/libXt-devel-1.1.4-6.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXt-debuginfo" release="6.1.9.amzn1" version="1.1.4"><filename>Packages/libXt-debuginfo-1.1.4-6.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXt" release="6.1.9.amzn1" version="1.1.4"><filename>Packages/libXt-1.1.4-6.1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXv-devel" release="2.1.8.amzn1" version="1.0.9"><filename>Packages/libXv-devel-1.0.9-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXv" release="2.1.8.amzn1" version="1.0.9"><filename>Packages/libXv-1.0.9-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXv-debuginfo" 
release="2.1.8.amzn1" version="1.0.9"><filename>Packages/libXv-debuginfo-1.0.9-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXv-devel" release="2.1.8.amzn1" version="1.0.9"><filename>Packages/libXv-devel-1.0.9-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXv-debuginfo" release="2.1.8.amzn1" version="1.0.9"><filename>Packages/libXv-debuginfo-1.0.9-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXv" release="2.1.8.amzn1" version="1.0.9"><filename>Packages/libXv-1.0.9-2.1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXvMC" release="2.1.8.amzn1" version="1.0.8"><filename>Packages/libXvMC-1.0.8-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXvMC-debuginfo" release="2.1.8.amzn1" version="1.0.8"><filename>Packages/libXvMC-debuginfo-1.0.8-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXvMC-devel" release="2.1.8.amzn1" version="1.0.8"><filename>Packages/libXvMC-devel-1.0.8-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXvMC" release="2.1.8.amzn1" version="1.0.8"><filename>Packages/libXvMC-1.0.8-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXvMC-debuginfo" release="2.1.8.amzn1" version="1.0.8"><filename>Packages/libXvMC-debuginfo-1.0.8-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXvMC-devel" release="2.1.8.amzn1" version="1.0.8"><filename>Packages/libXvMC-devel-1.0.8-2.1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXi-debuginfo" release="2.2.9.amzn1" version="1.7.2"><filename>Packages/libXi-debuginfo-1.7.2-2.2.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXi" release="2.2.9.amzn1" version="1.7.2"><filename>Packages/libXi-1.7.2-2.2.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="libXi-devel" release="2.2.9.amzn1" version="1.7.2"><filename>Packages/libXi-devel-1.7.2-2.2.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXi" release="2.2.9.amzn1" version="1.7.2"><filename>Packages/libXi-1.7.2-2.2.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXi-devel" release="2.2.9.amzn1" version="1.7.2"><filename>Packages/libXi-devel-1.7.2-2.2.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXi-debuginfo" release="2.2.9.amzn1" version="1.7.2"><filename>Packages/libXi-debuginfo-1.7.2-2.2.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXxf86dga-debuginfo" release="2.1.8.amzn1" version="1.1.4"><filename>Packages/libXxf86dga-debuginfo-1.1.4-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXxf86dga-devel" release="2.1.8.amzn1" version="1.1.4"><filename>Packages/libXxf86dga-devel-1.1.4-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXxf86dga" release="2.1.8.amzn1" version="1.1.4"><filename>Packages/libXxf86dga-1.1.4-2.1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXxf86dga" release="2.1.8.amzn1" version="1.1.4"><filename>Packages/libXxf86dga-1.1.4-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXxf86dga-debuginfo" release="2.1.8.amzn1" version="1.1.4"><filename>Packages/libXxf86dga-debuginfo-1.1.4-2.1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXxf86dga-devel" release="2.1.8.amzn1" version="1.1.4"><filename>Packages/libXxf86dga-devel-1.1.4-2.1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libXxf86vm-debuginfo" release="2.1.9.amzn1" version="1.1.3"><filename>Packages/libXxf86vm-debuginfo-1.1.3-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXxf86vm-devel" release="2.1.9.amzn1" 
version="1.1.3"><filename>Packages/libXxf86vm-devel-1.1.3-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXxf86vm" release="2.1.9.amzn1" version="1.1.3"><filename>Packages/libXxf86vm-1.1.3-2.1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXxf86vm-devel" release="2.1.9.amzn1" version="1.1.3"><filename>Packages/libXxf86vm-devel-1.1.3-2.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXxf86vm-debuginfo" release="2.1.9.amzn1" version="1.1.3"><filename>Packages/libXxf86vm-debuginfo-1.1.3-2.1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXxf86vm" release="2.1.9.amzn1" version="1.1.3"><filename>Packages/libXxf86vm-1.1.3-2.1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libdmx-debuginfo" release="3.7.amzn1" version="1.1.3"><filename>Packages/libdmx-debuginfo-1.1.3-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libdmx" release="3.7.amzn1" version="1.1.3"><filename>Packages/libdmx-1.1.3-3.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libdmx-devel" release="3.7.amzn1" version="1.1.3"><filename>Packages/libdmx-devel-1.1.3-3.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libdmx-debuginfo" release="3.7.amzn1" version="1.1.3"><filename>Packages/libdmx-debuginfo-1.1.3-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libdmx" release="3.7.amzn1" version="1.1.3"><filename>Packages/libdmx-1.1.3-3.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libdmx-devel" release="3.7.amzn1" version="1.1.3"><filename>Packages/libdmx-devel-1.1.3-3.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-453</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2014-453: medium priority package update for file</title><issued date="2014-11-22 14:34" /><updated date="2014-11-24 12:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3710:
1155071:
CVE-2014-3710 file: out-of-bounds read in elf note headers
An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710" id="CVE-2014-3710" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="file-debuginfo" release="7.24.amzn1" version="5.19"><filename>Packages/file-debuginfo-5.19-7.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-devel" release="7.24.amzn1" version="5.19"><filename>Packages/file-devel-5.19-7.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="7.24.amzn1" version="5.19"><filename>Packages/file-static-5.19-7.24.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python-magic" release="7.24.amzn1" version="5.19"><filename>Packages/python-magic-5.19-7.24.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="7.24.amzn1" version="5.19"><filename>Packages/file-libs-5.19-7.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="7.24.amzn1" version="5.19"><filename>Packages/file-5.19-7.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="7.24.amzn1"
version="5.19"><filename>Packages/file-debuginfo-5.19-7.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="7.24.amzn1" version="5.19"><filename>Packages/file-5.19-7.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="7.24.amzn1" version="5.19"><filename>Packages/file-static-5.19-7.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="7.24.amzn1" version="5.19"><filename>Packages/file-libs-5.19-7.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="7.24.amzn1" version="5.19"><filename>Packages/file-devel-5.19-7.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-454</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-454: critical priority package update for docker</title><issued date="2014-11-25 12:22" /><updated date="2014-11-25 12:30" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6408:
1167506:
CVE-2014-6408 docker: potential container escalation

CVE-2014-6407:
1167505:
CVE-2014-6407 docker: symbolic and hardlink issues leading to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6408" id="CVE-2014-6408" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6407" id="CVE-2014-6407" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker" release="1.0.amzn1" version="1.3.2"><filename>Packages/docker-1.3.2-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-pkg-devel"
release="1.0.amzn1" version="1.3.2"><filename>Packages/docker-pkg-devel-1.3.2-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-devel" release="1.0.amzn1" version="1.3.2"><filename>Packages/docker-devel-1.3.2-1.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-455</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-455: medium priority package update for kernel</title><issued date="2014-12-03 22:27" /><updated date="2014-12-18 14:55" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9322:
1172806:
CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system.

CVE-2014-9090:
1170691:
CVE-2014-9090 kernel: espfix64: local DoS via do_double_fault() due to improper handling of faults associated with SS segment register
The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.

CVE-2014-7970:
The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via .
(dot) values in both arguments to the pivot_root system call.
1151095:
CVE-2014-7970 Kernel: fs: VFS denial of service

CVE-2014-7841:
1163087:
CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af-&gt;from_addr_param on malformed packet
The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7841" id="CVE-2014-7841" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970" id="CVE-2014-7970" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322" id="CVE-2014-9322" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090" id="CVE-2014-9090" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-headers-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-devel-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-tools-debuginfo-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-tools-devel-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="24.46.amzn1"
version="3.14.26"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-tools-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="24.46.amzn1" version="3.14.26"><filename>Packages/perf-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-debuginfo-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="24.46.amzn1" version="3.14.26"><filename>Packages/perf-debuginfo-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-debuginfo-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="24.46.amzn1" version="3.14.26"><filename>Packages/perf-debuginfo-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-devel-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-tools-devel-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="24.46.amzn1" 
version="3.14.26"><filename>Packages/kernel-debuginfo-common-i686-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-tools-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="24.46.amzn1" version="3.14.26"><filename>Packages/perf-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-headers-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-tools-debuginfo-3.14.26-24.46.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="24.46.amzn1" version="3.14.26"><filename>Packages/kernel-doc-3.14.26-24.46.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-456</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-456: medium priority package update for facter</title><issued date="2014-12-08 13:12" /><updated date="2014-12-08 13:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3248:
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7)
operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
1101346:
CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248" id="CVE-2014-3248" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="facter" release="7.25.amzn1" version="1.6.18"><filename>Packages/facter-1.6.18-7.25.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-457</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-457: low priority package update for clamav</title><issued date="2014-12-08 13:12" /><updated date="2014-12-08 13:16" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6497:
1138101:
CVE-2013-6497 ClamAV: -a segmentation fault when processing files
clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497" id="CVE-2013-6497" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="clamd" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamd-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data-empty" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-data-empty-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner-sysvinit" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-scanner-sysvinit-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-server" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-server-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-update-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-data-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-scanner-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-lib" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-lib-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-devel-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="clamav-debuginfo" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-debuginfo-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-db-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-filesystem-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-server-sysvinit" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-server-sysvinit-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-milter-sysvinit" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-milter-sysvinit-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-milter" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-milter-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="clamav-server" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-server-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-milter-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamd-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-update" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-update-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="1.10.amzn1" 
version="0.98.5"><filename>Packages/clamav-db-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-debuginfo-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-lib-0.98.5-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-devel" release="1.10.amzn1" version="0.98.5"><filename>Packages/clamav-devel-0.98.5-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-458</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-458: important priority package update for rpm</title><issued date="2014-12-09 07:34" /><updated date="2014-12-10 13:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8118:
1168715:
CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing
It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

CVE-2013-6435:
1039811:
CVE-2013-6435 rpm: race condition during the installation process
It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. 
This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118" id="CVE-2014-8118" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435" id="CVE-2013-6435" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="rpm-devel" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-devel-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-sign" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-sign-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-build-libs" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-build-libs-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-python" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-python-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rpm-cron" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-cron-4.11.2-2.58.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-libs" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-libs-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rpm-apidocs" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-apidocs-4.11.2-2.58.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-debuginfo" release="2.58.amzn1" 
version="4.11.2"><filename>Packages/rpm-debuginfo-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpm-build" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-build-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rpm" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-sign" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-sign-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-build-libs" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-build-libs-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-devel" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-devel-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-python" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-python-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-debuginfo" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-debuginfo-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-build" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-build-4.11.2-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpm-libs" release="2.58.amzn1" version="4.11.2"><filename>Packages/rpm-libs-4.11.2-2.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-459</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-459: medium priority package update for openvpn</title><issued date="2014-12-10 13:25" /><updated date="2014-12-10 13:27" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2014-8104:
1166910:
CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104" id="CVE-2014-8104" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openvpn-debuginfo" release="1.12.amzn1" version="2.3.6"><filename>Packages/openvpn-debuginfo-2.3.6-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn" release="1.12.amzn1" version="2.3.6"><filename>Packages/openvpn-2.3.6-1.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-debuginfo" release="1.12.amzn1" version="2.3.6"><filename>Packages/openvpn-debuginfo-2.3.6-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn" release="1.12.amzn1" version="2.3.6"><filename>Packages/openvpn-2.3.6-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-460</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-460: medium priority package update for php-ZendFramework</title><issued date="2014-12-11 14:23" /><updated date="2014-12-11 14:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8089:
1151277:
CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)

CVE-2014-8088:
1151276:
CVE-2014-8088 php-ZendFramework: 
null byte issue, connect to LDAP without knowing the password (ZF2014-05)
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088" id="CVE-2014-8088" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089" id="CVE-2014-8089" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="php-ZendFramework-full" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-full-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Serializer-Adapter-Igbinary" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mssql" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-extras" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-extras-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" 
epoch="0" name="php-ZendFramework-Cache-Backend-Memcached" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Search-Lucene" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Libmemcached" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Auth-Adapter-Ldap" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mysql" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Apc" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Feed" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Feed-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Mysqli" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Soap" release="1.10.amzn1" 
version="1.12.9"><filename>Packages/php-ZendFramework-Soap-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Services" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Services-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Ldap" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Ldap-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Dojo" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Dojo-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-demos" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-demos-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Captcha" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Captcha-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Pdf" release="1.10.amzn1" version="1.12.9"><filename>Packages/php-ZendFramework-Pdf-1.12.9-1.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-461</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-461: critical priority package update for docker</title><issued date="2014-12-11 16:40" /><updated date="2014-12-11 16:50" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9358:
1172787:
CVE-2014-9358 docker: Path traversal and spoofing opportunities presented through image identifiers

CVE-2014-9357:
1172782:
CVE-2014-9357 docker: Escalation of privileges during 
decompression of LZMA archives

CVE-2014-9356:
1172761:
CVE-2014-9356 docker: Path traversal during processing of absolute symlinks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9357" id="CVE-2014-9357" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9356" id="CVE-2014-9356" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9358" id="CVE-2014-9358" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker-devel" release="1.0.amzn1" version="1.3.3"><filename>Packages/docker-devel-1.3.3-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-pkg-devel" release="1.0.amzn1" version="1.3.3"><filename>Packages/docker-pkg-devel-1.3.3-1.0.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker" release="1.0.amzn1" version="1.3.3"><filename>Packages/docker-1.3.3-1.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2014-462</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-462: important priority package update for ntp</title><issued date="2014-12-19 14:00" /><updated date="2014-12-19 14:09" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9296:
1176040:
CVE-2014-9296 ntp: receive() missing return on error
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.

CVE-2014-9295:
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. 
A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit.
1176037:
CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets

CVE-2014-9294:
1176035:
CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys).

CVE-2014-9293:
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. 
1176032:
CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296" id="CVE-2014-9296" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294" id="CVE-2014-9294" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295" id="CVE-2014-9295" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293" id="CVE-2014-9293" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntp" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-2.22.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-perl" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntp-perl" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-2.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-2.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="2.22.amzn1" 
version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-2.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="2.22.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-2.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-463</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-463: medium priority package update for php54</title><issued date="2015-01-08 11:35" /><updated date="2015-01-08 11:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8142:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019. 
1175718:
CVE-2014-8142 php: use after free vulnerability in unserialize()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142" id="CVE-2014-8142" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-enchant" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-enchant-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-common-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-embedded-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-debuginfo-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-xmlrpc-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-process-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-gd-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-xml-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-pdo-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.64.amzn1" 
version="5.4.36"><filename>Packages/php54-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-intl-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-cli-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-odbc-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mbstring-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-imap-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mysql-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-snmp-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-pgsql-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mcrypt-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-soap-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mysqlnd-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-devel" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-devel-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-tidy-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-pspell-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mssql-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-bcmath-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-recode-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-fpm-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-ldap-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-dba-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-bcmath-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-odbc-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-pdo-5.4.36-1.64.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php54-mcrypt" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mcrypt-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-pspell-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-snmp-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-xmlrpc-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-debuginfo-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-common-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-devel-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mssql-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-embedded-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mbstring-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-cli-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.64.amzn1" 
version="5.4.36"><filename>Packages/php54-soap-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-process-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mysql-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-ldap-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-mysqlnd-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-tidy-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-gd-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-xml-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-pgsql-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-recode-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-intl-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.64.amzn1" 
version="5.4.36"><filename>Packages/php54-dba-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-enchant-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-imap-5.4.36-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.64.amzn1" version="5.4.36"><filename>Packages/php54-fpm-5.4.36-1.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-464</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-464: medium priority package update for php55</title><issued date="2015-01-08 11:35" /><updated date="2015-01-08 11:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8142:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
1175718:
CVE-2014-8142 php: use after free vulnerability in unserialize()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142" id="CVE-2014-8142" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-process" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-process-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-enchant-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-xmlrpc-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-pspell-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-pdo-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-pgsql-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-fpm-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-xml-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-odbc-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="2.94.amzn1" 
version="5.5.20"><filename>Packages/php55-cli-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-tidy-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-soap-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-opcache-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-snmp-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mysqlnd-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-gd-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-bcmath-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-common-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-devel-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-recode-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mbstring-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-gmp" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-gmp-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mcrypt-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-intl-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-dba-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-ldap-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-imap-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-debuginfo-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-embedded-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mssql-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-xmlrpc-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="2.94.amzn1" 
version="5.5.20"><filename>Packages/php55-embedded-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-dba-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-pgsql-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-gmp-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-enchant-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-soap-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mbstring-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-ldap-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-common-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-intl-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-imap-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-pdo-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="2.94.amzn1" 
version="5.5.20"><filename>Packages/php55-mysqlnd-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-debuginfo-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-pspell-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-opcache-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-gd-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-recode-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-process-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-cli-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-devel-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-xml-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-tidy-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mcrypt-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="2.94.amzn1" 
version="5.5.20"><filename>Packages/php55-snmp-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-mssql-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-fpm-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-odbc-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-bcmath-5.5.20-2.94.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="2.94.amzn1" version="5.5.20"><filename>Packages/php55-5.5.20-2.94.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-465</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-465: important priority package update for bind</title><issued date="2015-01-08 11:36" /><updated date="2015-01-08 11:44" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8500:
A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500" id="CVE-2014-8500" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1984.html" id="RHSA-2014:1984" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" 
name="bind-chroot" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.30.rc1.35.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-466</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-466: important priority package update for jasper</title><issued date="2015-01-08 11:36" /><updated date="2015-01-08 11:43" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9029:
Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2014-8138:
A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2014-8137:
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138" id="CVE-2014-8138" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029" id="CVE-2014-9029" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137" id="CVE-2014-8137" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:2021.html" id="RHSA-2014:2021" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="jasper-libs" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-libs-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-debuginfo" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-devel" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-devel-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-utils" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="jasper-utils" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-16.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-libs" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-libs-1.900.1-16.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-devel" release="16.7.amzn1" 
version="1.900.1"><filename>Packages/jasper-devel-1.900.1-16.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-debuginfo" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-16.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper" release="16.7.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-16.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-467</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-467: medium priority package update for mailx</title><issued date="2015-01-08 11:37" /><updated date="2015-01-08 11:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7844:
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.

CVE-2004-2771:
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771" id="CVE-2004-2771" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844" id="CVE-2014-7844" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1999.html" id="RHSA-2014:1999" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mailx-debuginfo" release="8.8.amzn1" version="12.4"><filename>Packages/mailx-debuginfo-12.4-8.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mailx" release="8.8.amzn1" version="12.4"><filename>Packages/mailx-12.4-8.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mailx" release="8.8.amzn1" version="12.4"><filename>Packages/mailx-12.4-8.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mailx-debuginfo" release="8.8.amzn1" version="12.4"><filename>Packages/mailx-debuginfo-12.4-8.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-468</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-468: medium priority package update for glibc</title><issued date="2015-01-08 12:38" /><updated date="2015-01-08 12:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7817:
It was found that the wordexp() function would perform command substitution even when the WRDE_NOCMD flag was specified. An attacker able to provide specially crafted input to an application using the wordexp() function, and not sanitizing the input correctly, could potentially use this flaw to execute arbitrary commands with the credentials of the user running that application.

CVE-2014-6040:
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817" id="CVE-2014-7817" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040" id="CVE-2014-6040" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0016.html" id="RHSA-2015:0016" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="55.92.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" 
release="55.92.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.92.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.92.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.92.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.92.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.92.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-469</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-469: 
medium priority package update for openssl</title><issued date="2015-01-11 12:36" /><updated date="2015-01-11 12:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5213 CVE-2015-0206: 5214 1180235: 5215 CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record 5216 Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection. 5217 5218 CVE-2015-0205: 5219 1180239: 5220 CVE-2015-0205 openssl: DH client certificates accepted without verification 5221 The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support. 5222 5223 CVE-2015-0204: 5224 1180184: 5225 CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites 5226 The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role. 
5227 5228 CVE-2014-8275: 5229 1180187: 5230 CVE-2014-8275 openssl: Fix various certificate fingerprint issues 5231 OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. 5232 5233 CVE-2014-3572: 5234 1180185: 5235 CVE-2014-3572 openssl: ECDH downgrade bug fix 5236 The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. 5237 5238 CVE-2014-3571: 5239 OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. 5240 1180234: 5241 CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record 5242 5243 CVE-2014-3570: 5244 1180240: 5245 CVE-2014-3570 openssl: Bignum squaring may produce incorrect results 5246 The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. 
5247 5248 CVE-2014-3569: 5249 1177249: 5250 CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function 5251 The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. 5252 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571" id="CVE-2014-3571" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570" id="CVE-2014-3570" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572" id="CVE-2014-3572" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569" id="CVE-2014-3569" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275" id="CVE-2014-8275" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205" id="CVE-2015-0205" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204" id="CVE-2015-0204" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206" id="CVE-2015-0206" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-devel" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="1" name="openssl" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="1.82.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-470</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-470: important priority package update for xorg-x11-server</title><issued date="2015-01-15 14:49" /><updated date="2015-01-15 14:55" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5253 CVE-2014-8103: 5254 Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. 
A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8102:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8101:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8100:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8099:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8098:
Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.

CVE-2014-8097:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server, or leak memory contents to the client.

CVE-2014-8096:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests.
A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8095:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.

CVE-2014-8094:
An integer overflow flaw was found in the way the X.Org server calculated memory requirements for certain DRI2 extension requests. A malicious, authenticated client could use this flaw to crash the X.Org server.

CVE-2014-8093:
Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.

CVE-2014-8092:
Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.

CVE-2014-8091:
It was found that the X.Org server did not properly handle SUN-DES-1 (Secure RPC) authentication credentials. A malicious, unauthenticated client could use this flaw to crash the X.Org server by submitting a specially crafted authentication request.
5291 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099" id="CVE-2014-8099" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098" id="CVE-2014-8098" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097" id="CVE-2014-8097" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096" id="CVE-2014-8096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095" id="CVE-2014-8095" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094" id="CVE-2014-8094" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093" id="CVE-2014-8093" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092" id="CVE-2014-8092" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091" id="CVE-2014-8091" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101" id="CVE-2014-8101" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100" id="CVE-2014-8100" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103" id="CVE-2014-8103" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102" id="CVE-2014-8102" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1983.html" id="RHSA-2014:1983" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xorg-x11-server-Xorg" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xorg-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="xorg-x11-server-devel" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-devel-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-source-1.15.0-25.40.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xnest-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xdmx" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-common" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-common-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xephyr" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-common" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-common-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xnest" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xnest-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-devel" release="25.40.amzn1" 
version="1.15.0"><filename>Packages/xorg-x11-server-devel-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xorg" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xorg-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xephyr" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xvfb" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xdmx" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-25.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-debuginfo" release="25.40.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-25.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-471</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-471: critical priority package update for java-1.7.0-openjdk</title><issued date="2015-01-22 14:18" /><updated date="2015-01-22 16:46" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5292 CVE-2015-0412: 5293 Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 5294 5295 CVE-2015-0410: 5296 A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. 
A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded.

CVE-2015-0408:
Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-0407:
An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-0395:
A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack.

CVE-2014-6601:
A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.

CVE-2014-6593:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.

CVE-2014-6591:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.

CVE-2014-6587:
A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.

CVE-2014-6585:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.

CVE-2014-3566:
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
1152789:
CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" id="CVE-2014-3566" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408" id="CVE-2015-0408" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407" id="CVE-2015-0407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601" id="CVE-2014-6601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395" id="CVE-2015-0395" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" id="CVE-2015-0383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410" id="CVE-2015-0410" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591" 
id="CVE-2014-6591" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593" id="CVE-2014-6593" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587" id="CVE-2014-6587" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412" id="CVE-2015-0412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585" id="CVE-2014-6585" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0067.html" id="RHSA-2015:0067" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.53.amzn1.noarch.rpm</filename></package><package 
arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.4.0.53.amzn1" version="1.7.0.75"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-472</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-472: important priority package update for java-1.8.0-openjdk</title><issued date="2015-01-22 14:20" /><updated date="2015-01-22 16:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5330 CVE-2015-0437: 5331 Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. 5332 5333 CVE-2015-0412: 5334 Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-0410:
A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded.

CVE-2015-0408:
Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-0407:
An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-0395:
A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack.

CVE-2014-6601:
Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.

CVE-2014-6593:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake.
An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.

CVE-2014-6591:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.

CVE-2014-6587:
A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.

CVE-2014-6585:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.

CVE-2014-6549:
Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2014-3566:
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
5371 1152789: 5372 CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack 5373 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" id="CVE-2014-3566" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408" id="CVE-2015-0408" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407" id="CVE-2015-0407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601" id="CVE-2014-6601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395" id="CVE-2015-0395" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" id="CVE-2015-0383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585" id="CVE-2014-6585" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410" id="CVE-2015-0410" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0437" id="CVE-2015-0437" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593" id="CVE-2014-6593" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587" id="CVE-2014-6587" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412" id="CVE-2015-0412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549" id="CVE-2014-6549" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591" id="CVE-2014-6591" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0069.html" id="RHSA-2015:0069" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux 
AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.31-2.b13.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b13.5.amzn1" 
version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b13.5.amzn1" version="1.8.0.31"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-473</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-473: critical priority package update for glibc</title><issued date="2015-01-27 11:41" /><updated date="2015-01-28 19:57" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5374 CVE-2015-0235: 5375 1183461: 5376 CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow 5377 A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. 
5378 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235" id="CVE-2015-0235" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-utils" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="55.93.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.93.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" 
release="55.93.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.93.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.93.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.93.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.93.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-474</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-474: medium priority package update for php55</title><issued date="2015-02-11 19:33" /><updated date="2015-02-11 19:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5379 CVE-2015-0232: 5380 The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and 
application crash) via crafted EXIF data in a JPEG image.
1185472:
CVE-2015-0232 php: Free called on unitialized pointer in exif.c

CVE-2015-0231:
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

CVE-2014-9427:
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
5391 1178736: 5392 CVE-2014-9427 php: out of bounds read when parsing a crafted .php file 5393 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" id="CVE-2015-0231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427" id="CVE-2014-9427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232" id="CVE-2015-0232" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-pgsql-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-enchant-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-gd-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-pspell-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-xmlrpc-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-common-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mysqlnd-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-bcmath-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" 
release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-ldap-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-xml-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-intl-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-soap-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-debuginfo-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-opcache-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-pdo-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mcrypt-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-fpm-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mssql-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-gmp-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-cli-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-odbc" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-odbc-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-imap-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-process-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mbstring-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-dba-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-devel-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-snmp-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-recode-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-embedded-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-tidy-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.96.amzn1" 
version="5.5.21"><filename>Packages/php55-embedded-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-pspell-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mysqlnd-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-imap-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-dba-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-xmlrpc-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-xml-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-odbc-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mbstring-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-snmp-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-tidy-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-recode-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.96.amzn1" 
version="5.5.21"><filename>Packages/php55-common-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-opcache-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mcrypt-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-debuginfo-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-gmp-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-fpm-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-pdo-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-bcmath-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-ldap-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-process-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-mssql-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.96.amzn1" 
version="5.5.21"><filename>Packages/php55-enchant-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-gd-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-devel-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-pgsql-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-soap-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-intl-5.5.21-1.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.96.amzn1" version="5.5.21"><filename>Packages/php55-cli-5.5.21-1.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-475</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-475: medium priority package update for php54</title><issued date="2015-02-11 19:34" /><updated date="2015-02-11 19:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0232:
The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
1185472:
CVE-2015-0232 php: Free called on unitialized pointer in exif.c

CVE-2015-0231:
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

CVE-2014-9427:
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
1178736:
CVE-2014-9427 php: out of bounds read when parsing a crafted .php file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" id="CVE-2015-0231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427" id="CVE-2014-9427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232" id="CVE-2015-0232" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-tidy-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-intl-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-pgsql-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mcrypt-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-soap-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-gd-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-dba-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.65.amzn1"
version="5.4.37"><filename>Packages/php54-bcmath-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-ldap-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mbstring-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-devel-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-snmp-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mysqlnd-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-debuginfo-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-enchant-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-imap-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-recode-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-common-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mssql-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php54-odbc" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-odbc-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mysql-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-pspell-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-pdo-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-xmlrpc-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-cli-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-xml-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-embedded-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-process-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-fpm-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-snmp-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.65.amzn1" 
version="5.4.37"><filename>Packages/php54-debuginfo-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-pdo-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-bcmath-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mbstring-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-ldap-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-pspell-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-dba-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-intl-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-fpm-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-process-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-common-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mssql-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.65.amzn1" 
version="5.4.37"><filename>Packages/php54-pgsql-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-tidy-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-recode-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-odbc-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-imap-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-xml-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-embedded-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-enchant-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-gd-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-xmlrpc-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-cli-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mysqlnd-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.65.amzn1" 
version="5.4.37"><filename>Packages/php54-devel-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mysql-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-soap-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-5.4.37-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.65.amzn1" version="5.4.37"><filename>Packages/php54-mcrypt-5.4.37-1.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-476</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-476: medium priority package update for kernel</title><issued date="2015-02-11 19:34" /><updated date="2015-02-11 19:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8989:
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.
1170684:
CVE-2014-8989 kernel: Linux user namespaces can bypass group-based restrictions

CVE-2014-7822:
1163792:
CVE-2014-7822 kernel: splice: lack of generic write checks
A flaw was found in the way the Linux kernel's splice() system call validated its parameters.
On certain file systems, a local, unprivileged user could use this flaw to write past the maximum file size, and thus crash the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8989" id="CVE-2014-8989" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7822" id="CVE-2014-7822" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-devel-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-tools-devel-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="26.47.amzn1" version="3.14.33"><filename>Packages/perf-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-tools-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-headers-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="26.47.amzn1" version="3.14.33"><filename>Packages/perf-debuginfo-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-tools-debuginfo-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="26.47.amzn1"
version="3.14.33"><filename>Packages/kernel-debuginfo-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="26.47.amzn1" version="3.14.33"><filename>Packages/perf-debuginfo-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="26.47.amzn1" version="3.14.33"><filename>Packages/perf-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-tools-debuginfo-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-tools-devel-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-debuginfo-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-debuginfo-common-i686-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-devel-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-headers-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="26.47.amzn1" 
version="3.14.33"><filename>Packages/kernel-tools-3.14.33-26.47.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="26.47.amzn1" version="3.14.33"><filename>Packages/kernel-doc-3.14.33-26.47.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-477</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-477: medium priority package update for curl</title><issued date="2015-02-11 19:36" /><updated date="2015-02-11 19:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8150:
1178692:
CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

CVE-2014-3707:
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
1154941:
CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707" id="CVE-2014-3707" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150" id="CVE-2014-8150" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="1.49.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="1.49.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="1.49.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="1.49.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="1.49.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="1.49.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="1.49.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="1.49.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-478</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-478: medium
priority package update for e2fsprogs</title><issued date="2015-02-11 19:36" /><updated date="2015-02-11 19:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0247:
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
1187032:
CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247" id="CVE-2015-0247" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="e2fsprogs-libs" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-libs-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcom_err" release="1.34.amzn1" version="1.42.12"><filename>Packages/libcom_err-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-static" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-static-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libss-devel" release="1.34.amzn1" version="1.42.12"><filename>Packages/libss-devel-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libss" release="1.34.amzn1" version="1.42.12"><filename>Packages/libss-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-debuginfo" release="1.34.amzn1"
version="1.42.12"><filename>Packages/e2fsprogs-debuginfo-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-devel" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-devel-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcom_err-devel" release="1.34.amzn1" version="1.42.12"><filename>Packages/libcom_err-devel-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libss" release="1.34.amzn1" version="1.42.12"><filename>Packages/libss-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-libs" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-libs-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-static" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-static-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-devel" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-devel-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-debuginfo" release="1.34.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-debuginfo-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcom_err-devel" release="1.34.amzn1" version="1.42.12"><filename>Packages/libcom_err-devel-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcom_err" release="1.34.amzn1" version="1.42.12"><filename>Packages/libcom_err-1.42.12-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libss-devel" release="1.34.amzn1" 
version="1.42.12"><filename>Packages/libss-devel-1.42.12-1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-479</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-479: important priority package update for jasper</title><issued date="2015-02-11 19:37" /><updated date="2015-02-11 19:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5434 CVE-2014-8158: 5435 An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 5436 5437 CVE-2014-8157: 5438 An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 
5439 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157" id="CVE-2014-8157" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158" id="CVE-2014-8158" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0074.html" id="RHSA-2015:0074" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="jasper" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-debuginfo" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-devel" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-devel-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-utils" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-libs" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-libs-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="jasper-libs" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-libs-1.900.1-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-debuginfo" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-utils" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-devel" release="16.9.amzn1" 
version="1.900.1"><filename>Packages/jasper-devel-1.900.1-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper" release="16.9.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-16.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-480</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-480: important priority package update for java-1.6.0-openjdk</title><issued date="2015-02-11 19:38" /><updated date="2015-02-11 19:50" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5440 CVE-2015-0412: 5441 Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 5442 5443 CVE-2015-0410: 5444 A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. 5445 5446 CVE-2015-0408: 5447 Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 5448 5449 CVE-2015-0407: 5450 An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. 5451 5452 CVE-2015-0395: 5453 A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. 
CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack.

CVE-2014-6601:
A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.

CVE-2014-6593:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.

CVE-2014-6591:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.

CVE-2014-6587:
A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.

CVE-2014-6585:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.

CVE-2014-3566:
A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode.
This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. 5475 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" id="CVE-2014-3566" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408" id="CVE-2015-0408" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407" id="CVE-2015-0407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601" id="CVE-2014-6601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395" id="CVE-2015-0395" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" id="CVE-2015-0383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410" id="CVE-2015-0410" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591" id="CVE-2014-6591" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593" id="CVE-2014-6593" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587" id="CVE-2014-6587" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412" id="CVE-2015-0412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585" id="CVE-2014-6585" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0085.html" id="RHSA-2015:0085" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.6.0.69.amzn1" 
version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="67.1.13.6.0.69.amzn1" 
version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="67.1.13.6.0.69.amzn1" version="1.6.0.34"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-481</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-481: medium priority package update for libyaml</title><issued date="2015-02-11 19:38" /><updated date="2015-02-11 19:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5476 CVE-2014-9130: 5477 An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash. 
5478 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130" id="CVE-2014-9130" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0100.html" id="RHSA-2015:0100" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libyaml" release="6.7.amzn1" version="0.1.6"><filename>Packages/libyaml-0.1.6-6.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libyaml-devel" release="6.7.amzn1" version="0.1.6"><filename>Packages/libyaml-devel-0.1.6-6.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libyaml-debuginfo" release="6.7.amzn1" version="0.1.6"><filename>Packages/libyaml-debuginfo-0.1.6-6.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libyaml-devel" release="6.7.amzn1" version="0.1.6"><filename>Packages/libyaml-devel-0.1.6-6.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libyaml-debuginfo" release="6.7.amzn1" version="0.1.6"><filename>Packages/libyaml-debuginfo-0.1.6-6.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libyaml" release="6.7.amzn1" version="0.1.6"><filename>Packages/libyaml-0.1.6-6.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-482</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-482: medium priority package update for perl-YAML-LibYAML</title><issued date="2015-02-11 19:39" /><updated date="2015-02-11 19:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5479 CVE-2014-9130: 5480 1169369: 5481 CVE-2014-9130 libyaml: assert failure when processing wrapped strings 5482 An assertion failure was found in the way the 
libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash. 5483 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130" id="CVE-2014-9130" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perl-YAML-LibYAML-debuginfo" release="1.16.amzn1" version="0.59"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.59-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-YAML-LibYAML" release="1.16.amzn1" version="0.59"><filename>Packages/perl-YAML-LibYAML-0.59-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perl-YAML-LibYAML" release="1.16.amzn1" version="0.59"><filename>Packages/perl-YAML-LibYAML-0.59-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-YAML-LibYAML-debuginfo" release="1.16.amzn1" version="0.59"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.59-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-483</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-483: low priority package update for httpd24</title><issued date="2015-02-12 10:57" /><updated date="2015-02-12 11:32" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5484 CVE-2014-8109: 5485 1174077: 5486 CVE-2014-8109 httpd: LuaAuthzProvider argument handling issue 5487 mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass 
intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.

CVE-2014-3583:
1163555:
CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.

CVE-2014-3581:
1149709:
CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value
A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.

CVE-2013-5704:
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
1082903:
CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
5504 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109" id="CVE-2014-8109" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704" id="CVE-2013-5704" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581" id="CVE-2014-3581" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583" id="CVE-2014-3583" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="httpd24-manual" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-manual-2.4.10-15.58.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_session-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-tools-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_ldap-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-debuginfo-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_ssl-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_proxy_html-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="15.58.amzn1" 
version="2.4.10"><filename>Packages/httpd24-devel-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_proxy_html-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-tools-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-devel-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_ssl-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_ldap-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="15.58.amzn1" version="2.4.10"><filename>Packages/mod24_session-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-2.4.10-15.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="15.58.amzn1" version="2.4.10"><filename>Packages/httpd24-debuginfo-2.4.10-15.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-484</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-484: medium priority package update for puppet</title><issued date="2015-02-12 15:13" /><updated date="2015-02-12 15:16" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5505 CVE-2014-3248: 5506 Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. 5507 1101346: 5508 CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory 5509 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248" id="CVE-2014-3248" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="puppet-server" release="1.4.amzn1" version="2.7.25"><filename>Packages/puppet-server-2.7.25-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="puppet" release="1.4.amzn1" version="2.7.25"><filename>Packages/puppet-2.7.25-1.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-485</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-485: medium priority package update for postgresql93</title><issued date="2015-02-25 20:34" /><updated date="2015-02-25 20:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5510 CVE-2015-0244: 5511 1188694: 5512 CVE-2015-0244 postgresql: loss of 
frontend/backend protocol synchronization after an error 5513 A flaw was found in way PostgreSQL handled certain errors during that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection. 5514 5515 CVE-2015-0243: 5516 A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. 5517 1188689: 5518 CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto 5519 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244" id="CVE-2015-0244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243" id="CVE-2015-0243" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-docs-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-server-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-pltcl-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-contrib-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.56.amzn1" 
version="9.3.6"><filename>Packages/postgresql93-plperl-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-plpython-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-test-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-libs-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-debuginfo-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-devel-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-libs-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-server-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-plperl-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-plpython-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-test-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.56.amzn1" 
version="9.3.6"><filename>Packages/postgresql93-devel-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-pltcl-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-debuginfo-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-docs-9.3.6-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.56.amzn1" version="9.3.6"><filename>Packages/postgresql93-contrib-9.3.6-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-486</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-486: medium priority package update for clamav</title><issued date="2015-03-04 15:52" /><updated date="2015-03-04 16:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5520 CVE-2014-9328: 5521 1187050: 5522 CVE-2014-9328 clamav: heap out of bounds condition with crafted upack packer files 5523 ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition." 
5524 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328" id="CVE-2014-9328" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="clamav-lib" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-lib-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-server" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-server-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-debuginfo" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-debuginfo-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-scanner-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-milter" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-milter-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-update-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-milter-sysvinit" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-milter-sysvinit-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-data-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-db-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="clamd" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamd-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-devel-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner-sysvinit" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-scanner-sysvinit-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-filesystem-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data-empty" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-data-empty-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-server-sysvinit" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-server-sysvinit-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="clamav-update" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-update-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-db-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-server" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-server-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-debuginfo-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-lib-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="1.11.amzn1" 
version="0.98.6"><filename>Packages/clamd-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-devel" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-devel-0.98.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="1.11.amzn1" version="0.98.6"><filename>Packages/clamav-milter-0.98.6-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-487</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-487: medium priority package update for graphviz</title><issued date="2015-03-04 15:53" /><updated date="2015-03-04 16:12" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9157:
1167866:
CVE-2014-9157 graphviz: format string vulnerability
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vector, which are not properly handled in an error string.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157" id="CVE-2014-9157" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-debuginfo" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-debuginfo-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-gd" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-gd-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-doc" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-doc-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-R" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-R-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-guile" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-guile-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-lua" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-lua-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-java" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-java-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-ruby" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-ruby-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-graphs" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-graphs-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="graphviz-devel" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-devel-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-perl" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-perl-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-tcl" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-tcl-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-python" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-python-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-php54" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-php54-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-python" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-python-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php54" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-php54-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-perl" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-perl-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-ruby" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-ruby-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-guile" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-guile-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-R" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-R-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-devel" release="18.44.amzn1" 
version="2.38.0"><filename>Packages/graphviz-devel-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-debuginfo" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-debuginfo-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-graphs" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-graphs-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-tcl" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-tcl-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-java" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-java-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-doc" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-doc-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-lua" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-lua-2.38.0-18.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-gd" release="18.44.amzn1" version="2.38.0"><filename>Packages/graphviz-gd-2.38.0-18.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-488</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-488: medium priority package update for graphviz-php</title><issued date="2015-03-04 15:53" /><updated date="2015-03-04 16:12" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9157:
1167866:
CVE-2014-9157 graphviz: format string vulnerability
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vector, which are not properly handled in an error string.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157" id="CVE-2014-9157" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-php" release="18.40.amzn1" version="2.38.0"><filename>Packages/graphviz-php-2.38.0-18.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php" release="18.40.amzn1" version="2.38.0"><filename>Packages/graphviz-php-2.38.0-18.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-489</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-489: medium priority package update for kernel</title><issued date="2015-03-05 09:31" /><updated date="2015-03-05 09:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0274:
1195248:
CVE-2015-0274 kernel: xfs: replacing remote attributes memory corruption
A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to XFS file system mount could potentially use this flaw to escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0274" id="CVE-2015-0274" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-tools-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-headers-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-tools-devel-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-debuginfo-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="27.48.amzn1" version="3.14.34"><filename>Packages/perf-debuginfo-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-devel-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-tools-debuginfo-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="27.48.amzn1"
version="3.14.34"><filename>Packages/perf-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-headers-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-devel-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-tools-devel-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-debuginfo-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-debuginfo-common-i686-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-tools-debuginfo-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="27.48.amzn1" version="3.14.34"><filename>Packages/kernel-tools-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="27.48.amzn1" version="3.14.34"><filename>Packages/perf-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="27.48.amzn1" version="3.14.34"><filename>Packages/perf-debuginfo-3.14.34-27.48.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="27.48.amzn1" 
version="3.14.34"><filename>Packages/kernel-doc-3.14.34-27.48.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-490</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-490: medium priority package update for bind</title><issued date="2015-03-13 02:33" /><updated date="2015-03-13 02:47" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1349:
A flaw was found in the way BIND handled trust anchor management. A remote attacker could use this flaw to cause the BIND daemon (named) to crash under certain conditions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349" id="CVE-2015-1349" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0672.html" id="RHSA-2015:0672" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.30.rc1.36.amzn1"
version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.30.rc1.36.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-491</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-491: low priority package update for kernel</title><issued date="2015-03-13 02:34" 
/><updated date="2015-03-13 02:47" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1593:
1192519:
CVE-2015-1593 kernel: Linux stack ASLR implementation Integer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1593" id="CVE-2015-1593" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-tools-devel-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-devel-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="28.38.amzn1" version="3.14.35"><filename>Packages/perf-debuginfo-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-debuginfo-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-headers-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-tools-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="28.38.amzn1"
version="3.14.35"><filename>Packages/kernel-tools-debuginfo-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="28.38.amzn1" version="3.14.35"><filename>Packages/perf-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-headers-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-tools-debuginfo-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="28.38.amzn1" version="3.14.35"><filename>Packages/perf-debuginfo-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-debuginfo-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-debuginfo-common-i686-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-tools-devel-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-tools-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="28.38.amzn1" 
version="3.14.35"><filename>Packages/kernel-devel-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="28.38.amzn1" version="3.14.35"><filename>Packages/perf-3.14.35-28.38.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="28.38.amzn1" version="3.14.35"><filename>Packages/kernel-doc-3.14.35-28.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-492</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-492: medium priority package update for postgresql92</title><issued date="2015-03-13 02:37" /><updated date="2015-03-13 02:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0244:
1188694:
CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error
A flaw was found in way PostgreSQL handled certain errors during that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection.

CVE-2015-0243:
A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
1188689:
CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto

CVE-2015-0242:
1188688:
CVE-2015-0242 postgresql: buffer overflow flaws in replacement *printf() functions
A buffer overflow flaw was found in the PostgreSQL's internal printf() implementation. An authenticated database user could use a specially crafted string in an SQL query to cause PostgreSQL to crash or, potentially, lead to privilege escalation.

CVE-2015-0241:
1188684:
CVE-2015-0241 postgresql: buffer overflow in the to_char() function
A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL.

CVE-2014-8161:
An information leak flaw was found in the way certain the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed.
1182043:
CVE-2014-8161 postgresql: information leak through constraint violation errors

CVE-2014-0067:
1065863:
CVE-2014-0067 postgresql: Vulnerability during "make check"
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244" id="CVE-2015-0244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161" id="CVE-2014-8161" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241" id="CVE-2015-0241" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243" id="CVE-2015-0243" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242" id="CVE-2015-0242" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0067" id="CVE-2014-0067" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-server-compat-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-test-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-devel-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-docs-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-pltcl-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib"
release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-contrib-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-debuginfo-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-libs-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-server-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-plpython-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-plperl-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-test-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-libs-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-docs-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-plperl-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-debuginfo-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql92-plpython" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-plpython-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-devel-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-server-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-pltcl-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-contrib-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-server-compat-9.2.10-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.49.amzn1" version="9.2.10"><filename>Packages/postgresql92-9.2.10-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-493</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-493: critical priority package update for php54</title><issued date="2015-03-13 10:00" /><updated date="2015-03-13 10:03" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0273:
1194730:
CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone

CVE-2015-0235:
1183461:
CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235" id="CVE-2015-0235" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273" id="CVE-2015-0273" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-ldap" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-ldap-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-dba-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-pspell-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-common-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-devel-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-pdo-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mcrypt-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.66.amzn1"
version="5.4.38"><filename>Packages/php54-mysql-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-recode-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-enchant-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mssql-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-intl-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-odbc-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-bcmath-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-imap-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-snmp-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-debuginfo-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-gd-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-tidy" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-tidy-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-fpm-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-xmlrpc-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-embedded-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-process-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-cli-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-pgsql-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mysqlnd-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-soap-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-xml-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mbstring-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.66.amzn1" 
version="5.4.38"><filename>Packages/php54-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-pspell-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mcrypt-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-debuginfo-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-common-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mysql-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-soap-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mssql-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mbstring-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-tidy-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-enchant-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-mysqlnd-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" 
release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-xml-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-pgsql-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-fpm-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-cli-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-imap-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-intl-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-process-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-snmp-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-devel-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-bcmath-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-recode-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-dba-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.66.amzn1" 
version="5.4.38"><filename>Packages/php54-ldap-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-embedded-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-gd-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-pdo-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-xmlrpc-5.4.38-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.66.amzn1" version="5.4.38"><filename>Packages/php54-odbc-5.4.38-1.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-494</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-494: critical priority package update for php55</title><issued date="2015-03-23 08:29" /><updated date="2015-03-23 08:54" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0273:
1194730:
CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone
A use-after-free flaw was found in the unserialize() function of PHP's DateTimeZone implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.

CVE-2015-0235:
1183461:
CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235" id="CVE-2015-0235" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273" id="CVE-2015-0273" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-pspell" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-pspell-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-dba-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-snmp-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-odbc-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-xml-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mssql-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.98.amzn1" 
version="5.5.22"><filename>Packages/php55-debuginfo-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-tidy-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-opcache-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-recode-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-process-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-xmlrpc-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mysqlnd-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-embedded-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-imap-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-gmp-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-ldap-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-bcmath" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-bcmath-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-soap-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-pgsql-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-enchant-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-gd-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-cli-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-fpm-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-common-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-pdo-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mbstring-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mcrypt-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.98.amzn1" 
version="5.5.22"><filename>Packages/php55-devel-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-intl-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-gd-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-process-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-soap-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-pgsql-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-cli-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-odbc-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-imap-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mssql-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-opcache-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-devel-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.98.amzn1" 
version="5.5.22"><filename>Packages/php55-bcmath-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-dba-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mysqlnd-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-xml-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mcrypt-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-recode-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-common-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-tidy-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-enchant-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-fpm-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-ldap-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-snmp-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.98.amzn1" 
version="5.5.22"><filename>Packages/php55-intl-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-pspell-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-pdo-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-xmlrpc-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-mbstring-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-embedded-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-debuginfo-5.5.22-1.98.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.98.amzn1" version="5.5.22"><filename>Packages/php55-gmp-5.5.22-1.98.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-495</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-495: medium priority package update for glibc</title><issued date="2015-03-23 08:30" /><updated date="2015-03-23 08:55" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8121:
1165192:
CVE-2014-8121 glibc: Unexpected closing of nss_files databases after lookups causes denial of service
It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service.

CVE-2014-6040:
1135841:
CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040" id="CVE-2014-6040" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8121" id="CVE-2014-8121" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="55.139.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" 
release="55.139.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.139.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="55.139.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.139.amzn1" 
version="2.17"><filename>Packages/glibc-utils-2.17-55.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.139.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.139.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-496</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-496: medium priority package update for ntp</title><issued date="2015-03-23 08:31" /><updated date="2015-03-23 08:57" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5606 CVE-2014-9298: 5607 1184572: 5608 CVE-2014-9298 ntp: drop packets with source address ::1 5609 5610 CVE-2014-9297: 5611 1184573: 5612 CVE-2014-9297 ntp: vallen in extension fields are not validated 5613 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297" id="CVE-2014-9297" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298" id="CVE-2014-9298" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ntp-perl" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-27.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-27.23.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-27.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-27.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" 
release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-27.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-27.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-27.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="27.23.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-27.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-497</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-497: medium priority package update for file</title><issued date="2015-03-23 08:32" /><updated date="2015-03-23 09:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5614 CVE-2014-9653: 5615 1190116: 5616 CVE-2014-9653 file: malformed elf file causes access to uninitialized memory 5617 5618 CVE-2014-9621: 5619 The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string. 5620 1180642: 5621 CVE-2014-9621 file: limit string printing to 100 chars 5622 5623 CVE-2014-9620: 5624 1180639: 5625 CVE-2014-9620 file: limit the number of ELF notes processed 5626 The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes. 5627 5628 CVE-2014-8117: 5629 softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. 
5630 1174606: 5631 CVE-2014-8117 file: denial of service issue (resource consumption) 5632 5633 CVE-2014-8116: 5634 The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. 5635 1171580: 5636 CVE-2014-8116 file: multiple denial of service issues (resource consumption) 5637 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620" id="CVE-2014-9620" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116" id="CVE-2014-8116" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9653" id="CVE-2014-9653" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621" id="CVE-2014-9621" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117" id="CVE-2014-8117" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="file-devel" release="2.29.amzn1" version="5.22"><filename>Packages/file-devel-5.22-2.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python26-magic" release="2.29.amzn1" version="5.22"><filename>Packages/python26-magic-5.22-2.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-debuginfo" release="2.29.amzn1" version="5.22"><filename>Packages/file-debuginfo-5.22-2.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python27-magic" release="2.29.amzn1" version="5.22"><filename>Packages/python27-magic-5.22-2.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="2.29.amzn1" version="5.22"><filename>Packages/file-5.22-2.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="file-libs" release="2.29.amzn1" version="5.22"><filename>Packages/file-libs-5.22-2.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="2.29.amzn1" version="5.22"><filename>Packages/file-static-5.22-2.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="2.29.amzn1" version="5.22"><filename>Packages/file-debuginfo-5.22-2.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="2.29.amzn1" version="5.22"><filename>Packages/file-devel-5.22-2.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="2.29.amzn1" version="5.22"><filename>Packages/file-libs-5.22-2.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="2.29.amzn1" version="5.22"><filename>Packages/file-static-5.22-2.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="2.29.amzn1" version="5.22"><filename>Packages/file-5.22-2.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-498</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-498: medium priority package update for openssl</title><issued date="2015-03-23 13:42" /><updated date="2015-03-23 13:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5638 CVE-2015-0293: 5639 A denial of service flaw was found in the way OpenSSL handled certain SSLv2 messages. A malicious client could send a specially crafted SSLv2 CLIENT-MASTER-KEY message that would cause an OpenSSL server that both supports SSLv2 and enables EXPORT-grade cipher suites to crash. 
1202404:
CVE-2015-0293 openssl: assertion failure in SSLv2 servers

CVE-2015-0289:
1202384:
CVE-2015-0289 openssl: PKCS7 NULL pointer dereference
A null-pointer dereference was found in the way OpenSSL handled certain PKCS#7 blobs. An attacker could cause OpenSSL to crash, when applications verify, decrypt or parse these ASN.1 encoded PKCS#7 blobs. OpenSSL clients and servers are not affected.

CVE-2015-0288:
A NULL pointer dereference flaw was found in OpenSSL's x509 certificate handling implementation. A remote attacker could use this flaw to crash an OpenSSL server using an invalid certificate key.
1202418:
CVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference

CVE-2015-0287:
1202380:
CVE-2015-0287 openssl: ASN.1 structure reuse memory corruption
An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash.

CVE-2015-0286:
1202366:
CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp()
A flaw was found in the ASN (Abstract Syntax Notation) parsing code of OpenSSL. An attacker could present a specially crafted certificate, which when verified by an OpenSSL client or server could cause it to crash.

CVE-2015-0209:
A use-after-free flaw was found in the way OpenSSL imported certain Elliptic Curve private keys. An attacker could use this flaw to crash OpenSSL, if a specially-crafted certificate was imported.
5665 1196737: 5666 CVE-2015-0209 openssl: use-after-free on invalid EC private key import 5667 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209" id="CVE-2015-0209" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293" id="CVE-2015-0293" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287" id="CVE-2015-0287" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286" id="CVE-2015-0286" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289" id="CVE-2015-0289" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288" id="CVE-2015-0288" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-static" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="openssl-perl" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="1.84.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-1.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-499</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-499: low priority package update for pigz</title><issued date="2015-04-01 13:32" /><updated date="2015-04-01 17:01" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5668 CVE-2015-1191: 5669 1181045: 5670 CVE-2015-1191 pigz: directory traversal vulnerability 5671 Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. 
5672 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1191" id="CVE-2015-1191" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pigz" release="1.6.amzn1" version="2.3.3"><filename>Packages/pigz-2.3.3-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pigz-debuginfo" release="1.6.amzn1" version="2.3.3"><filename>Packages/pigz-debuginfo-2.3.3-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pigz" release="1.6.amzn1" version="2.3.3"><filename>Packages/pigz-2.3.3-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pigz-debuginfo" release="1.6.amzn1" version="2.3.3"><filename>Packages/pigz-debuginfo-2.3.3-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-500</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-500: low priority package update for gpgme</title><issued date="2015-04-01 13:32" /><updated date="2015-04-01 17:02" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5673 CVE-2014-3564: 5674 1113267: 5675 CVE-2014-3564 gpgme: heap-based buffer overflow in gpgsm status handler 5676 Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order." 
5677 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3564" id="CVE-2014-3564" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gpgme-devel" release="5.15.amzn1" version="1.4.3"><filename>Packages/gpgme-devel-1.4.3-5.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gpgme-debuginfo" release="5.15.amzn1" version="1.4.3"><filename>Packages/gpgme-debuginfo-1.4.3-5.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gpgme" release="5.15.amzn1" version="1.4.3"><filename>Packages/gpgme-1.4.3-5.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gpgme-devel" release="5.15.amzn1" version="1.4.3"><filename>Packages/gpgme-devel-1.4.3-5.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gpgme" release="5.15.amzn1" version="1.4.3"><filename>Packages/gpgme-1.4.3-5.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gpgme-debuginfo" release="5.15.amzn1" version="1.4.3"><filename>Packages/gpgme-debuginfo-1.4.3-5.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-501</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-501: important priority package update for 389-ds-base</title><issued date="2015-04-01 13:49" /><updated date="2015-04-01 17:03" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5678 CVE-2014-8112: 5679 1172729: 5680 CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off 5681 It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing 
of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. 5682 5683 CVE-2014-8105: 5684 An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. 5685 1167858: 5686 CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree 5687 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8112" id="CVE-2014-8112" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8105" id="CVE-2014-8105" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-devel-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-debuginfo-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-libs-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-debuginfo-1.3.2.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="1.27.amzn1" 
version="1.3.2.27"><filename>Packages/389-ds-base-devel-1.3.2.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-libs-1.3.2.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="1.27.amzn1" version="1.3.2.27"><filename>Packages/389-ds-base-1.3.2.27-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-502</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-502: important priority package update for freetype</title><issued date="2015-04-01 13:56" /><updated date="2015-04-01 17:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5688 CVE-2014-9675: 5689 Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory. 5690 5691 CVE-2014-9674: 5692 Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled Mac fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. 5693 5694 CVE-2014-9673: 5695 Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled Mac fonts. 
If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

CVE-2014-9671:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9670:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9669:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9667:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9664:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9663:
Multiple flaws were found in the way FreeType handled fonts in various formats.
If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9661:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9660:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9658:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.

CVE-2014-9657:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
5726 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9663" id="CVE-2014-9663" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9657" id="CVE-2014-9657" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9661" id="CVE-2014-9661" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9660" id="CVE-2014-9660" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9667" id="CVE-2014-9667" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9664" id="CVE-2014-9664" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9669" id="CVE-2014-9669" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9658" id="CVE-2014-9658" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9674" id="CVE-2014-9674" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675" id="CVE-2014-9675" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9670" id="CVE-2014-9670" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9671" id="CVE-2014-9671" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9673" id="CVE-2014-9673" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0696.html" id="RHSA-2015:0696" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="freetype-debuginfo" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="freetype-demos" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype-devel" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freetype" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="freetype-debuginfo" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-debuginfo-2.3.11-15.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-demos" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-demos-2.3.11-15.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-2.3.11-15.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freetype-devel" release="15.14.amzn1" version="2.3.11"><filename>Packages/freetype-devel-2.3.11-15.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-503</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-503: medium priority package update for postgresql8</title><issued date="2015-04-15 21:47" /><updated date="2015-04-15 22:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5727 CVE-2015-0244: 5728 A flaw was found in the way PostgreSQL handled certain errors that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection. 5729 5730 CVE-2015-0243: 5731 A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module. 
An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL. 5732 5733 CVE-2015-0241: 5734 A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL. 5735 5736 CVE-2014-8161: 5737 An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed. 5738 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244" id="CVE-2015-0244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161" id="CVE-2014-8161" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241" id="CVE-2015-0241" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243" id="CVE-2015-0243" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0750.html" id="RHSA-2015:0750" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql8-devel" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql8-docs" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-2.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="2.48.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-2.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-504</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-504: medium priority package update for unzip</title><issued date="2015-04-15 21:48" /><updated date="2015-04-15 22:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2014-9636:
A buffer overflow was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash or, possibly, execute arbitrary code when the archive was tested with unzip's '-t' option.

CVE-2014-8141:
A buffer overflow flaw was found in the way unzip handled Zip64 files. A specially crafted Zip archive could possibly cause unzip to crash when the archive was uncompressed.

CVE-2014-8140:
An integer underflow flaw, leading to a buffer overflow, was found in the way unzip uncompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option.

CVE-2014-8139:
A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option.
5750 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139" id="CVE-2014-8139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141" id="CVE-2014-8141" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140" id="CVE-2014-8140" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9636" id="CVE-2014-9636" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0700.html" id="RHSA-2015:0700" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="unzip-debuginfo" release="2.9.amzn1" version="6.0"><filename>Packages/unzip-debuginfo-6.0-2.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="unzip" release="2.9.amzn1" version="6.0"><filename>Packages/unzip-6.0-2.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="unzip-debuginfo" release="2.9.amzn1" version="6.0"><filename>Packages/unzip-debuginfo-6.0-2.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="unzip" release="2.9.amzn1" version="6.0"><filename>Packages/unzip-6.0-2.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-505</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-505: important priority package update for flac</title><issued date="2015-04-15 21:48" /><updated date="2015-04-15 22:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 5751 CVE-2014-9028: 5752 A buffer overflow flaw was found in the way flac decoded FLAC audio files. 
An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash or execute arbitrary code when the file was read.

CVE-2014-8962:
A buffer over-read flaw was found in the way flac processed certain ID3v2 metadata. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash when the file was read.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962" id="CVE-2014-8962" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9028" id="CVE-2014-9028" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0767.html" id="RHSA-2015:0767" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="flac-devel" release="7.7.amzn1" version="1.2.1"><filename>Packages/flac-devel-1.2.1-7.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="flac" release="7.7.amzn1" version="1.2.1"><filename>Packages/flac-1.2.1-7.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="flac-debuginfo" release="7.7.amzn1" version="1.2.1"><filename>Packages/flac-debuginfo-1.2.1-7.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="flac" release="7.7.amzn1" version="1.2.1"><filename>Packages/flac-1.2.1-7.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="flac-devel" release="7.7.amzn1" version="1.2.1"><filename>Packages/flac-devel-1.2.1-7.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="flac-debuginfo" release="7.7.amzn1" version="1.2.1"><filename>Packages/flac-debuginfo-1.2.1-7.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2015-506</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-506: important priority package update for php54</title><issued date="2015-04-15 21:49" /><updated date="2015-04-15 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2331:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
1204676:
CVE-2015-2331 libzip: integer overflow when processing ZIP archives

CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures

CVE-2015-0231:
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" id="CVE-2015-0231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331" id="CVE-2015-2331" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" id="CVE-2015-2305" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-mssql" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mssql-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mysqlnd-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-dba-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-odbc-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-imap-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-pspell-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" 
release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-embedded-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-xmlrpc-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-debuginfo-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-fpm-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-tidy-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-recode-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-cli-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-ldap-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-xml-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-process-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-common-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php54-bcmath" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-bcmath-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-snmp-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-gd-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-devel-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mysql-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mcrypt-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-pdo-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-enchant-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-soap-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-pgsql-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-intl-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.67.amzn1" 
version="5.4.39"><filename>Packages/php54-mbstring-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-xmlrpc-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-devel-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-pdo-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mcrypt-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-fpm-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-pgsql-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-odbc-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-ldap-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-cli-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mssql-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.67.amzn1" 
version="5.4.39"><filename>Packages/php54-debuginfo-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-process-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-intl-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-snmp-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-dba-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mysqlnd-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-tidy-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-gd-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-embedded-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-pspell-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-recode-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-xml-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.67.amzn1" 
version="5.4.39"><filename>Packages/php54-mysql-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-imap-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-bcmath-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-common-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-mbstring-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-soap-5.4.39-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.67.amzn1" version="5.4.39"><filename>Packages/php54-enchant-5.4.39-1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-507</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-507: important priority package update for php55</title><issued date="2015-04-15 21:49" /><updated date="2015-04-15 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2331:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
1204676:
CVE-2015-2331 libzip: integer overflow when processing ZIP archives

CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures

CVE-2015-0231:
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" id="CVE-2015-0231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331" id="CVE-2015-2331" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" id="CVE-2015-2305" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-gd" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-gd-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-cli-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mssql-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-common-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-gmp-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-process-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-ldap-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-pdo-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.99.amzn1" 
version="5.5.23"><filename>Packages/php55-mcrypt-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-embedded-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-enchant-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mbstring-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-soap-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-pspell-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-recode-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mysqlnd-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-imap-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-opcache-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-xml-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-intl-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-snmp" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-snmp-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-devel-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-pgsql-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-fpm-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-tidy-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-dba-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-debuginfo-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-xmlrpc-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-bcmath-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-odbc-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.99.amzn1" 
version="5.5.23"><filename>Packages/php55-embedded-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mysqlnd-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-common-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-devel-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-pgsql-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-recode-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-intl-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-cli-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-gd-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-bcmath-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-ldap-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mcrypt-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.99.amzn1" 
version="5.5.23"><filename>Packages/php55-xmlrpc-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-process-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-gmp-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-snmp-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mssql-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-tidy-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-imap-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-opcache-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-pspell-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-xml-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-debuginfo-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.99.amzn1" 
version="5.5.23"><filename>Packages/php55-fpm-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-pdo-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-soap-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-odbc-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-mbstring-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-enchant-5.5.23-1.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.99.amzn1" version="5.5.23"><filename>Packages/php55-dba-5.5.23-1.99.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-508</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-508: important priority package update for php56</title><issued date="2015-04-15 21:50" /><updated date="2015-04-15 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2331:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
1204676:
CVE-2015-2331 libzip: integer overflow when processing ZIP archives

CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures

CVE-2015-0231:
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" id="CVE-2015-0231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331" id="CVE-2015-2331" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" id="CVE-2015-2305" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-pgsql-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-fpm-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-common-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mbstring-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-cli-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-bcmath-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-recode-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-process-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.110.amzn1" 
version="5.6.7"><filename>Packages/php56-ldap-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-snmp-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-xmlrpc-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mcrypt-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-intl-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-pdo-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mssql-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-imap-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-devel-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-soap-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mysqlnd-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php56-enchant" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-enchant-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-pspell-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-tidy-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-embedded-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-dbg-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-dba-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-gd-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-gmp-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-opcache-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-debuginfo-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-odbc-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.110.amzn1" 
version="5.6.7"><filename>Packages/php56-xml-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-gd-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-bcmath-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mysqlnd-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-gmp-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-imap-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-devel-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-soap-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-ldap-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-dbg-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-pdo-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-common-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.110.amzn1" 
version="5.6.7"><filename>Packages/php56-embedded-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-enchant-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-xmlrpc-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mssql-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-odbc-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-xml-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-fpm-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-intl-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mcrypt-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-pspell-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-snmp-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.110.amzn1" 
version="5.6.7"><filename>Packages/php56-dba-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-pgsql-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-opcache-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-recode-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-process-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-debuginfo-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-cli-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-tidy-5.6.7-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.110.amzn1" version="5.6.7"><filename>Packages/php56-mbstring-5.6.7-1.110.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-509</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-509: important priority package update for php54</title><issued date="2015-04-17 12:04" /><updated date="2015-06-15 14:29" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3329:
A buffer overflow flaw was found in the way PHP's Phar
extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1213449:
CVE-2015-3329 php: buffer overflow in phar_set_inode()

CVE-2015-2783:


CVE-2015-2301:
1194747:
CVE-2015-2301 php: use after free in phar_object.c
A use-after-free flaw was found in PHP's phar (PHP Archive) paths implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.

CVE-2015-1352:
1185904:
CVE-2015-1352 php: NULL pointer dereference in pgsql extension
A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to function as pg_insert() or pg_select() could cause a PHP application to crash.

CVE-2014-9709:
1188639:
CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c
A buffer over-read flaw was found in the GD library. A specially crafted GIF file could cause an application using the gdImageCreateFromGif() function to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783" id="CVE-2015-2783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329" id="CVE-2015-3329" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301" id="CVE-2015-2301" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352" id="CVE-2015-1352" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709" id="CVE-2014-9709" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mbstring-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-dba-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-soap-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-pgsql-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-xml-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-devel-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-tidy-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.68.amzn1"
version="5.4.40"><filename>Packages/php54-enchant-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-common-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mysqlnd-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-gd-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-snmp-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-odbc-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-intl-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-debuginfo-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-pdo-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-process-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-bcmath-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-pspell" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-pspell-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-xmlrpc-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-fpm-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-embedded-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-recode-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mssql-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mcrypt-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-ldap-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-cli-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mysql-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-imap-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.68.amzn1" 
version="5.4.40"><filename>Packages/php54-mysqlnd-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-xmlrpc-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-devel-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-pgsql-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-enchant-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-cli-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-soap-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-dba-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mysql-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-ldap-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-pdo-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-recode-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.68.amzn1" 
version="5.4.40"><filename>Packages/php54-tidy-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-common-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-process-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-intl-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-fpm-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-snmp-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-debuginfo-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-odbc-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-embedded-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-xml-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-gd-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.68.amzn1" 
version="5.4.40"><filename>Packages/php54-mcrypt-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mssql-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-mbstring-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-imap-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-pspell-5.4.40-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.68.amzn1" version="5.4.40"><filename>Packages/php54-bcmath-5.4.40-1.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-510</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-510: low priority package update for php55</title><issued date="2015-04-17 12:04" /><updated date="2015-06-15 14:29" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3329:
A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1213449:
CVE-2015-3329 php: buffer overflow in phar_set_inode()

CVE-2015-1352:
1185904:
CVE-2015-1352 php: NULL pointer dereference in pgsql extension
A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to function as pg_insert() or pg_select() could cause a PHP application to crash.
CVE-2015-1351:
1185900:
CVE-2015-1351 php: use after free in opcache extension
A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of portion of server memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329" id="CVE-2015-3329" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351" id="CVE-2015-1351" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352" id="CVE-2015-1352" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-dba" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-dba-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mysqlnd-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-process-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-cli-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-imap-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mcrypt-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-embedded-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.100.amzn1"
version="5.5.24"><filename>Packages/php55-snmp-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-intl-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-common-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-gmp-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-ldap-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-pdo-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-fpm-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-bcmath-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-tidy-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-opcache-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-enchant-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mbstring-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-devel" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-devel-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-gd-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-debuginfo-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-soap-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-xmlrpc-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-pgsql-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-pspell-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-xml-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mssql-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-recode-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.100.amzn1" 
version="5.5.24"><filename>Packages/php55-odbc-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-tidy-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-process-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-snmp-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-enchant-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-opcache-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mssql-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-pgsql-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-gmp-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-xml-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-ldap-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-debuginfo-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-mysqlnd" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mysqlnd-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-dba-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-odbc-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-devel-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-common-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-imap-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-recode-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mbstring-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-pdo-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-pspell-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-gd-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-bcmath-5.5.24-1.100.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php55" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-xmlrpc-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-intl-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-embedded-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-mcrypt-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-soap-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-cli-5.5.24-1.100.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.100.amzn1" version="5.5.24"><filename>Packages/php55-fpm-5.5.24-1.100.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-511</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-511: low priority package update for php56</title><issued date="2015-04-17 12:04" /><updated date="2015-06-15 14:29" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3329:
A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives.
A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1213449:
CVE-2015-3329 php: buffer overflow in phar_set_inode()

CVE-2015-1352:
1185904:
CVE-2015-1352 php: NULL pointer dereference in pgsql extension
A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to function as pg_insert() or pg_select() could cause a PHP application to crash.

CVE-2015-1351:
1185900:
CVE-2015-1351 php: use after free in opcache extension
A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of portion of server memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329" id="CVE-2015-3329" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351" id="CVE-2015-1351" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352" id="CVE-2015-1352" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mbstring-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-debuginfo-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-ldap-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-bcmath-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.111.amzn1"
version="5.6.8"><filename>Packages/php56-pdo-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-snmp-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mssql-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-tidy-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-pgsql-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mysqlnd-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-cli-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mcrypt-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-dbg-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-xml-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-process-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-intl-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php56-odbc" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-odbc-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-enchant-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-gmp-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-xmlrpc-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-embedded-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-dba-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-gd-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-imap-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-devel-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-recode-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-opcache-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.111.amzn1" 
version="5.6.8"><filename>Packages/php56-soap-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-common-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-fpm-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-pspell-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-recode-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-process-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-opcache-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-odbc-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-common-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-xmlrpc-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-enchant-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" 
release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-intl-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-bcmath-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mysqlnd-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-ldap-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-fpm-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-cli-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-devel-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-soap-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-gmp-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-debuginfo-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-tidy-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mssql-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" 
release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-imap-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mcrypt-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-pdo-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-dba-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-snmp-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-dbg-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-mbstring-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-pgsql-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-xml-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-gd-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.111.amzn1" version="5.6.8"><filename>Packages/php56-embedded-5.6.8-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.111.amzn1" 
version="5.6.8"><filename>Packages/php56-pspell-5.6.8-1.111.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-512</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-512: medium priority package update for python-botocore</title><issued date="2015-04-17 15:25" /><updated date="2015-04-17 15:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2296:
A flaw was found in the way python-requests set the domain cookie parameter for certain HTTP responses. A remote attacker could use this flaw to modify a cookie to be sent to an arbitrary URL.
1202904:
CVE-2015-2296 python-requests: session fixation and cookie stealing vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296" id="CVE-2015-2296" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python26-botocore" release="1.7.amzn1" version="0.103.0"><filename>Packages/python26-botocore-0.103.0-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-botocore" release="1.7.amzn1" version="0.103.0"><filename>Packages/python27-botocore-0.103.0-1.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-513</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-513: medium priority package update for glibc</title><issued date="2015-04-22 16:12" /><updated date="2015-04-23 21:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1781:
A
buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.

CVE-2013-7423:
It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781" id="CVE-2015-1781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7423" id="CVE-2013-7423" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0863.html" id="RHSA-2015:0863" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nscd" release="55.142.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="55.142.amzn1"
version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.142.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="55.142.amzn1" version="2.17"><filename>Packages/nscd-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="glibc-static" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-55.142.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="55.142.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-55.142.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-514</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-514: medium priority package update for curl</title><issued date="2015-04-22 16:14" /><updated date="2015-04-23 21:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3148:
1213351:
CVE-2015-3148 curl: "Negotiate" not treated as connection-oriented

CVE-2015-3145:
1213347:
CVE-2015-3145 curl: cookie parser out of boundary memory access

CVE-2015-3144:
1213335:
CVE-2015-3144 curl: host name out of boundary memory access

CVE-2015-3143:
1213306:
CVE-2015-3143 curl: re-using authenticated connection when unauthenticated
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143" id="CVE-2015-3143" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3148" id="CVE-2015-3148" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145" id="CVE-2015-3145" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3144" id="CVE-2015-3144" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="3.50.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="libcurl" release="3.50.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="3.50.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="3.50.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="3.50.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="3.50.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="3.50.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="3.50.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-3.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-515</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-515: important priority package update for java-1.6.0-openjdk</title><issued date="2015-04-23 00:44" /><updated date="2015-04-23 21:03" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.

CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.

CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.

CVE-2015-0477:
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.

CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469" id="CVE-2015-0469" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478" id="CVE-2015-0478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480" id="CVE-2015-0480" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477" id="CVE-2015-0477" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488" id="CVE-2015-0488" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080" id="CVE-2005-1080" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460" id="CVE-2015-0460" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0808.html" id="RHSA-2015:0808" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc"
release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.7.1.70.amzn1" version="1.6.0.35"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-516</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-516: important priority package update for java-1.7.0-openjdk</title><issued date="2015-04-23 00:44" /><updated date="2015-04-23 21:04" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.

CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.

CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.

CVE-2015-0477:
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.

CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469" id="CVE-2015-0469" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478" id="CVE-2015-0478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480" id="CVE-2015-0480" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477" id="CVE-2015-0477" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488" id="CVE-2015-0488" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080" id="CVE-2005-1080" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460" id="CVE-2015-0460" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0806.html" id="RHSA-2015:0806" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.59.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk"
release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.5.5.1.59.amzn1" version="1.7.0.79"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-517</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-517: important priority package update for java-1.8.0-openjdk</title><issued date="2015-05-05 15:44" /><updated date="2015-05-05 16:13" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options.
A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.

CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.

CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.

CVE-2015-0477:
Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-0470:
Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.

CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080" id="CVE-2005-1080" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469" id="CVE-2015-0469" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478" id="CVE-2015-0478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480" id="CVE-2015-0480" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477" id="CVE-2015-0477" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460" id="CVE-2015-0460" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0470" id="CVE-2015-0470" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488" id="CVE-2015-0488" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0809.html" id="RHSA-2015:0809" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="30.b13.5.amzn1"
version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="30.b13.5.amzn1" version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="30.b13.5.amzn1" 
version="1.8.0.45"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-518</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-518: medium priority package update for krb5</title><issued date="2015-05-05 15:44" /><updated date="2015-05-05 16:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9422:
It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user.

CVE-2014-9421:
A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets.

CVE-2014-5355:
It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.

CVE-2014-5353:
If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.

CVE-2014-5352:
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353" id="CVE-2014-5353" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352" id="CVE-2014-5352" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421" id="CVE-2014-9421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355" id="CVE-2014-5355" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422" id="CVE-2014-9422" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0794.html" id="RHSA-2015:0794" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-devel" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="37.29.amzn1"
version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-devel-1.10.3-37.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-pkinit-openssl-1.10.3-37.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-server-ldap-1.10.3-37.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-debuginfo-1.10.3-37.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-libs-1.10.3-37.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-workstation-1.10.3-37.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="37.29.amzn1" version="1.10.3"><filename>Packages/krb5-server-1.10.3-37.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-519</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-519: medium priority package update for xorg-x11-server</title><issued date="2015-05-05 15:55" /><updated 
date="2015-05-05 16:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0255:
A buffer over-read flaw was found in the way the X.Org server handled XkbGetGeometry requests. A malicious, authorized client could use this flaw to disclose portions of the X.Org server memory, or cause the X.Org server to crash using a specially crafted XkbGetGeometry request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255" id="CVE-2015-0255" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0797.html" id="RHSA-2015:0797" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xorg-x11-server-Xorg" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xorg-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xvfb" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xdmx" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-debuginfo" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-devel" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-devel-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="xorg-x11-server-source" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-source-1.15.0-26.41.amzn1.noarch.rpm</filename></package><package arch="x86_64"
epoch="0" name="xorg-x11-server-Xephyr" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-common" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-common-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xorg-x11-server-Xnest" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xnest-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xnest" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xnest-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xorg" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xorg-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-devel" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-devel-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xephyr" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xvfb" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-Xdmx" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-common" release="26.41.amzn1" version="1.15.0"><filename>Packages/xorg-x11-server-common-1.15.0-26.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xorg-x11-server-debuginfo" release="26.41.amzn1" 
version="1.15.0"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-26.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-520</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-520: important priority package update for ntp</title><issued date="2015-05-05 15:56" /><updated date="2015-05-24 14:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1799:
1199435:
CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.

CVE-2015-1798:
1199430:
CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798" id="CVE-2015-1798" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799" id="CVE-2015-1799" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntp" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-30.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-30.24.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-30.24.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-30.24.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-30.24.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-30.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-30.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="30.24.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-30.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-521</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-521: low priority package update for python-tornado</title><issued date="2015-05-05 21:31"
/><updated date="2015-05-06 15:14" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2099:
A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.
963260:
CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099" id="CVE-2013-2099" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python27-tornado" release="7.7.amzn1" version="2.2.1"><filename>Packages/python27-tornado-2.2.1-7.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python26-tornado" release="7.7.amzn1" version="2.2.1"><filename>Packages/python26-tornado-2.2.1-7.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-tornado-doc" release="7.7.amzn1" version="2.2.1"><filename>Packages/python27-tornado-doc-2.2.1-7.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python26-tornado-doc" release="7.7.amzn1" version="2.2.1"><filename>Packages/python26-tornado-doc-2.2.1-7.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-522</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-522: critical priority package update for docker</title><issued date="2015-05-07 13:37" /><updated date="2015-05-06 13:37"
/><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3631:
reserved

CVE-2015-3630:
reserved

CVE-2015-3629:
reserved

CVE-2015-3627:
reserved
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631" id="CVE-2015-3631" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630" id="CVE-2015-3630" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629" id="CVE-2015-3629" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627" id="CVE-2015-3627" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker" release="1.3.amzn1" version="1.6.0"><filename>Packages/docker-1.6.0-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-pkg-devel" release="1.3.amzn1" version="1.6.0"><filename>Packages/docker-pkg-devel-1.6.0-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-devel" release="1.3.amzn1" version="1.6.0"><filename>Packages/docker-devel-1.6.0-1.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-523</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-523: medium priority package update for kernel</title><issued date="2015-05-14 14:27" /><updated date="2015-05-14 23:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3636:
1218074:
CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation
It was found
that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system.

CVE-2015-3331:
It was found that the Linux kernel did not correctly decrypt fragmented network packets when using the Intel AES-NI instructions for the AES algorithm. A remote attacker could use this flaw to crash a system by sending specially crafted AES-encrypted packets to that system.
A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a connection with an active AEC-GCM mode IPSec security association.
1213322:
CVE-2015-3331 Kernel: crypto: buffer overruns in RFC4106 implementation using AESNI
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3331" id="CVE-2015-3331" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636" id="CVE-2015-3636" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-debuginfo-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="31.38.amzn1" version="3.14.42"><filename>Packages/perf-debuginfo-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-tools-debuginfo-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-devel-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-headers-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-tools-devel-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools"
release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-tools-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="31.38.amzn1" version="3.14.42"><filename>Packages/perf-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="31.38.amzn1" version="3.14.42"><filename>Packages/perf-debuginfo-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-tools-devel-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-tools-debuginfo-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-tools-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="31.38.amzn1" version="3.14.42"><filename>Packages/perf-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-debuginfo-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-debuginfo-common-i686-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-headers-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="31.38.amzn1" 
version="3.14.42"><filename>Packages/kernel-devel-3.14.42-31.38.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="31.38.amzn1" version="3.14.42"><filename>Packages/kernel-doc-3.14.42-31.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-524</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-524: medium priority package update for php</title><issued date="2015-05-14 14:31" /><updated date="2015-05-14 23:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" id="CVE-2015-2305" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php-common" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-common-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysqlnd" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mysqlnd-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-gd" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-gd-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xml" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-xml-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-devel" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-devel-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pspell" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-pspell-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-debuginfo" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-debuginfo-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pdo" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-pdo-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-enchant" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-enchant-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php-odbc" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-odbc-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-fpm" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-fpm-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-snmp" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-snmp-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mcrypt" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mcrypt-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-intl" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-intl-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-pgsql" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-pgsql-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mysql" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mysql-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-dba" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-dba-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mbstring" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mbstring-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-cli" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-cli-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-recode" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-recode-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-soap" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-soap-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-embedded" release="1.8.amzn1" 
version="5.3.29"><filename>Packages/php-embedded-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-process" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-process-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-bcmath" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-bcmath-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-mssql" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mssql-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-tidy" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-tidy-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-imap" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-imap-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-xmlrpc" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-xmlrpc-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php-ldap" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-ldap-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php-gd" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-gd-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-soap" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-soap-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xmlrpc" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-xmlrpc-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-debuginfo" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-debuginfo-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-devel" release="1.8.amzn1" 
version="5.3.29"><filename>Packages/php-devel-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-cli" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-cli-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mcrypt" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mcrypt-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-dba" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-dba-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mssql" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mssql-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-bcmath" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-bcmath-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mbstring" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mbstring-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-snmp" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-snmp-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pdo" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-pdo-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-intl" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-intl-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-imap" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-imap-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-common" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-common-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-tidy" release="1.8.amzn1" 
version="5.3.29"><filename>Packages/php-tidy-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-fpm" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-fpm-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-ldap" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-ldap-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-recode" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-recode-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-xml" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-xml-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysqlnd" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mysqlnd-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-process" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-process-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-odbc" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-odbc-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pgsql" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-pgsql-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-pspell" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-pspell-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-mysql" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-mysql-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-embedded" release="1.8.amzn1" 
version="5.3.29"><filename>Packages/php-embedded-5.3.29-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php-enchant" release="1.8.amzn1" version="5.3.29"><filename>Packages/php-enchant-5.3.29-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-525</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-525: medium priority package update for tomcat6</title><issued date="2015-05-14 14:33" /><updated date="2015-05-14 23:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0227:
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227" id="CVE-2014-0227" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0991.html" id="RHSA-2015:0991" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-docs-webapp-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-admin-webapps-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-jsp-2.1-api-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-webapps-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-javadoc-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-lib-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.2.amzn1" version="6.0.43"><filename>Packages/tomcat6-el-2.1-api-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.2.amzn1"
version="6.0.43"><filename>Packages/tomcat6-servlet-2.5-api-6.0.43-1.2.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-526</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-526: medium priority package update for tomcat7</title><issued date="2015-05-14 14:38" /><updated date="2015-05-14 23:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0227:
1109196:
CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service.

CVE-2014-0099:
1102030:
CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.

CVE-2014-0096:
1088342:
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.

CVE-2014-0075:
1072776:
CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075" id="CVE-2014-0075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096" id="CVE-2014-0096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099" id="CVE-2014-0099" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227" id="CVE-2014-0227" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-admin-webapps-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-el-2.2-api-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-webapps-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-log4j-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0"
name="tomcat7-jsp-2.2-api" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-jsp-2.2-api-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-docs-webapp-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-servlet-3.0-api-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-javadoc-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.8.amzn1" version="7.0.59"><filename>Packages/tomcat7-lib-7.0.59-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-527</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-527: medium priority package update for tomcat8</title><issued date="2015-05-14 14:40" /><updated date="2015-05-14 23:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0227:
1109196:
CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service.

CVE-2014-0099:
1102030:
CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.

CVE-2014-0096:
1088342:
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.

CVE-2014-0075:
1072776:
CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075" id="CVE-2014-0075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096" id="CVE-2014-0096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099" id="CVE-2014-0099" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227" id="CVE-2014-0227" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-admin-webapps-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-servlet-3.1-api-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-docs-webapp-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-jsp-2.3-api-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-webapps-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-log4j-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-javadoc-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.53.amzn1"
version="8.0.20"><filename>Packages/tomcat8-lib-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-el-3.0-api-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.53.amzn1" version="8.0.20"><filename>Packages/tomcat8-8.0.20-1.53.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-528</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-528: low priority package update for pcre</title><issued date="2015-05-27 14:03" /><updated date="2015-05-27 15:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8964:
A flaw was found in the way PCRE handled certain malformed regular expressions. This issue could cause an application (for example, Konqueror) linked against PCRE to crash while parsing malicious regular expressions.
1166147:
CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964" id="CVE-2014-8964" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pcre-static" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-static-8.21-7.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-8.21-7.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-debuginfo" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-debuginfo-8.21-7.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-devel" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-devel-8.21-7.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-tools" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-tools-8.21-7.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pcre-devel" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-devel-8.21-7.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre-debuginfo" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-debuginfo-8.21-7.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre-static" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-static-8.21-7.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre-tools" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-tools-8.21-7.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre" release="7.7.amzn1" version="8.21"><filename>Packages/pcre-8.21-7.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-529</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-529: medium priority package update for ruby18</title><issued date="2015-05-27 14:05" /><updated date="2015-05-27 15:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" id="CVE-2015-1855" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby18-debuginfo" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby18-static" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-static-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby18" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby18-devel" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-devel-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby18-libs" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-libs-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby18-ri" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-ri-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby18-irb" release="2.42.4.amzn1"
version="0.9.5"><filename>Packages/ruby18-irb-0.9.5-2.42.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby18-rdoc" release="2.42.4.amzn1" version="1.0.1"><filename>Packages/ruby18-rdoc-1.0.1-2.42.4.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby18-static" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-static-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby18-libs" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-libs-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby18-ri" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-ri-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby18-debuginfo" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby18-devel" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-devel-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby18" release="2.42.4.amzn1" version="1.8.7.374"><filename>Packages/ruby18-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-530</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-530: medium priority package update for ruby19</title><issued date="2015-05-27 14:05" /><updated date="2015-05-27 15:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" id="CVE-2015-1855" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems19-devel" release="32.66.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-devel-1.8.23.2-32.66.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-debuginfo" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby19-irb" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-irb-1.9.3.551-32.66.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-doc-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19" release="32.66.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-1.8.23.2-32.66.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-devel-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="32.66.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.66.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="32.66.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-32.66.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="32.66.amzn1" 
version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.66.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="32.66.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-32.66.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rake" release="32.66.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-32.66.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-libs-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="32.66.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="32.66.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-libs-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="32.66.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-doc-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="32.66.amzn1" 
version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="32.66.amzn1" version="1.9.3.551"><filename>Packages/ruby19-devel-1.9.3.551-32.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-531</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-531: medium priority package update for ruby20</title><issued date="2015-05-27 14:05" /><updated date="2015-05-27 15:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" id="CVE-2015-1855" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" release="1.25.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.25.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.25.amzn1"
version="2.0.0.645"><filename>Packages/ruby20-doc-2.0.0.645-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-irb" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-irb-2.0.0.645-1.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-devel-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20" release="1.25.amzn1" version="2.0.14"><filename>Packages/rubygems20-2.0.14-1.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-libs-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.25.amzn1" version="2.0.14"><filename>Packages/rubygems20-devel-2.0.14-1.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.25.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.25.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.25.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-libs-2.0.0.645-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.25.amzn1" 
version="2.0.0.645"><filename>Packages/ruby20-devel-2.0.0.645-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.25.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.25.amzn1" version="2.0.0.645"><filename>Packages/ruby20-2.0.0.645-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-532</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-532: medium priority package update for ruby21</title><issued date="2015-05-27 14:06" /><updated date="2015-05-27 15:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" id="CVE-2015-1855" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby21-devel" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-devel-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-irb" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-irb-2.1.6-1.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21-devel" release="1.16.amzn1" version="2.2.3"><filename>Packages/rubygems21-devel-2.2.3-1.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-bigdecimal" release="1.16.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.16.amzn1.x86_64.rpm</filename></package><package
arch="noarch" epoch="0" name="rubygems21" release="1.16.amzn1" version="2.2.3"><filename>Packages/rubygems21-2.2.3-1.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-debuginfo" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-debuginfo-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-io-console" release="1.16.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-libs" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-libs-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-psych" release="1.16.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.16.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-doc" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-doc-2.1.6-1.16.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-io-console" release="1.16.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-debuginfo" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-debuginfo-2.1.6-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-bigdecimal" release="1.16.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-2.1.6-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-psych" release="1.16.amzn1" 
version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-libs" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-libs-2.1.6-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-devel" release="1.16.amzn1" version="2.1.6"><filename>Packages/ruby21-devel-2.1.6-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-533</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-533: medium priority package update for ruby22</title><issued date="2015-05-27 14:06" /><updated date="2015-05-27 15:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" id="CVE-2015-1855" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems22-devel" release="1.5.amzn1" version="2.4.5"><filename>Packages/rubygems22-devel-2.4.5-1.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-libs" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-libs-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-debuginfo" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-debuginfo-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-devel" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-devel-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" 
name="ruby22-doc" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-doc-2.2.2-1.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-bigdecimal" release="1.5.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-psych" release="1.5.amzn1" version="2.0.8"><filename>Packages/rubygem22-psych-2.0.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-io-console" release="1.5.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.5.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22" release="1.5.amzn1" version="2.4.5"><filename>Packages/rubygems22-2.4.5-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-irb" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-irb-2.2.2-1.5.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-libs" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-libs-2.2.2-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-psych" release="1.5.amzn1" version="2.0.8"><filename>Packages/rubygem22-psych-2.0.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-2.2.2-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-io-console" release="1.5.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-debuginfo" release="1.5.amzn1" 
version="2.2.2"><filename>Packages/ruby22-debuginfo-2.2.2-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-devel" release="1.5.amzn1" version="2.2.2"><filename>Packages/ruby22-devel-2.2.2-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-bigdecimal" release="1.5.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-534</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-534: important priority package update for php54</title><issued date="2015-06-02 22:20" /><updated date="2015-06-02 22:33" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4026:
1223422:
CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.

CVE-2015-4025:
1223408:
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.

CVE-2015-4024:
1222485:
CVE-2015-4024 php: multipart/form-data request paring CPU usage DoS
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.

CVE-2015-4022:
An integer overflow flaw leading to a heap based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
1223412:
CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing
1223412:
CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow

CVE-2015-4021:
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name

CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()

CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021" id="CVE-2015-4021" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022" id="CVE-2015-4022" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025" id="CVE-2015-4025" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024" id="CVE-2015-4024" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026" id="CVE-2015-4026" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" id="CVE-2015-2325" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" id="CVE-2015-2326" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-intl" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-intl-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mysql-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-common-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-gd-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-tidy-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-ldap-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mssql-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-imap-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-xml-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.69.amzn1" 
version="5.4.41"><filename>Packages/php54-embedded-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-cli-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-enchant-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-pdo-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-odbc-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-soap-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-pgsql-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-pspell-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-recode-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mysqlnd-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-process-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-debuginfo-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-xmlrpc-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-devel-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-fpm-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-dba-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-bcmath-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mcrypt-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-snmp-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mbstring-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-enchant-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mssql-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mbstring-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.69.amzn1" 
version="5.4.41"><filename>Packages/php54-pdo-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-gd-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-pgsql-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mysql-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-odbc-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-soap-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-embedded-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-imap-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-bcmath-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-process-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-recode-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mysqlnd-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.69.amzn1" 
version="5.4.41"><filename>Packages/php54-fpm-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-xmlrpc-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-mcrypt-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-snmp-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-tidy-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-cli-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-intl-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-dba-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-debuginfo-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-ldap-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-xml-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-pspell-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.69.amzn1" 
version="5.4.41"><filename>Packages/php54-devel-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-common-5.4.41-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.69.amzn1" version="5.4.41"><filename>Packages/php54-5.4.41-1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-535</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-535: medium priority package update for php55</title><issued date="2015-06-02 22:21" /><updated date="2015-06-02 22:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4026:
1223422:
CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.

CVE-2015-4025:
1223408:
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.

CVE-2015-4024:
1222485:
CVE-2015-4024 php: multipart/form-data request paring CPU usage DoS
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.

CVE-2015-4022:
An integer overflow flaw leading to a heap based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
1223412:
CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing
1223412:
CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow

CVE-2015-4021:
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021" id="CVE-2015-4021" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022" id="CVE-2015-4022" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025" id="CVE-2015-4025" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024" id="CVE-2015-4024" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026" id="CVE-2015-4026" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mbstring-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.101.amzn1" 
version="5.5.25"><filename>Packages/php55-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-xmlrpc-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-cli-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-recode-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-devel-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-gmp-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-enchant-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-process-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-pgsql-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-debuginfo-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-gd-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-soap-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-intl" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-intl-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-ldap-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-odbc-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-xml-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-pspell-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-opcache-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-dba-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-embedded-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-tidy-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mssql-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-snmp-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.101.amzn1" 
version="5.5.25"><filename>Packages/php55-common-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-imap-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-fpm-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mysqlnd-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-pdo-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-bcmath-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mcrypt-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-xml-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-soap-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-dba-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-imap-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-pspell-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-gd" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-gd-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-intl-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-opcache-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-tidy-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-fpm-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mssql-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-enchant-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mysqlnd-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-cli-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-pdo-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-devel-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-snmp" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-snmp-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-xmlrpc-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mcrypt-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-recode-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-common-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-bcmath-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-debuginfo-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-embedded-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-odbc-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-mbstring-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-ldap-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.101.amzn1" 
version="5.5.25"><filename>Packages/php55-pgsql-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-gmp-5.5.25-1.101.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.101.amzn1" version="5.5.25"><filename>Packages/php55-process-5.5.25-1.101.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-536</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-536: important priority package update for php56</title><issued date="2015-06-02 22:22" /><updated date="2015-06-02 22:33" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4026:
1223422:
CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.

CVE-2015-4025:
1223408:
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.

CVE-2015-4024:
1222485:
CVE-2015-4024 php: multipart/form-data request paring CPU usage DoS
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.

CVE-2015-4022:
An integer overflow flaw leading to a heap based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
1223412:
CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing
1223412:
CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow

CVE-2015-4021:
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name

CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()

CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021" id="CVE-2015-4021" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022" id="CVE-2015-4022" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025" id="CVE-2015-4025" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024" id="CVE-2015-4024" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026" id="CVE-2015-4026" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" id="CVE-2015-2325" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" id="CVE-2015-2326" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-enchant" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-enchant-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-gmp-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mysqlnd-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-imap-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-pgsql-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-common-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-soap-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-intl-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-debuginfo-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.112.amzn1" 
version="5.6.9"><filename>Packages/php56-opcache-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-embedded-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-dba-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-tidy-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mssql-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-fpm-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-snmp-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-ldap-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-dbg-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-bcmath-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-xmlrpc-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-process-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php56-gd" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-gd-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-devel-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mbstring-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-recode-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mcrypt-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-pspell-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-pdo-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-odbc-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-cli-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-xml-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-ldap-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-bcmath-5.6.9-1.112.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-cli" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-cli-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-intl-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-devel-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-common-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-imap-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-gd-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mysqlnd-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mssql-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-enchant-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-debuginfo-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-process-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-fpm-5.6.9-1.112.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-pdo" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-pdo-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-odbc-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-xml-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mcrypt-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-recode-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-dba-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-xmlrpc-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-pgsql-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-mbstring-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-pspell-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-embedded-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-gmp" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-gmp-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-soap-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-opcache-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-tidy-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-snmp-5.6.9-1.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.112.amzn1" version="5.6.9"><filename>Packages/php56-dbg-5.6.9-1.112.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-537</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-537: medium priority package update for clamav</title><issued date="2015-06-02 22:23" /><updated date="2015-06-02 22:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2668:
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file.
1217208:
CVE-2015-2668 clamav: Infinite loop condition on a crafted "xz" archive file

CVE-2015-2222:
1217207:
CVE-2015-2222 clamav: crash on crafted petite packed file
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file.

CVE-2015-2221:
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file.
1217206:
CVE-2015-2221: clamav Infinite loop condition on crafted y0da cryptor file

CVE-2015-2170:
The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted file.
1217209:
CVE-2015-2170: clamav: Crash in upx decoder with crafted file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2221" id="CVE-2015-2221" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2170" id="CVE-2015-2170" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2222" id="CVE-2015-2222" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2668" id="CVE-2015-2668" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="clamav" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-filesystem-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-update-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-server-sysvinit" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-server-sysvinit-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-scanner-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0"
name="clamd" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamd-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-server" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-server-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-milter" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-milter-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-milter-sysvinit" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-milter-sysvinit-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-db-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-debuginfo" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-debuginfo-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-lib" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-lib-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data-empty" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-data-empty-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-data-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner-sysvinit" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-scanner-sysvinit-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-devel-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="1.12.amzn1" 
version="0.98.7"><filename>Packages/clamd-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-db-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-debuginfo-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-lib-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-server" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-server-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-devel" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-devel-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-update" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-update-0.98.7-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="1.12.amzn1" version="0.98.7"><filename>Packages/clamav-milter-0.98.7-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-538</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-538: important priority package update for 389-ds-base</title><issued date="2015-06-02 22:24" /><updated date="2015-06-02 22:37" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1854:
A flaw was found in the way Red Hat Directory Server performed
authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server.
1209573:
CVE-2015-1854 389-ds-base: access control bypass with modrdn
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1854" id="CVE-2015-1854" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-devel-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-libs-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-devel-1.3.3.1-16.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-libs-1.3.3.1-16.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="16.41.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-1.3.3.1-16.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="16.41.amzn1"
version="1.3.3.1"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-539</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-539: medium priority package update for chrony</title><issued date="2015-06-02 22:25" /><updated date="2015-06-02 22:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1853:
1209572:
CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks

CVE-2015-1822:
1209632:
CVE-2015-1822 chrony: uninitialized pointer in cmdmon reply slots
chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.

CVE-2015-1821:
Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.
1209631:
CVE-2015-1821 chrony: Heap out of bound write in address filter
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1822" id="CVE-2015-1822" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1853" id="CVE-2015-1853" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1821" id="CVE-2015-1821" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="chrony-debuginfo" release="1.13.amzn1" version="1.31.1"><filename>Packages/chrony-debuginfo-1.31.1-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="chrony" release="1.13.amzn1" version="1.31.1"><filename>Packages/chrony-1.31.1-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="chrony-debuginfo" release="1.13.amzn1" version="1.31.1"><filename>Packages/chrony-debuginfo-1.31.1-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="chrony" release="1.13.amzn1" version="1.31.1"><filename>Packages/chrony-1.31.1-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-540</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-540: low priority package update for libjpeg-turbo</title><issued date="2015-06-11 08:08" /><updated date="2015-06-11 08:09" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9092:
1169845:
CVE-2014-9092 libjpeg-turbo: denial of service via specially-crafted JPEG file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9092" id="CVE-2014-9092" title="" type="cve"
/></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libjpeg-turbo-debuginfo" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-devel" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-devel-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-utils" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-utils-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="turbojpeg-devel" release="5.10.amzn1" version="1.2.90"><filename>Packages/turbojpeg-devel-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-static" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-static-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="turbojpeg" release="5.10.amzn1" version="1.2.90"><filename>Packages/turbojpeg-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-static" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-static-1.2.90-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="turbojpeg-devel" release="5.10.amzn1" version="1.2.90"><filename>Packages/turbojpeg-devel-1.2.90-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-devel" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-devel-1.2.90-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-debuginfo" release="5.10.amzn1" 
version="1.2.90"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-utils" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-utils-1.2.90-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo" release="5.10.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-1.2.90-5.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="turbojpeg" release="5.10.amzn1" version="1.2.90"><filename>Packages/turbojpeg-1.2.90-5.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-541</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-541: medium priority package update for python-pip</title><issued date="2015-06-11 08:08" /><updated date="2015-06-11 08:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6226 CVE-2015-2296: 6227 A flaw was found in the way python-requests set the domain cookie parameter for certain HTTP responses. A remote attacker could use this flaw to modify a cookie to be sent to an arbitrary URL. 
6228 1202904: 6229 CVE-2015-2296 python-requests: session fixation and cookie stealing vulnerability 6230 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296" id="CVE-2015-2296" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python26-pip" release="1.20.amzn1" version="6.1.1"><filename>Packages/python26-pip-6.1.1-1.20.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-pip" release="1.20.amzn1" version="6.1.1"><filename>Packages/python27-pip-6.1.1-1.20.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python34-pip" release="1.20.amzn1" version="6.1.1"><filename>Packages/python34-pip-6.1.1-1.20.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-542</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-542: low priority package update for e2fsprogs</title><issued date="2015-06-16 10:26" /><updated date="2015-06-16 11:37" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6231 CVE-2015-0247: 6232 A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code. 
6233 1187032: 6234 CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002) 6235 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247" id="CVE-2015-0247" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcom_err" release="4.35.amzn1" version="1.42.12"><filename>Packages/libcom_err-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-debuginfo" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-debuginfo-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcom_err-devel" release="4.35.amzn1" version="1.42.12"><filename>Packages/libcom_err-devel-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-devel" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-devel-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libss-devel" release="4.35.amzn1" version="1.42.12"><filename>Packages/libss-devel-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-libs" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-libs-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libss" release="4.35.amzn1" version="1.42.12"><filename>Packages/libss-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="e2fsprogs-static" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-static-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="e2fsprogs-devel" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-devel-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcom_err-devel" release="4.35.amzn1" version="1.42.12"><filename>Packages/libcom_err-devel-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-static" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-static-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-libs" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-libs-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcom_err" release="4.35.amzn1" version="1.42.12"><filename>Packages/libcom_err-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs-debuginfo" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-debuginfo-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libss-devel" release="4.35.amzn1" version="1.42.12"><filename>Packages/libss-devel-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="e2fsprogs" release="4.35.amzn1" version="1.42.12"><filename>Packages/e2fsprogs-1.42.12-4.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libss" release="4.35.amzn1" version="1.42.12"><filename>Packages/libss-1.42.12-4.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-543</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-543: medium priority package update for libcap-ng</title><issued date="2015-06-16 10:27" /><updated date="2015-06-16 11:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3215:
1095855:
CVE-2014-3215 policycoreutils: local privilege escalation via seunshare
A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid() system call, among others, also sets the saved set-user-ID when dropping the binaries' process privileges, could allow a local, unprivileged user to potentially escalate their privileges on the system. Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215" id="CVE-2014-3215" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcap-ng" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcap-ng-debuginfo" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-debuginfo-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcap-ng-python" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-python-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcap-ng-devel" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-devel-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcap-ng-utils" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-utils-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcap-ng-utils" release="5.13.amzn1"
version="0.7.3"><filename>Packages/libcap-ng-utils-0.7.3-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcap-ng-python" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-python-0.7.3-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcap-ng-debuginfo" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-debuginfo-0.7.3-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcap-ng" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-0.7.3-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcap-ng-devel" release="5.13.amzn1" version="0.7.3"><filename>Packages/libcap-ng-devel-0.7.3-5.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-544</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-544: medium priority package update for kernel</title><issued date="2015-06-16 10:28" /><updated date="2015-06-16 11:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3215:
1095855:
CVE-2014-3215 policycoreutils: local privilege escalation via seunshare
A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid() system call, among others, also sets the saved set-user-ID when dropping the binaries' process privileges, could allow a local, unprivileged user to potentially escalate their privileges on the system.
Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215" id="CVE-2014-3215" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-tools-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-debuginfo-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-headers-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="32.39.amzn1" version="3.14.44"><filename>Packages/perf-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-devel-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="32.39.amzn1" version="3.14.44"><filename>Packages/perf-debuginfo-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="32.39.amzn1"
version="3.14.44"><filename>Packages/kernel-tools-debuginfo-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-tools-devel-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-tools-debuginfo-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="32.39.amzn1" version="3.14.44"><filename>Packages/perf-debuginfo-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-tools-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-debuginfo-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-headers-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-debuginfo-common-i686-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-tools-devel-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="32.39.amzn1" version="3.14.44"><filename>Packages/perf-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="32.39.amzn1" 
version="3.14.44"><filename>Packages/kernel-devel-3.14.44-32.39.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="32.39.amzn1" version="3.14.44"><filename>Packages/kernel-doc-3.14.44-32.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-545</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-545: medium priority package update for postgresql92</title><issued date="2015-06-16 10:29" /><updated date="2015-06-16 11:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3165:
1221537:
CVE-2015-3165 postgresql: double-free after authentication timeout
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165" id="CVE-2015-3165" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-contrib-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-plpython27-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-server-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-debuginfo-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-libs-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-server-compat-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-pltcl-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-plpython26-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test"
release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-test-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-plperl-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-devel-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-docs-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-plpython26-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-docs-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-contrib-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-debuginfo-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-plpython27-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-server-compat-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-libs-9.2.13-1.54.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="postgresql92-server" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-server-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-pltcl-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-test-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-plperl-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-9.2.13-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.54.amzn1" version="9.2.13"><filename>Packages/postgresql92-devel-9.2.13-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-546</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-546: medium priority package update for postgresql93</title><issued date="2015-06-16 10:29" /><updated date="2015-06-16 11:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3165:
1221537:
CVE-2015-3165 postgresql: double-free after authentication timeout
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165" id="CVE-2015-3165" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-docs-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-debuginfo-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-pltcl-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-devel-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-server-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-plpython27-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-test-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-libs-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-plpython26-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.58.amzn1"
version="9.3.9"><filename>Packages/postgresql93-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-contrib-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-plperl-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-plpython26-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-debuginfo-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-devel-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-plperl-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-libs-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-docs-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-pltcl-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.58.amzn1" 
version="9.3.9"><filename>Packages/postgresql93-test-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-plpython27-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-contrib-9.3.9-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.58.amzn1" version="9.3.9"><filename>Packages/postgresql93-server-9.3.9-1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-547</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-547: medium priority package update for ruby20</title><issued date="2015-06-16 10:30" /><updated date="2015-06-18 20:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4020:
Incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.

CVE-2015-3900:
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020" id="CVE-2015-4020" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900" id="CVE-2015-3900" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.27.amzn1" version="2.0.14"><filename>Packages/rubygems20-devel-2.0.14-1.27.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.27.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-libs-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-devel-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20" release="1.27.amzn1" version="2.0.14"><filename>Packages/rubygems20-2.0.14-1.27.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.27.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" release="1.27.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.27.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0"
name="ruby20-irb" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-irb-2.0.0.645-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-doc-2.0.0.645-1.27.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-devel-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.27.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.27.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.27.amzn1" version="2.0.0.645"><filename>Packages/ruby20-libs-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.27.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-548</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-548: medium priority package update for ruby21</title><issued date="2015-06-16 10:30" /><updated date="2015-06-18 20:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2015-4020:
Incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.

CVE-2015-3900:
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020" id="CVE-2015-4020" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900" id="CVE-2015-3900" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="rubygems21" release="1.17.amzn1" version="2.2.3"><filename>Packages/rubygems21-2.2.3-1.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-libs" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-libs-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21-devel" release="1.17.amzn1" version="2.2.3"><filename>Packages/rubygems21-devel-2.2.3-1.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-bigdecimal" release="1.17.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-debuginfo" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-debuginfo-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-devel" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-devel-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-doc" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-doc-2.1.6-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-irb" release="1.17.amzn1"
version="2.1.6"><filename>Packages/ruby21-irb-2.1.6-1.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-psych" release="1.17.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-io-console" release="1.17.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-devel" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-devel-2.1.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-libs" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-libs-2.1.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-2.1.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-bigdecimal" release="1.17.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-io-console" release="1.17.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-debuginfo" release="1.17.amzn1" version="2.1.6"><filename>Packages/ruby21-debuginfo-2.1.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-psych" release="1.17.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-549</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2015-549: medium priority package update for ruby22</title><issued date="2015-06-16 10:30" /><updated date="2015-06-18 20:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4020:
Incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.

CVE-2015-3900:
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020" id="CVE-2015-4020" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900" id="CVE-2015-3900" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby22-devel" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-devel-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-doc" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-doc-2.2.2-1.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-libs" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-libs-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-io-console" release="1.6.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-debuginfo" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-debuginfo-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-irb" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-irb-2.2.2-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22-devel"
release="1.6.amzn1" version="2.4.5"><filename>Packages/rubygems22-devel-2.4.5-1.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-psych" release="1.6.amzn1" version="2.0.8"><filename>Packages/rubygem22-psych-2.0.8-1.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22" release="1.6.amzn1" version="2.4.5"><filename>Packages/rubygems22-2.4.5-1.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-bigdecimal" release="1.6.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-io-console" release="1.6.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-devel" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-devel-2.2.2-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-libs" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-libs-2.2.2-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-debuginfo" release="1.6.amzn1" version="2.2.2"><filename>Packages/ruby22-debuginfo-2.2.2-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-bigdecimal" release="1.6.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-psych" release="1.6.amzn1" version="2.0.8"><filename>Packages/rubygem22-psych-2.0.8-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22" release="1.6.amzn1" 
version="2.2.2"><filename>Packages/ruby22-2.2.2-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-550</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-550: medium priority package update for openssl</title><issued date="2015-06-16 11:29" /><updated date="2015-06-16 11:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4000:
1223211:
CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.

CVE-2015-3216:
A regression was found in the versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7, in the ssleay_rand_bytes() function. This could lead a multi-threaded application to crash.
1227574:
CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression

CVE-2015-1792:
A denial of service flaw was found in OpenSSL in the way it verified certain signed messages using CMS (Cryptographic Message Syntax). A remote attacker could cause an application using OpenSSL to use excessive amounts of memory by sending a specially-crafted message for verification.
1228607:
CVE-2015-1792 OpenSSL: CMS verify infinite loop with unknown hash function

CVE-2015-1791:
1228608:
CVE-2015-1791 OpenSSL: Race condition handling NewSessionTicket
A race condition was found in the session handling code of OpenSSL. An attacker could cause a multi-threaded SSL/TLS server to crash.

CVE-2015-1790:
A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw.
1228604:
CVE-2015-1790 OpenSSL: PKCS7 crash with missing EnvelopedContent

CVE-2015-1789:
An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially-crafted SSL/TLS certificate or CRL (Certificate Revocation List), which when parsed by an application would cause that application to crash.
1228603:
CVE-2015-1789 OpenSSL: out-of-bounds read in X509_cmp_time

CVE-2014-8176:
An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially-crafted message to the peer, which could cause the application to crash or potentially cause arbitrary code execution.
1228611:
CVE-2014-8176 OpenSSL: Invalid free in DTLS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789" id="CVE-2015-1789" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1790" id="CVE-2015-1790" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791" id="CVE-2015-1791" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1792" id="CVE-2015-1792" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8176" id="CVE-2014-8176" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3216" id="CVE-2015-3216" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" id="CVE-2015-4000" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="10.86.amzn1" 
version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="10.86.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-10.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-551</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-551: medium priority package update for curl</title><issued date="2015-06-18 20:48" /><updated date="2015-06-18 20:57" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3237:
libcurl can get tricked by a malicious SMB server to send off data it did not intend to.

CVE-2015-3236:
libcurl can wrongly send HTTP credentials when re-using connections.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237" id="CVE-2015-3237" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3236" id="CVE-2015-3236" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="3.51.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="3.51.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="3.51.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="3.51.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="3.51.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-3.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="3.51.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-3.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="3.51.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-3.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="3.51.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-3.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-552</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-552: medium priority package update for python27</title><issued date="2015-06-22 10:31" /><updated 
date="2017-08-31 22:55" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9365:
The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data.
1173041:
CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)

CVE-2013-1753:
1046170:
CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip enconding
It was discovered that the Python xmlrpclib did not restrict the size of a gzip compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory.

CVE-2013-1752:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
1046174:
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752" id="CVE-2013-1752" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1753" id="CVE-2013-1753" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365" id="CVE-2014-9365" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-libs-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-tools-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-devel-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-test-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-debuginfo-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-devel-2.7.9-4.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-tools-2.7.9-4.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="python27" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-2.7.9-4.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-debuginfo-2.7.9-4.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-libs-2.7.9-4.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="4.114.amzn1" version="2.7.9"><filename>Packages/python27-test-2.7.9-4.114.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-553</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-553: medium priority package update for libtiff</title><issued date="2015-06-22 15:07" /><updated date="2015-06-24 10:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1547:
1190709:
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode

CVE-2014-9655:
1190703:
CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547" id="CVE-2015-1547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655" id="CVE-2014-9655" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-devel" release="20.20.amzn1" 
version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-4.0.3-20.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-20.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-20.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="20.20.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-20.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-554</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-554: medium priority package update for t1utils</title><issued date="2015-06-22 20:26" /><updated date="2015-06-24 10:14" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3905:
1218365:
CVE-2015-3905 t1utils: buffer overflow flaw
A buffer overflow flaw was found in the way t1utils processed, for example, certain PFB (Printer Font Binary) files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3905" id="CVE-2015-3905" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="t1utils-debuginfo" release="1.3.amzn1" version="1.39"><filename>Packages/t1utils-debuginfo-1.39-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="t1utils" release="1.3.amzn1" version="1.39"><filename>Packages/t1utils-1.39-1.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="t1utils" release="1.3.amzn1" version="1.39"><filename>Packages/t1utils-1.39-1.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="t1utils-debuginfo" release="1.3.amzn1" version="1.39"><filename>Packages/t1utils-debuginfo-1.39-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-555</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-555: medium priority package update for mod_dav_svn subversion</title><issued date="2015-06-24 10:08" /><updated date="2015-06-24 10:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8108:
1174057:
CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash.

CVE-2014-3580:
1174054:
CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108" id="CVE-2014-8108" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580" id="CVE-2014-3580" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-ruby-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-tools-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_dav_svn" release="1.50.amzn1" version="1.8.11"><filename>Packages/mod24_dav_svn-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-javahl-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-devel-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-debuginfo-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-perl-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="subversion" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python27" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-python27-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python26" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-python26-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-libs-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python26" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-python26-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-javahl-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-debuginfo-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-tools-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python27" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-python27-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-perl-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" 
release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-ruby-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-devel-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_dav_svn" release="1.50.amzn1" version="1.8.11"><filename>Packages/mod24_dav_svn-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.50.amzn1" version="1.8.11"><filename>Packages/subversion-libs-1.8.11-1.50.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.49.amzn1" version="1.8.11"><filename>Packages/mod_dav_svn-1.8.11-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn-debuginfo" release="1.49.amzn1" version="1.8.11"><filename>Packages/mod_dav_svn-debuginfo-1.8.11-1.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.49.amzn1" version="1.8.11"><filename>Packages/mod_dav_svn-1.8.11-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn-debuginfo" release="1.49.amzn1" version="1.8.11"><filename>Packages/mod_dav_svn-debuginfo-1.8.11-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-556</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-556: medium priority package update for postgresql8</title><issued date="2015-07-07 12:29" /><updated date="2015-07-07 22:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3167:
It was discovered that the pgcrypto module could return different error messages when decrypting certain data with an incorrect key. 
This can help an authenticated user to launch a possible cryptographic attack, although no suitable attack is currently known.

CVE-2015-3166:
It was discovered that PostgreSQL did not properly check the return values of certain standard library functions. If the system is in a state that would cause the standard library functions to fail, for example memory exhaustion, an authenticated user could exploit this flaw to disclose partial memory contents or cause the GSSAPI authentication to use an incorrect keytab file.

CVE-2015-3165:
A double-free flaw was found in the connection handling. An unauthenticated attacker could exploit this flaw to crash the PostgreSQL back end by disconnecting at approximately the same time as the authentication time out is triggered.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165" id="CVE-2015-3165" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3167" id="CVE-2015-3167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3166" id="CVE-2015-3166" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1194.html" id="RHSA-2015:1194" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql8-server" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" 
release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" 
release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-3.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="3.50.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-3.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-557</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-557: medium priority package update for tcpdump</title><issued date="2015-07-07 12:31" /><updated date="2015-07-07 22:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2154:
The osi_print_cksum function in print-isoclns.c in the ethernet printer in tcpdump before 4.7.2 allows remote attackers to cause a 
denial of service (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3) base pointer checksum value.
1201797:
CVE-2015-2154 tcpdump: ethernet printer osi_print_cksum() missing sanity checks out-of-bounds read

CVE-2015-0261:
1201792:
CVE-2015-0261 tcpdump: IPv6 mobility printer mobility_opt_print() typecastimg/signedness error
Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0261" id="CVE-2015-0261" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2154" id="CVE-2015-2154" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="14" name="tcpdump-debuginfo" release="3.20090921gitdf3cb4.2.10.amzn1" version="4.0.0"><filename>Packages/tcpdump-debuginfo-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="14" name="tcpdump" release="3.20090921gitdf3cb4.2.10.amzn1" version="4.0.0"><filename>Packages/tcpdump-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="14" name="tcpdump" release="3.20090921gitdf3cb4.2.10.amzn1" version="4.0.0"><filename>Packages/tcpdump-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="14" name="tcpdump-debuginfo" release="3.20090921gitdf3cb4.2.10.amzn1" version="4.0.0"><filename>Packages/tcpdump-debuginfo-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2015-558</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-558: medium priority package update for fuse</title><issued date="2015-07-07 12:33" /><updated date="2015-07-07 22:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3202:
It was discovered that fusermount failed to properly sanitize its environment before executing mount and umount commands. A local user could possibly use this flaw to escalate their privileges on the system.
1224103:
CVE-2015-3202 fuse: incorrect filtering of environment variables leading to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202" id="CVE-2015-3202" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="fuse-devel" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-devel-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fuse-debuginfo" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-debuginfo-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fuse" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fuse-libs" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-libs-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="fuse-debuginfo" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-debuginfo-2.9.4-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fuse-devel" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-devel-2.9.4-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fuse" release="1.17.amzn1"
version="2.9.4"><filename>Packages/fuse-2.9.4-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fuse-libs" release="1.17.amzn1" version="2.9.4"><filename>Packages/fuse-libs-2.9.4-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-559</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-559: medium priority package update for cups</title><issued date="2015-07-07 12:34" /><updated date="2015-07-07 22:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1159:
A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.

CVE-2015-1158:
A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server

CVE-2014-9679:
An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158" id="CVE-2015-1158" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1159" id="CVE-2015-1159" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679" id="CVE-2014-9679" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1123.html" id="RHSA-2015:1123" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="cups-debuginfo" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-debuginfo-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-php" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-php-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-libs" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-libs-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-devel" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-devel-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="cups-lpd" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-lpd-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="cups-debuginfo" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-debuginfo-1.4.2-67.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-libs" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-libs-1.4.2-67.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-php" release="67.21.amzn1"
version="1.4.2"><filename>Packages/cups-php-1.4.2-67.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-devel" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-devel-1.4.2-67.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-1.4.2-67.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="cups-lpd" release="67.21.amzn1" version="1.4.2"><filename>Packages/cups-lpd-1.4.2-67.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-560</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-560: medium priority package update for php-ZendFramework</title><issued date="2015-07-07 12:35" /><updated date="2015-07-07 22:29" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3154:
1215712:
CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154" id="CVE-2015-3154" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="php-ZendFramework-extras" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-extras-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-demos" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-demos-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mssql" release="1.11.amzn1"
version="1.12.13"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Pdf" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Pdf-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Libmemcached" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Memcached" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Serializer-Adapter-Igbinary" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Captcha" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Captcha-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Ldap" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Ldap-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Search-Lucene" release="1.11.amzn1" 
version="1.12.13"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Dojo" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Dojo-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Mysqli" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Auth-Adapter-Ldap" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Feed" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Feed-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-full" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-full-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Apc" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Soap" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Soap-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Services" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Services-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" 
name="php-ZendFramework-Db-Adapter-Pdo-Mysql" release="1.11.amzn1" version="1.12.13"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.13-1.11.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-561</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-561: medium priority package update for php54</title><issued date="2015-07-07 12:39" /><updated date="2015-07-07 22:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4644:
1234940:
CVE-2015-4644 php: segmentation fault in php_pgsql_meta_data()

CVE-2015-4643:
1234938:
CVE-2015-4643 php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)

CVE-2015-4642:


CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O;&gt;O) in a CREATE TABLE statement.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c

CVE-2015-3414:
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
CVE-2014-3416:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644" id="CVE-2015-4644" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" id="CVE-2015-3415" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" id="CVE-2015-3414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643" id="CVE-2015-4643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642" id="CVE-2015-4642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3416" id="CVE-2014-3416" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-tidy" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-tidy-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-gd-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-ldap-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-bcmath-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-process-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.71.amzn1"
version="5.4.42"><filename>Packages/php54-mbstring-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-devel-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-xml-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mysql-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-embedded-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-odbc-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-recode-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-imap-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-cli-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-snmp-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mcrypt-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-debuginfo-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php54-intl" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-intl-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-fpm-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-xmlrpc-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-pgsql-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mssql-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mysqlnd-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-enchant-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-dba-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-common-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-pspell-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-pdo-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.71.amzn1" 
version="5.4.42"><filename>Packages/php54-soap-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mssql-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-devel-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-xml-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-imap-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-odbc-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-debuginfo-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-pdo-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-snmp-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mysql-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-tidy-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.71.amzn1" 
version="5.4.42"><filename>Packages/php54-dba-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-pspell-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-ldap-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-xmlrpc-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-pgsql-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-common-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-intl-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-enchant-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mysqlnd-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-soap-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-fpm-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-recode-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.71.amzn1" 
version="5.4.42"><filename>Packages/php54-mbstring-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-process-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-mcrypt-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-bcmath-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-gd-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-embedded-5.4.42-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.71.amzn1" version="5.4.42"><filename>Packages/php54-cli-5.4.42-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-562</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-562: medium priority package update for php55</title><issued date="2015-07-07 12:40" /><updated date="2015-07-07 22:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4644:
1234940:
CVE-2015-4644 php: segmentation fault in php_pgsql_meta_data()

CVE-2015-4643:
1234938:
CVE-2015-4643 php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)

CVE-2015-4642:


CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison
operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O;&gt;O) in a CREATE TABLE statement.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c

CVE-2015-3414:
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()

CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()

CVE-2014-3416:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" id="CVE-2015-3415" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" id="CVE-2015-3414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3416" id="CVE-2014-3416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644" id="CVE-2015-4644" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643" id="CVE-2015-4643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642" id="CVE-2015-4642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" id="CVE-2015-2325" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326"
id="CVE-2015-2326" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-pspell" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-pspell-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-imap-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-embedded-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mcrypt-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-cli-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-tidy-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-gd-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-odbc-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-process-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.103.amzn1" 
version="5.5.26"><filename>Packages/php55-mbstring-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-gmp-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mssql-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-snmp-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-ldap-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-devel-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mysqlnd-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-common-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-xml-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-recode-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-debuginfo-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.103.amzn1" 
version="5.5.26"><filename>Packages/php55-fpm-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-bcmath-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-xmlrpc-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-opcache-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-enchant-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-pgsql-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-pdo-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-intl-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-dba-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-soap-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-cli-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-odbc-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php55-dba" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-dba-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-bcmath-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-common-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mysqlnd-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-xml-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-recode-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-intl-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-devel-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-opcache-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-gd-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-gmp-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php55-soap" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-soap-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-ldap-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-imap-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-debuginfo-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mbstring-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-xmlrpc-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mcrypt-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-mssql-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-embedded-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-pdo-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-process-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.103.amzn1" 
version="5.5.26"><filename>Packages/php55-pspell-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-enchant-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-fpm-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-pgsql-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-tidy-5.5.26-1.103.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.103.amzn1" version="5.5.26"><filename>Packages/php55-snmp-5.5.26-1.103.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-563</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-563: medium priority package update for php56</title><issued date="2015-07-07 12:40" /><updated date="2015-07-07 22:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4644:
1234940:
CVE-2015-4644 php: segmentation fault in php_pgsql_meta_data()

CVE-2015-4643:
1234938:
CVE-2015-4643 php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)

CVE-2015-4642:


CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&amp;O&gt;O) in a CREATE TABLE statement.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c

CVE-2015-3414:
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.

CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()

CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()

CVE-2014-3416:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" id="CVE-2015-3415" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" id="CVE-2015-3414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3416" id="CVE-2014-3416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644" id="CVE-2015-4644" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643" id="CVE-2015-4643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642" id="CVE-2015-4642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" id="CVE-2015-2325" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" id="CVE-2015-2326" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" 
name="php56-common" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-common-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-dba-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mbstring-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-enchant-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-debuginfo-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-devel-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-process-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-odbc-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-xml-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-bcmath-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-imap-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.115.amzn1" 
version="5.6.10"><filename>Packages/php56-embedded-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-dbg-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-pgsql-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-ldap-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-xmlrpc-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mysqlnd-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-recode-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-gmp-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-intl-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mcrypt-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mssql-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-snmp-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-pspell" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-pspell-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-cli-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-fpm-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-gd-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-pdo-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-tidy-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-opcache-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-soap-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-intl-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-enchant-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.115.amzn1" 
version="5.6.10"><filename>Packages/php56-snmp-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-fpm-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-pgsql-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mssql-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-dba-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-odbc-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mysqlnd-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mbstring-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-tidy-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-pdo-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-gd-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.115.amzn1" 
version="5.6.10"><filename>Packages/php56-pspell-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-recode-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-opcache-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-embedded-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-dbg-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-gmp-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-debuginfo-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-common-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-ldap-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-bcmath-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-soap-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-devel-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-mcrypt" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-mcrypt-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-imap-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-xml-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-cli-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-process-5.6.10-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.115.amzn1" version="5.6.10"><filename>Packages/php56-xmlrpc-5.6.10-1.115.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-564</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-564: critical priority package update for openssl</title><issued date="2015-07-09 06:15" /><updated date="2015-07-09 06:15" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1793:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793" id="CVE-2015-1793" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-devel" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="10.87.amzn1" 
version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="10.87.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-10.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-565</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-565: medium priority package update for kernel</title><issued date="2015-07-22 10:00" /><updated date="2015-09-25 15:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5366:
1239029:
CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation
A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.

CVE-2015-5364:
1239029:
CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation
A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.

CVE-2015-3212:
1226442:
CVE-2015-3212 kernel: SCTP race condition allows list corruption and panic from userlevel

CVE-2015-1805:
It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
1202855:
CVE-2015-1805 kernel: pipe: iovec overrun leading to memory corruption
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3212" id="CVE-2015-3212" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805" id="CVE-2015-1805" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5364" id="CVE-2015-5364" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5366" id="CVE-2015-5366" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-tools-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-tools-debuginfo-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="33.39.amzn1" version="3.14.48"><filename>Packages/perf-debuginfo-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-tools-devel-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-devel-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-headers-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="kernel-debuginfo-common-x86_64" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="33.39.amzn1" version="3.14.48"><filename>Packages/perf-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-debuginfo-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-tools-debuginfo-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-debuginfo-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-tools-devel-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="33.39.amzn1" version="3.14.48"><filename>Packages/perf-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="33.39.amzn1" version="3.14.48"><filename>Packages/perf-debuginfo-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-devel-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-headers-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" 
release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-debuginfo-common-i686-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-tools-3.14.48-33.39.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="33.39.amzn1" version="3.14.48"><filename>Packages/kernel-doc-3.14.48-33.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-566</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-566: important priority package update for bind</title><issued date="2015-07-22 10:00" /><updated date="2015-07-22 10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4620:
1237258:
CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()
A flaw was found in the way BIND performed DNSSEC validation. An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620" id="CVE-2015-4620" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.30.rc1.37.amzn1" 
version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.30.rc1.37.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-567</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-567: medium priority package update for 389-ds-base</title><issued date="2015-07-22 10:00" /><updated date="2015-07-22 10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3230:
1232096:
CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side (regression)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3230" id="CVE-2015-3230" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-devel-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="16.42.amzn1" 
version="1.3.3.1"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-libs-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-1.3.3.1-16.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-libs-1.3.3.1-16.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="16.42.amzn1" version="1.3.3.1"><filename>Packages/389-ds-base-devel-1.3.3.1-16.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-568</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-568: medium priority package update for openssh</title><issued date="2015-07-22 10:00" /><updated date="2015-07-22 10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6509 CVE-2015-5352: 6510 1238231: 6511 CVE-2015-5352 openssh: XSECURITY restrictions bypass under certain conditions in ssh(1) 6512 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352" id="CVE-2015-5352" title="" type="cve" /></references><pkglist><collection 
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="5.8.44.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-8.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-8.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-8.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="5.8.44.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.44.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="openssh" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-8.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-8.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="8.44.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-8.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-569</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-569: medium priority package update for nss nss-util</title><issued date="2015-07-22 10:00" /><updated date="2015-07-22 10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6513 CVE-2015-4000: 6514 1223211: 6515 CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks 6516 A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. 
6517 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" id="CVE-2015-4000" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1185.html" id="RHSA-2015:1185" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="1.41.amzn1" version="3.19.1"><filename>Packages/nss-util-debuginfo-3.19.1-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util" release="1.41.amzn1" version="3.19.1"><filename>Packages/nss-util-3.19.1-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="1.41.amzn1" version="3.19.1"><filename>Packages/nss-util-devel-3.19.1-1.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="1.41.amzn1" version="3.19.1"><filename>Packages/nss-util-3.19.1-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="1.41.amzn1" version="3.19.1"><filename>Packages/nss-util-devel-3.19.1-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="1.41.amzn1" version="3.19.1"><filename>Packages/nss-util-debuginfo-3.19.1-1.41.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-pkcs11-devel-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-tools-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-devel-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="3.71.amzn1" 
version="3.19.1"><filename>Packages/nss-sysinit-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-debuginfo-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-sysinit-3.19.1-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-tools-3.19.1-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-devel-3.19.1-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-pkcs11-devel-3.19.1-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-3.19.1-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="3.71.amzn1" version="3.19.1"><filename>Packages/nss-debuginfo-3.19.1-3.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-570</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-570: critical priority package update for java-1.7.0-openjdk</title><issued date="2015-07-22 10:00" /><updated date="2015-07-22 10:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6518 CVE-2015-4760: 6519 Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI 
components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4749:
It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution.

CVE-2015-4748:
A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.

CVE-2015-4733:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4732:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4731:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4000:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic.

CVE-2015-2808:
A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key.

CVE-2015-2632:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-2628:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-2625:
A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address.

CVE-2015-2621:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-2601:
It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons.

CVE-2015-2590:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
6559 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748" id="CVE-2015-4748" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628" id="CVE-2015-2628" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625" id="CVE-2015-2625" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632" id="CVE-2015-2632" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601" id="CVE-2015-2601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732" id="CVE-2015-4732" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621" id="CVE-2015-2621" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590" id="CVE-2015-2590" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731" id="CVE-2015-4731" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760" id="CVE-2015-4760" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" id="CVE-2015-4000" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808" id="CVE-2015-2808" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733" id="CVE-2015-4733" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749" id="CVE-2015-4749" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1229.html" id="RHSA-2015:1229" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.1.3.61.amzn1" 
version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.61.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.1.3.61.amzn1" 
version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.1.3.61.amzn1" version="1.7.0.85"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-571</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-571: important priority package update for java-1.8.0-openjdk</title><issued date="2015-07-22 10:00" /><updated date="2015-07-22 10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6560 CVE-2015-4760: 6561 Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 6562 6563 CVE-2015-4749: 6564 It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution. 6565 6566 CVE-2015-4748: 6567 A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid. 6568 6569 CVE-2015-4733: 6570 Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 

CVE-2015-4732:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4731:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4000:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic.

CVE-2015-3149:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory.

CVE-2015-2808:
A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key.

CVE-2015-2659:
It was discovered that the GCM (Galois Counter Mode) implementation in the Security component of OpenJDK failed to properly perform a null check. This could cause the Java Virtual Machine to crash when an application performed encryption using a block cipher in the GCM mode.

CVE-2015-2632:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-2628:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-2625:
A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address.

CVE-2015-2621:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-2601:
It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons.

CVE-2015-2590:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory.
6610 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748" id="CVE-2015-4748" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749" id="CVE-2015-4749" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731" id="CVE-2015-4731" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621" id="CVE-2015-2621" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733" id="CVE-2015-4733" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732" id="CVE-2015-4732" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2659" id="CVE-2015-2659" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760" id="CVE-2015-4760" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808" id="CVE-2015-2808" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" id="CVE-2015-4000" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628" id="CVE-2015-2628" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625" id="CVE-2015-2625" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601" id="CVE-2015-2601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" id="CVE-2015-0383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632" id="CVE-2015-2632" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590" id="CVE-2015-2590" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3149" id="CVE-2015-3149" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1228.html" id="RHSA-2015:1228" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="java-1.8.0-openjdk-headless" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b16.6.amzn1" version="1.8.0.51"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-572</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-572: important priority package update for usermode libuser</title><issued date="2015-07-23 10:50" /><updated date="2015-07-27 17:12" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6611 CVE-2015-3246: 6612 Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root. 6613 6614 CVE-2015-3245: 6615 libuser does not filter newline characters in the GECOS field. 
6616 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3245" id="CVE-2015-3245" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3246" id="CVE-2015-3246" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1482.html" id="RHSA-2015:1482" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="usermode" release="3.18.amzn1" version="1.102"><filename>Packages/usermode-1.102-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="usermode-debuginfo" release="3.18.amzn1" version="1.102"><filename>Packages/usermode-debuginfo-1.102-3.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="usermode" release="3.18.amzn1" version="1.102"><filename>Packages/usermode-1.102-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="usermode-debuginfo" release="3.18.amzn1" version="1.102"><filename>Packages/usermode-debuginfo-1.102-3.18.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libuser-devel" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-devel-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libuser-python" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-python-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libuser-debuginfo" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-debuginfo-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libuser" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libuser-python" release="8.15.amzn1" 
version="0.56.13"><filename>Packages/libuser-python-0.56.13-8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libuser" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-0.56.13-8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libuser-debuginfo" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-debuginfo-0.56.13-8.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libuser-devel" release="8.15.amzn1" version="0.56.13"><filename>Packages/libuser-devel-0.56.13-8.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-573</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-573: critical priority package update for bind</title><issued date="2015-07-28 11:32" /><updated date="2015-07-28 11:32" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6617 CVE-2015-5477: 6618 Embargoed 6619 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477" id="CVE-2015-5477" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-sdb" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.30.rc1.38.amzn1" 
version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.30.rc1.38.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2015-574</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-574: low priority package update for gnupg2</title><issued date="2015-07-28 11:35" /><updated date="2015-07-28 11:35" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1606:
1193008:
CVE-2015-1606 gnupg2: invalid memory read using a garbled keyring
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606" id="CVE-2015-1606" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg2-debuginfo" release="1.30.amzn1" version="2.0.28"><filename>Packages/gnupg2-debuginfo-2.0.28-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-smime" release="1.30.amzn1" version="2.0.28"><filename>Packages/gnupg2-smime-2.0.28-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2" release="1.30.amzn1" version="2.0.28"><filename>Packages/gnupg2-2.0.28-1.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-debuginfo" release="1.30.amzn1" version="2.0.28"><filename>Packages/gnupg2-debuginfo-2.0.28-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2" release="1.30.amzn1" version="2.0.28"><filename>Packages/gnupg2-2.0.28-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-smime" release="1.30.amzn1" version="2.0.28"><filename>Packages/gnupg2-smime-2.0.28-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-575</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-575: medium priority package update for gnutls</title><issued date="2015-08-04 11:36" /><updated date="2015-08-04 17:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0294:
It was discovered that GnuTLS did not check if all sections of X.509 certificates indicate the same signature algorithm. This flaw, in combination with a different flaw, could possibly lead to a bypass of the certificate signature check.

CVE-2015-0282:
It was found that GnuTLS did not verify whether a hashing algorithm listed in a signature matched the hashing algorithm listed in the certificate. An attacker could create a certificate that used a different hashing algorithm than it claimed, possibly causing GnuTLS to use an insecure, disallowed hashing algorithm during certificate verification.

CVE-2014-8155:
It was found that GnuTLS did not check activation and expiration dates of CA certificates. This could cause an application using GnuTLS to incorrectly accept a certificate as valid when its issuing CA is already expired.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8155" id="CVE-2014-8155" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0282" id="CVE-2015-0282" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0294" id="CVE-2015-0294" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1457.html" id="RHSA-2015:1457" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-guile" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-18.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-18.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-18.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile"
release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-18.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="18.14.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-18.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-576</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-576: medium priority package update for tigervnc</title><issued date="2015-08-04 17:16" /><updated date="2015-08-04 17:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0011:
1050928:
CVE-2014-0011 tigervnc: ZRLE decoding heap-based buffer overflow in vncviewer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0011" id="CVE-2014-0011" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="tigervnc-server-module" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-server-module-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-server" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-server-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-debuginfo" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-debuginfo-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-debuginfo" release="7.23.amzn1"
version="1.3.0"><filename>Packages/tigervnc-debuginfo-1.3.0-7.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-server-module" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-server-module-1.3.0-7.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-server" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-server-1.3.0-7.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc" release="7.23.amzn1" version="1.3.0"><filename>Packages/tigervnc-1.3.0-7.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-577</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-577: medium priority package update for libgcrypt</title><issued date="2015-08-04 17:43" /><updated date="2015-08-04 17:55" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0837:
1198147:
CVE-2015-0837 libgcrypt: last-level cache side-channel attack

CVE-2014-5270:
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
1128531:
CVE-2014-5270 libgcrypt: ELGAMAL side-channel attack

CVE-2014-3591:
1198145:
CVE-2014-3591 libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" id="CVE-2015-0837" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591" id="CVE-2014-3591" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270" id="CVE-2014-5270" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libgcrypt-devel" release="12.18.amzn1" version="1.5.3"><filename>Packages/libgcrypt-devel-1.5.3-12.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libgcrypt-debuginfo" release="12.18.amzn1" version="1.5.3"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libgcrypt" release="12.18.amzn1" version="1.5.3"><filename>Packages/libgcrypt-1.5.3-12.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt-debuginfo" release="12.18.amzn1" version="1.5.3"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt-devel" release="12.18.amzn1" version="1.5.3"><filename>Packages/libgcrypt-devel-1.5.3-12.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt" release="12.18.amzn1" version="1.5.3"><filename>Packages/libgcrypt-1.5.3-12.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-578</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-578: medium priority package update for httpd</title><issued date="2015-08-17 12:23" /><updated date="2015-08-17 12:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3183:
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
1243887:
CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183" id="CVE-2015-3183" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-debuginfo-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-devel-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-tools-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.6.amzn1" version="2.2.31"><filename>Packages/mod_ssl-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-manual-2.2.31-1.6.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.6.amzn1"
version="2.2.31"><filename>Packages/httpd-devel-2.2.31-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.6.amzn1" version="2.2.31"><filename>Packages/mod_ssl-2.2.31-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-tools-2.2.31-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-debuginfo-2.2.31-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.6.amzn1" version="2.2.31"><filename>Packages/httpd-2.2.31-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-579</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-579: medium priority package update for httpd24</title><issued date="2015-08-17 12:27" /><updated date="2015-08-17 12:27" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3185:
1243888:
CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.

CVE-2015-3183:
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
1243887:
CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser

CVE-2015-0253:
1243891:
CVE-2015-0253 httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path
A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw crash the httpd child process using a request that triggers a certain HTTP error.

CVE-2015-0228:
1202988:
CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug
A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185" id="CVE-2015-3185" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183" id="CVE-2015-3183" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253" id="CVE-2015-0253" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228" id="CVE-2015-0228" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-devel-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-tools-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_ldap-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html"
release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_proxy_html-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-manual-2.4.16-1.62.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_session-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_ssl-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-debuginfo-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_ldap-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_session-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_ssl-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-devel-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.62.amzn1" version="2.4.16"><filename>Packages/mod24_proxy_html-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.62.amzn1" 
version="2.4.16"><filename>Packages/httpd24-tools-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-2.4.16-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.62.amzn1" version="2.4.16"><filename>Packages/httpd24-debuginfo-2.4.16-1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-580</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-580: medium priority package update for wireshark</title><issued date="2015-08-17 12:29" /><updated date="2015-08-17 12:29" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2191:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2015-2189:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2015-0564:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2015-0562:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-8714:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-8713:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-8712:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-8711:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

CVE-2014-8710:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2191" id="CVE-2015-2191" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8710" id="CVE-2014-8710" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8711" id="CVE-2014-8711" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8712" id="CVE-2014-8712" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8713" id="CVE-2014-8713" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8714" id="CVE-2014-8714" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0562" id="CVE-2015-0562" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0564" id="CVE-2015-0564" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2189" id="CVE-2015-2189" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1460.html"
id="RHSA-2015:1460" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wireshark-debuginfo" release="17.19.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-17.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark" release="17.19.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-17.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-devel" release="17.19.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-17.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-debuginfo" release="17.19.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-17.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark" release="17.19.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-17.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-devel" release="17.19.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-17.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-581</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-581: medium priority package update for freeradius</title><issued date="2015-08-17 12:30" /><updated date="2015-08-17 12:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2015:
A stack-based buffer overflow was found in the way the FreeRADIUS rlm_pap module handled long password hashes. An attacker able to make radiusd process a malformed password hash could cause the daemon to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2015" id="CVE-2014-2015" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1287.html" id="RHSA-2015:1287" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="freeradius-utils" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-utils-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-mysql" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-mysql-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-debuginfo" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-debuginfo-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-perl" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-perl-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-postgresql" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-postgresql-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-unixODBC" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-unixODBC-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-python" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-python-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-krb5" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-krb5-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="freeradius-ldap" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-ldap-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-mysql" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-mysql-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-utils" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-utils-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-debuginfo" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-debuginfo-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-unixODBC" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-unixODBC-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-perl" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-perl-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-postgresql" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-postgresql-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-ldap" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-ldap-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-krb5" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-krb5-2.2.6-4.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-python" release="4.15.amzn1" version="2.2.6"><filename>Packages/freeradius-python-2.2.6-4.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" 
status="final" type="security" version="1.4"><id>ALAS-2015-582</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-582: medium priority package update for mailman</title><issued date="2015-08-17 12:31" /><updated date="2015-08-17 12:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2775:
It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman.

CVE-2002-0389:
It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389" id="CVE-2002-0389" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2775" id="CVE-2015-2775" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1417.html" id="RHSA-2015:1417" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="3" name="mailman-debuginfo" release="21.20.amzn1" version="2.1.15"><filename>Packages/mailman-debuginfo-2.1.15-21.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="3" name="mailman" release="21.20.amzn1" version="2.1.15"><filename>Packages/mailman-2.1.15-21.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="3" name="mailman" release="21.20.amzn1" version="2.1.15"><filename>Packages/mailman-2.1.15-21.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="3" name="mailman-debuginfo" release="21.20.amzn1" version="2.1.15"><filename>Packages/mailman-debuginfo-2.1.15-21.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com"
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-583</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-583: medium priority package update for php54</title><issued date="2015-08-17 12:39" /><updated date="2016-03-16 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6833:
1283702:
CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar
A flaw was found in the way the way PHP&#039;s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.

CVE-2015-6832:
1256322:
CVE-2015-6832 php: dangling pointer in the unserialization of ArrayObject items
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-6831:
1256290:
CVE-2015-6831 php: Use After Free Vulnerability in unserialize()
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-5590:
1245242:
CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath

CVE-2015-5589:
1245236:
CVE-2015-5589 php: segmentation fault in Phar::convertToData on invalid file

CVE-2015-3152:
1217506:
CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831" id="CVE-2015-6831" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832" id="CVE-2015-6832" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833" id="CVE-2015-6833" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590" id="CVE-2015-5590" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152" id="CVE-2015-3152" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589" id="CVE-2015-5589" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-pspell" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-pspell-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-process" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-process-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-bcmath-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-enchant-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.72.amzn1"
version="5.4.44"><filename>Packages/php54-mssql-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mysql-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-gd-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-snmp-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-soap-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mbstring-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-debuginfo-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-intl-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-devel-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-imap-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mcrypt-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-tidy-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php54-xml" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-xml-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-ldap-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-pgsql-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-common-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mysqlnd-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-dba-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-recode-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-embedded-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-xmlrpc-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-pdo-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.72.amzn1" 
version="5.4.44"><filename>Packages/php54-fpm-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-cli-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-odbc-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-embedded-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mcrypt-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mssql-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-snmp-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-enchant-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-odbc-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysql" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mysql-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-intl-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-common-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" 
release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-bcmath-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-tidy-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mbstring-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-devel-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-mysqlnd-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-process-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-recode-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-ldap-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-dba" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-dba-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-fpm-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-xmlrpc-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" 
release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-debuginfo-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-pgsql-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-imap-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-pspell-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-pdo-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-cli-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-soap-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-xml-5.4.44-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.72.amzn1" version="5.4.44"><filename>Packages/php54-gd-5.4.44-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-584</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-584: medium priority package update for php55</title><issued date="2015-08-17 12:41" /><updated date="2016-03-16 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6833:
1283702:
CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar
A flaw was found in the way the way PHP&#039;s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.

CVE-2015-6832:
1256322:
CVE-2015-6832 php: dangling pointer in the unserialization of ArrayObject items
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-6831:
1256290:
CVE-2015-6831 php: Use After Free Vulnerability in unserialize()
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-5590:
1245242:
CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath

CVE-2015-5589:
1245236:
CVE-2015-5589 php: segmentation fault in Phar::convertToData on invalid file

CVE-2015-3152:
1217506:
CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831" id="CVE-2015-6831" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832" id="CVE-2015-6832" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833" id="CVE-2015-6833" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590" id="CVE-2015-5590" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152" id="CVE-2015-3152" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589" id="CVE-2015-5589" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-xmlrpc-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-enchant-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mysqlnd-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-debuginfo-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-devel-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-recode-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-pspell-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-pdo-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-process-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.106.amzn1" 
version="5.5.28"><filename>Packages/php55-imap-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-opcache-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-gmp-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mbstring-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-fpm-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-embedded-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-soap-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-bcmath-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-gd-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-tidy-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-pgsql-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-intl-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-xml" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-xml-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-common-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-ldap-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mcrypt-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-snmp-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mssql-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-cli-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-dba-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-odbc-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-imap-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-tidy-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.106.amzn1" 
version="5.5.28"><filename>Packages/php55-gd-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-enchant-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-xmlrpc-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-debuginfo-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-snmp-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mbstring-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-dba-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-embedded-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-common-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-process-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-pspell-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-soap" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-soap-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-odbc-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mysqlnd-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-gmp-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-fpm-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-intl-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-ldap-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-pgsql-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-devel-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-cli-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mcrypt-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-xml-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-bcmath" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-bcmath-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-opcache-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-recode-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-mssql-5.5.28-1.106.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.106.amzn1" version="5.5.28"><filename>Packages/php55-pdo-5.5.28-1.106.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-585</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-585: medium priority package update for php56</title><issued date="2015-08-17 12:46" /><updated date="2016-03-16 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6833:
1283702:
CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar
A flaw was found in the way the way PHP&#039;s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.

CVE-2015-6832:
1256322:
CVE-2015-6832 php: dangling pointer in the unserialization of ArrayObject items
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-6831:
1256290:
CVE-2015-6831 php: Use After Free Vulnerability in unserialize()
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-5590:
1245242:
CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath

CVE-2015-5589:
1245236:
CVE-2015-5589 php: segmentation fault in Phar::convertToData on invalid file

CVE-2015-3152:
1217506:
CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831" id="CVE-2015-6831" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832" id="CVE-2015-6832" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833" id="CVE-2015-6833" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590" id="CVE-2015-5590" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152" id="CVE-2015-3152" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589" id="CVE-2015-5589" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mbstring-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-devel-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.116.amzn1"
version="5.6.12"><filename>Packages/php56-opcache-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-cli-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-snmp-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-dba-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-odbc-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mysqlnd-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-recode-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-fpm-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-enchant-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-debuginfo-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-gmp-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-xml-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-common" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-common-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-pdo-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-embedded-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-tidy-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-imap-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-intl-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-bcmath-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-xmlrpc-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-pgsql-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-process-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.116.amzn1" 
version="5.6.12"><filename>Packages/php56-soap-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-pspell-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-dbg-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mcrypt-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-ldap-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mssql-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-gd-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mbstring-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-ldap-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mysqlnd-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-soap-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-devel-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-recode" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-recode-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-snmp-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mssql-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-tidy-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-intl-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-pspell-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-embedded-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-gd-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-mcrypt-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-pgsql-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-debuginfo-5.6.12-1.116.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-enchant" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-enchant-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-gmp-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-xmlrpc-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-fpm-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-bcmath-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-cli-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-dbg-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-dba-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-common-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-odbc-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-xml-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-imap-5.6.12-1.116.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-pdo" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-pdo-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-opcache-5.6.12-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.116.amzn1" version="5.6.12"><filename>Packages/php56-process-5.6.12-1.116.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-586</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-586: important priority package update for java-1.6.0-openjdk</title><issued date="2015-08-24 22:26" /><updated date="2015-08-24 22:33" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4760:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4749:
It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution.

CVE-2015-4748:
A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.

CVE-2015-4733:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK.
An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4732:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4731:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-4000:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic.

CVE-2015-2808:
A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key.

CVE-2015-2632:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-2628:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.

CVE-2015-2625:
A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address.
CVE-2015-2621:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2015-2601:
It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons.

CVE-2015-2590:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748" id="CVE-2015-4748" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628" id="CVE-2015-2628" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625" id="CVE-2015-2625" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632" id="CVE-2015-2632" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601" id="CVE-2015-2601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732" id="CVE-2015-4732" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621" id="CVE-2015-2621" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590" id="CVE-2015-2590" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731" id="CVE-2015-4731" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760" id="CVE-2015-4760" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" id="CVE-2015-4000" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808" id="CVE-2015-2808" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733" id="CVE-2015-4733" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749" id="CVE-2015-4749" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1526.html" id="RHSA-2015:1526" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" 
name="java-1.6.0-openjdk" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.8.1.71.amzn1" version="1.6.0.36"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-587</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-587: medium priority package update for subversion mod_dav_svn</title><issued date="2015-08-24 22:27" /><updated date="2015-08-24 22:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0251:
1205140:
CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions
It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests.
An attacker able to create new revisions could use this flaw to spoof the svn:author property.

CVE-2015-0248:
1205138:
CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash.

CVE-2015-0202:
The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.
1205134:
CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0202" id="CVE-2015-0202" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0248" id="CVE-2015-0248" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0251" id="CVE-2015-0251" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_dav_svn" release="7.50.amzn1" version="1.8.13"><filename>Packages/mod_dav_svn-1.8.13-7.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn-debuginfo" release="7.50.amzn1" version="1.8.13"><filename>Packages/mod_dav_svn-debuginfo-1.8.13-7.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="7.50.amzn1" version="1.8.13"><filename>Packages/mod_dav_svn-1.8.13-7.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn-debuginfo" release="7.50.amzn1" 
version="1.8.13"><filename>Packages/mod_dav_svn-debuginfo-1.8.13-7.50.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-debuginfo-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python27" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-python27-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_dav_svn" release="7.52.amzn1" version="1.8.13"><filename>Packages/mod24_dav_svn-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-devel-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-javahl-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-ruby-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-perl-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-tools-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-libs-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python26" release="7.52.amzn1" 
version="1.8.13"><filename>Packages/subversion-python26-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python26" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-python26-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-libs-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python27" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-python27-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-tools-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-ruby-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-debuginfo-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-devel-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-javahl-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="7.52.amzn1" version="1.8.13"><filename>Packages/subversion-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_dav_svn" release="7.52.amzn1" version="1.8.13"><filename>Packages/mod24_dav_svn-1.8.13-7.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="7.52.amzn1" 
version="1.8.13"><filename>Packages/subversion-perl-1.8.13-7.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-588</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-588: medium priority package update for golang docker</title><issued date="2015-08-24 22:29" /><updated date="2015-08-24 22:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5741:
1250352:
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library

CVE-2015-5740:
1250352:
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library

CVE-2015-5739:
1250352:
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5741" id="CVE-2015-5741" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5740" id="CVE-2015-5740" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5739" id="CVE-2015-5739" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-pkg-plan9-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-plan9-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-1.4.2-3.16.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-netbsd-arm" release="3.16.amzn1" 
version="1.4.2"><filename>Packages/golang-pkg-netbsd-arm-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-windows-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-windows-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-openbsd-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-openbsd-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-freebsd-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-freebsd-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-windows-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-windows-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-openbsd-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-openbsd-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-darwin-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-darwin-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-pkg-bin-linux-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-bin-linux-amd64-1.4.2-3.16.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-freebsd-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-freebsd-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-linux-arm" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-linux-arm-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-darwin-386" release="3.16.amzn1" 
version="1.4.2"><filename>Packages/golang-pkg-darwin-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-netbsd-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-netbsd-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-linux-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-linux-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-src-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-netbsd-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-netbsd-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-linux-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-linux-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-freebsd-arm" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-freebsd-arm-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-pkg-plan9-amd64" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-plan9-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang-pkg-bin-linux-386" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-pkg-bin-linux-386-1.4.2-3.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="3.16.amzn1" version="1.4.2"><filename>Packages/golang-1.4.2-3.16.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="docker" release="1.3.amzn1" version="1.6.2"><filename>Packages/docker-1.6.2-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-devel" release="1.3.amzn1" 
version="1.6.2"><filename>Packages/docker-devel-1.6.2-1.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-pkg-devel" release="1.3.amzn1" version="1.6.2"><filename>Packages/docker-pkg-devel-1.6.2-1.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-589</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-589: medium priority package update for pam</title><issued date="2015-09-02 12:00" /><updated date="2015-09-02 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3238:
It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3238" id="CVE-2015-3238" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1640.html" id="RHSA-2015:1640" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pam-devel" release="12.32.amzn1" version="1.1.8"><filename>Packages/pam-devel-1.1.8-12.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam" release="12.32.amzn1" version="1.1.8"><filename>Packages/pam-1.1.8-12.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam-debuginfo" release="12.32.amzn1" version="1.1.8"><filename>Packages/pam-debuginfo-1.1.8-12.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pam-devel" release="12.32.amzn1" version="1.1.8"><filename>Packages/pam-devel-1.1.8-12.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam" release="12.32.amzn1" version="1.1.8"><filename>Packages/pam-1.1.8-12.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam-debuginfo" release="12.32.amzn1" version="1.1.8"><filename>Packages/pam-debuginfo-1.1.8-12.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-590</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-590: medium priority package update for net-snmp</title><issued date="2015-09-02 12:00" /><updated date="2015-09-02 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5621:
It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables.
A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5621" id="CVE-2015-5621" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1636.html" id="RHSA-2015:1636" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="net-snmp-libs" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-libs-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-python" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-python-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-debuginfo" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-debuginfo-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-perl" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-perl-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-utils" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-utils-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="net-snmp-devel" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-devel-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-devel" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-devel-5.5-54.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-libs" release="54.1.20.amzn1" 
version="5.5"><filename>Packages/net-snmp-libs-5.5-54.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-utils" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-utils-5.5-54.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-python" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-python-5.5-54.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-debuginfo" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-debuginfo-5.5-54.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-5.5-54.1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="net-snmp-perl" release="54.1.20.amzn1" version="5.5"><filename>Packages/net-snmp-perl-5.5-54.1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-591</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-591: medium priority package update for sqlite</title><issued date="2015-09-02 12:00" /><updated date="2015-09-02 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6867 CVE-2015-3416: 6868 1212357: 6869 CVE-2015-3416 sqlite: stack buffer overflow in src/printf.c 6870 The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement. 
6871 It was found that SQLite's sqlite3VXPrintf() function did not properly handle precision and width values during floating-point conversions. A local attacker could submit a specially crafted SELECT statement that would crash the SQLite process, or have other unspecified impacts. 6872 6873 CVE-2015-3415: 6874 The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&amp;O&gt;O) in a CREATE TABLE statement. 6875 It was found that SQLite's sqlite3VdbeExec() function did not properly implement comparison operators. A local attacker could submit a specially crafted CHECK statement that would crash the SQLite process, or have other unspecified impacts. 6876 1212356: 6877 CVE-2015-3415 sqlite: invalid free() in src/vdbe.c 6878 6879 CVE-2015-3414: 6880 1212353: 6881 CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c 6882 A flaw was found in the way SQLite handled dequoting of collation-sequence names. A local attacker could submit a specially crafted COLLATE statement that would crash the SQLite process, or have other unspecified impacts. 6883 SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement. 
6884 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" id="CVE-2015-3415" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" id="CVE-2015-3414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416" id="CVE-2015-3416" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="sqlite-doc" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-doc-3.7.17-6.13.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="sqlite" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sqlite-devel" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-devel-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lemon" release="6.13.amzn1" version="3.7.17"><filename>Packages/lemon-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sqlite-tcl" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-tcl-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sqlite-debuginfo" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-debuginfo-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sqlite-tcl" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-tcl-3.7.17-6.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sqlite" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-3.7.17-6.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sqlite-devel" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-devel-3.7.17-6.13.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="lemon" release="6.13.amzn1" version="3.7.17"><filename>Packages/lemon-3.7.17-6.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sqlite-debuginfo" release="6.13.amzn1" version="3.7.17"><filename>Packages/sqlite-debuginfo-3.7.17-6.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-592</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-592: medium priority package update for openssh</title><issued date="2015-09-02 12:00" /><updated date="2015-09-02 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6885 CVE-2015-6564: 6886 1252852: 6887 CVE-2015-6564 openssh: Use-after-free bug related to PAM support 6888 Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request. 6889 6890 CVE-2015-6563: 6891 The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. 
6892 1252844: 6893 CVE-2015-6563 openssh: Privilege separation weakness related to PAM support 6894 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6563" id="CVE-2015-6563" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6564" id="CVE-2015-6564" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="5.8.45.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="5.8.45.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="8.45.amzn1" 
version="6.2p2"><filename>Packages/openssh-debuginfo-6.2p2-8.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-server-6.2p2-8.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-ldap-6.2p2-8.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-6.2p2-8.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-keycat-6.2p2-8.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="8.45.amzn1" version="6.2p2"><filename>Packages/openssh-clients-6.2p2-8.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-593</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-593: low priority package update for ntp</title><issued date="2015-09-02 12:00" /><updated date="2016-02-09 13:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6895 CVE-2015-7703: 6896 1254547: 6897 CVE-2015-7703 ntp: config command can be used to set the pidfile and drift file paths 6898 6899 CVE-2015-5219: 6900 1255118: 6901 CVE-2015-5219 ntp: infinite loop in sntp processing crafted packet 6902 6903 CVE-2015-5195: 6904 1254544: 6905 CVE-2015-5195 ntp: ntpd crash when processing config commands with statistics type 6906 6907 CVE-2015-5194: 6908 1254542: 6909 CVE-2015-5194 ntp: crash with crafted logconfig configuration command 6910 6911 CVE-2015-5146: 6912 1238136: 6913 CVE-2015-5146 ntp: ntpd control message crash on crafted NUL-byte in 
configuration directive (VU#668167) 6914 6915 CVE-2015-3405: 6916 A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server. 6917 1210324: 6918 CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems 6919 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5146" id="CVE-2015-5146" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703" id="CVE-2015-7703" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194" id="CVE-2015-5194" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5195" id="CVE-2015-5195" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5219" id="CVE-2015-5219" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3405" id="CVE-2015-3405" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ntp-doc" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-33.26.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-33.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-33.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-33.26.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="33.26.amzn1" 
version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-33.26.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-33.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-33.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="33.26.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-33.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-594</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-594: critical priority package update for bind</title><issued date="2015-09-02 12:00" /><updated date="2015-09-02 13:05" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6920 CVE-2015-5722: 6921 Embargoed 6922 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722" id="CVE-2015-5722" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-sdb" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.30.rc1.39.amzn1" 
version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.30.rc1.39.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2015-595</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-595: important priority package update for jakarta-taglibs-standard</title><issued date="2015-09-22 10:00" /><updated date="2015-09-22 10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6923 CVE-2015-0254: 6924 It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution. 6925 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254" id="CVE-2015-0254" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1695.html" id="RHSA-2015:1695" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="jakarta-taglibs-standard" release="11.7.9.amzn1" version="1.1.1"><filename>Packages/jakarta-taglibs-standard-1.1.1-11.7.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="jakarta-taglibs-standard-javadoc" release="11.7.9.amzn1" version="1.1.1"><filename>Packages/jakarta-taglibs-standard-javadoc-1.1.1-11.7.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-596</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-596: medium priority package update for nss-softokn</title><issued date="2015-09-22 10:00" /><updated date="2015-09-22 10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6926 CVE-2015-2730: 6927 A flaw was found in the way NSS verified certain ECDSA (Elliptic Curve Digital Signature Algorithm) 
signatures. Under certain conditions, an attacker could use this flaw to conduct signature forgery attacks. 6928 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2730" id="CVE-2015-2730" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1699.html" id="RHSA-2015:1699" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-softokn-freebl" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-devel" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-devel-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl-devel" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-debuginfo" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-debuginfo" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl-devel" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="nss-softokn-devel" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-devel-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl" release="13.37.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-3.16.2.3-13.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-597</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-597: important priority package update for libXfont</title><issued date="2015-09-22 10:00" /><updated date="2015-09-22 10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6929 CVE-2015-1804: 6930 An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. 6931 6932 CVE-2015-1803: 6933 A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server. 6934 6935 CVE-2015-1802: 6936 An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server. 
6937 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1804" id="CVE-2015-1804" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1802" id="CVE-2015-1802" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1803" id="CVE-2015-1803" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1708.html" id="RHSA-2015:1708" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libXfont-devel" release="5.12.amzn1" version="1.4.5"><filename>Packages/libXfont-devel-1.4.5-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfont" release="5.12.amzn1" version="1.4.5"><filename>Packages/libXfont-1.4.5-5.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXfont-debuginfo" release="5.12.amzn1" version="1.4.5"><filename>Packages/libXfont-debuginfo-1.4.5-5.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXfont-debuginfo" release="5.12.amzn1" version="1.4.5"><filename>Packages/libXfont-debuginfo-1.4.5-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfont-devel" release="5.12.amzn1" version="1.4.5"><filename>Packages/libXfont-devel-1.4.5-5.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXfont" release="5.12.amzn1" version="1.4.5"><filename>Packages/libXfont-1.4.5-5.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-598</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-598: low priority package update for grep</title><issued date="2015-09-22 10:00" /><updated date="2015-09-22 10:00" /><severity>low</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6938 CVE-2015-1345: 6939 A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory. 6940 6941 CVE-2012-5667: 6942 An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way grep parsed large lines of data. An attacker able to trick a user into running grep on a specially crafted data file could use this flaw to crash grep or, potentially, execute arbitrary code with the privileges of the user running grep. 6943 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5667" id="CVE-2012-5667" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1345" id="CVE-2015-1345" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1447.html" id="RHSA-2015:1447" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="grep-debuginfo" release="1.14.amzn1" version="2.20"><filename>Packages/grep-debuginfo-2.20-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="grep" release="1.14.amzn1" version="2.20"><filename>Packages/grep-2.20-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="grep" release="1.14.amzn1" version="2.20"><filename>Packages/grep-2.20-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="grep-debuginfo" release="1.14.amzn1" version="2.20"><filename>Packages/grep-debuginfo-2.20-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2015-599</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-599: important priority package update for openldap compat-openldap</title><issued date="2015-10-09 16:33" /><updated date="2015-10-09 17:06" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 6944 CVE-2015-6908: 6945 A flaw was found in the way the OpenLDAP server daemon (slapd) parsed certain Basic Encoding Rules (BER) data. A remote attacker could use this flaw to crash slapd via a specially crafted packet. 6946 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6908" id="CVE-2015-6908" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1840.html" id="RHSA-2015:1840" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openldap-debuginfo" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers-sql" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-devel" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-clients" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers" release="34.25.amzn1" 
version="2.4.23"><filename>Packages/openldap-servers-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openldap-devel" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-devel-2.4.23-34.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers-sql" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-servers-sql-2.4.23-34.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-servers-2.4.23-34.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-clients" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-clients-2.4.23-34.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-2.4.23-34.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-debuginfo" release="34.25.amzn1" version="2.4.23"><filename>Packages/openldap-debuginfo-2.4.23-34.25.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="1" name="compat-openldap-debuginfo" release="2.5.amzn1" version="2.3.43"><filename>Packages/compat-openldap-debuginfo-2.3.43-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="compat-openldap" release="2.5.amzn1" version="2.3.43"><filename>Packages/compat-openldap-2.3.43-2.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="compat-openldap-debuginfo" release="2.5.amzn1" version="2.3.43"><filename>Packages/compat-openldap-debuginfo-2.3.43-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="compat-openldap" release="2.5.amzn1" version="2.3.43"><filename>Packages/compat-openldap-2.3.43-2.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-600</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-600: low priority package update for libunwind</title><issued date="2015-10-09 16:35" /><updated date="2015-10-09 16:40" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3239:
An off-by-one array indexing error was found in the libunwind API, which could cause an error when reading untrusted binaries or dwarf debug info data. Red Hat products do not call the API in this way; and it is unlikely that any exploitable attack vector exists in current builds or supported usage.
1232265:
CVE-2015-3239 libunwind: off-by-one in dwarf_to_unw_regnum()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3239" id="CVE-2015-3239" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libunwind" release="10.8.amzn1" version="1.1"><filename>Packages/libunwind-1.1-10.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libunwind-debuginfo" release="10.8.amzn1" version="1.1"><filename>Packages/libunwind-debuginfo-1.1-10.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libunwind-devel" release="10.8.amzn1" version="1.1"><filename>Packages/libunwind-devel-1.1-10.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libunwind-devel" release="10.8.amzn1" version="1.1"><filename>Packages/libunwind-devel-1.1-10.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libunwind" release="10.8.amzn1" version="1.1"><filename>Packages/libunwind-1.1-10.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libunwind-debuginfo" release="10.8.amzn1" 
version="1.1"><filename>Packages/libunwind-debuginfo-1.1-10.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-601</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-601: medium priority package update for php56</title><issued date="2015-10-20 14:50" /><updated date="2016-03-16 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7804:
1271088:
CVE-2015-7804 php: uninitialized pointer in phar_make_dirstream()

CVE-2015-7803:
1271081:
CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()

CVE-2015-6838:
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.

CVE-2015-6837:
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.

CVE-2015-6836:
1260683:
CVE-2015-6836 php: SOAP serialize_function_call() type confusion
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-6835:
1260647:
CVE-2015-6835 php: use-after-free vulnerability in session deserializer

CVE-2015-6834:
1260642:
CVE-2015-6834 php: multiple unserialization use-after-free issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7803" id="CVE-2015-7803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834" id="CVE-2015-6834" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835" id="CVE-2015-6835" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7804" id="CVE-2015-7804" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6837" id="CVE-2015-6837" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838" id="CVE-2015-6838" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836" id="CVE-2015-6836" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-intl" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-intl-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-process-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-xml-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.119.amzn1" 
version="5.6.14"><filename>Packages/php56-common-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-xmlrpc-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-recode-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-snmp-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-ldap-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-debuginfo-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mssql-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mysqlnd-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-soap-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mcrypt-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-enchant-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.119.amzn1" 
version="5.6.14"><filename>Packages/php56-devel-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-pgsql-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-dbg-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-opcache-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-cli-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-embedded-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-tidy-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mbstring-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-gd-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-bcmath-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-pdo-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php56-gmp" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-gmp-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-imap-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-fpm-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-odbc-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-pspell-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-dba-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-xmlrpc-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-xml-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-odbc-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-imap-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-pdo-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.119.amzn1" 
version="5.6.14"><filename>Packages/php56-debuginfo-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-gmp-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mcrypt-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-dba-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-tidy-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-enchant-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-opcache-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-common-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-devel-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-fpm-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mssql-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-pspell-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" 
release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-snmp-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-process-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-cli-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mysqlnd-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-ldap-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-gd-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-intl-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-embedded-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-dbg-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-bcmath-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-soap-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" 
release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-pgsql-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-recode-5.6.14-1.119.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.119.amzn1" version="5.6.14"><filename>Packages/php56-mbstring-5.6.14-1.119.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-602</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-602: medium priority package update for php55</title><issued date="2015-10-20 14:52" /><updated date="2016-03-16 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7804:
1271088:
CVE-2015-7804 php: uninitialized pointer in phar_make_dirstream()

CVE-2015-7803:
1271081:
CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()

CVE-2015-6838:
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.

CVE-2015-6837:
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.

CVE-2015-6836:
1260683:
CVE-2015-6836 php: SOAP serialize_function_call() type confusion
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-6835:
1260647:
CVE-2015-6835 php: use-after-free vulnerability in session deserializer

CVE-2015-6834:
1260642:
CVE-2015-6834 php: multiple unserialization use-after-free issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7803" id="CVE-2015-7803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834" id="CVE-2015-6834" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835" id="CVE-2015-6835" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7804" id="CVE-2015-7804" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6837" id="CVE-2015-6837" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838" id="CVE-2015-6838" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836" id="CVE-2015-6836" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-cli" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-cli-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.110.amzn1" 
version="5.5.30"><filename>Packages/php55-pdo-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-odbc-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-common-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-tidy-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mbstring-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-intl-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mysqlnd-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mcrypt-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-fpm-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-process-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-dba-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.110.amzn1" 
version="5.5.30"><filename>Packages/php55-pspell-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-recode-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mssql-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-debuginfo-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-bcmath-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-xml-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-imap-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-opcache-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-soap-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-xmlrpc-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.110.amzn1" 
version="5.5.30"><filename>Packages/php55-embedded-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-snmp-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-devel-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-enchant-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-gd-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-gmp-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-ldap-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-pgsql-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-embedded-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-bcmath-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-snmp-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-cli-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-mbstring" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mbstring-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-ldap-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-pgsql-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-pdo-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-pspell-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-dba-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-common-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-odbc-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-enchant-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-xml-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-soap-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-fpm-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php55-gmp" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-gmp-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-xmlrpc-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-opcache-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-process-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-debuginfo-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mcrypt-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-devel-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-imap-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mssql-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-mysqlnd-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.110.amzn1" 
version="5.5.30"><filename>Packages/php55-recode-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-tidy-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-intl-5.5.30-1.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.110.amzn1" version="5.5.30"><filename>Packages/php55-gd-5.5.30-1.110.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-603</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-603: medium priority package update for kernel</title><issued date="2015-10-27 13:40" /><updated date="2017-10-13 00:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000253:
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application&#039;s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
1492212:
CVE-2017-1000253 kernel: load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary

CVE-2015-8787:
1300731:
CVE-2015-8787 kernel: Missing NULL pointer check in nf_nat_redirect_ipv4
A NULL-pointer dereference vulnerability was found in the Linux kernel&#039;s TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).

CVE-2015-7613:
Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.
1268270:
CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm

CVE-2015-2925:
1209367:
CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7613" id="CVE-2015-7613" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925" id="CVE-2015-2925" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000253" id="CVE-2017-1000253" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8787" id="CVE-2015-8787" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-tools-devel-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="17.31.amzn1" version="4.1.10"><filename>Packages/perf-debuginfo-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-debuginfo-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-tools-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="17.31.amzn1" 
version="4.1.10"><filename>Packages/kernel-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-tools-debuginfo-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-headers-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="17.31.amzn1" version="4.1.10"><filename>Packages/perf-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-devel-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-debuginfo-common-i686-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-tools-debuginfo-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="17.31.amzn1" version="4.1.10"><filename>Packages/perf-debuginfo-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-devel-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="17.31.amzn1" 
version="4.1.10"><filename>Packages/kernel-headers-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="17.31.amzn1" version="4.1.10"><filename>Packages/perf-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-debuginfo-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-tools-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-tools-devel-4.1.10-17.31.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="17.31.amzn1" version="4.1.10"><filename>Packages/kernel-doc-4.1.10-17.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-604</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-604: important priority package update for libwmf</title><issued date="2015-10-27 13:51" /><updated date="2015-10-27 14:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4696:
It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application.

CVE-2015-4695:
It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash.

CVE-2015-4588:
It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.

CVE-2015-0848:
It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.

CVE-2009-3546:
A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially-crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened.
A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially-crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened.
529213:
CVE-2009-3546 gd: insufficient input validation in _gdGetColors()
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.

CVE-2007-3473:
A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library.
276791:
CVE-2007-3473 libgd NULL pointer dereference when reading a corrupt X bitmap
The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.

CVE-2007-3472:
Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.
276751:
CVE-2007-3472 libgd Integer overflow in TrueColor code
An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library.

CVE-2007-2756:
A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library.
An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service.
242033:
CVE-2007-2756 gd / php-gd ImageCreateFromPng infinite loop caused by truncated PNG
The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.

CVE-2007-0455:
A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash.
224607:
CVE-2007-0455 gd buffer overrun
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756" id="CVE-2007-2756" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695" id="CVE-2015-4695" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455" id="CVE-2007-0455" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546" id="CVE-2009-3546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588" id="CVE-2015-4588" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696" id="CVE-2015-4696" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472" id="CVE-2007-3472" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473" id="CVE-2007-3473" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848" id="CVE-2015-0848" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1917.html" id="RHSA-2015:1917" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libwmf-lite" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-lite-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwmf-devel" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-devel-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwmf-debuginfo" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwmf" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libwmf-debuginfo" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwmf-devel" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-devel-0.2.8.4-41.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwmf" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-0.2.8.4-41.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwmf-lite" release="41.11.amzn1" version="0.2.8.4"><filename>Packages/libwmf-lite-0.2.8.4-41.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-605</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-605: critical priority package update for java-1.7.0-openjdk</title><issued date="2015-10-27 13:52" /><updated date="2015-10-27 14:14" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4911:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.

CVE-2015-4903:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4893:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.

CVE-2015-4883:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4882:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4881:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4872:
It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.

CVE-2015-4860:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4844:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4843:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4842:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4840:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4835:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4806:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4805:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4803:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.

CVE-2015-4734:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843" id="CVE-2015-4843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842" id="CVE-2015-4842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840" id="CVE-2015-4840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872" id="CVE-2015-4872" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860" id="CVE-2015-4860" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844" id="CVE-2015-4844" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883" id="CVE-2015-4883" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893" id="CVE-2015-4893" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911" id="CVE-2015-4911" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734" id="CVE-2015-4734" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881" id="CVE-2015-4881" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882" id="CVE-2015-4882" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903" id="CVE-2015-4903" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806" id="CVE-2015-4806" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805" id="CVE-2015-4805" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803" id="CVE-2015-4803" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835" id="CVE-2015-4835" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1920.html" id="RHSA-2015:1920" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.63.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.2.2.63.amzn1" 
version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.2.2.63.amzn1" version="1.7.0.91"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-606</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-606: important priority package update for java-1.8.0-openjdk</title><issued date="2015-10-27 16:39" /><updated date="2015-10-27 16:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4911:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.

CVE-2015-4903:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4893:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.

CVE-2015-4883:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4882:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4881:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4872:
It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.

CVE-2015-4868:
A flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted.

CVE-2015-4860:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4844:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4843:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4842:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4840:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4835:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4806:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-4805:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.

CVE-2015-4803:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.

CVE-2015-4734:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843" id="CVE-2015-4843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842" id="CVE-2015-4842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840" id="CVE-2015-4840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872" id="CVE-2015-4872" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860" id="CVE-2015-4860" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844" id="CVE-2015-4844" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883" id="CVE-2015-4883" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893" id="CVE-2015-4893" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911" id="CVE-2015-4911" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734" id="CVE-2015-4734" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881" id="CVE-2015-4881" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868" id="CVE-2015-4868" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903" id="CVE-2015-4903" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882" id="CVE-2015-4882" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806" id="CVE-2015-4806" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805" id="CVE-2015-4805" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803" id="CVE-2015-4803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835" id="CVE-2015-4835" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1919.html" id="RHSA-2015:1919" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b17.7.amzn1" 
version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b17.7.amzn1" version="1.8.0.65"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-607</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-607: important priority package update for ntp</title><issued date="2015-10-27 16:42" /><updated date="2015-10-27 16:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7183 CVE-2015-7871: 7184 1274265: 7185 CVE-2015-7871 ntp: crypto-NAK symmetric association authentication bypass vulnerability 7186 7187 CVE-2015-7852: 7188 1274261: 7189 CVE-2015-7852 ntp: ntpq atoascii memory corruption vulnerability 7190 7191 CVE-2015-7704: 7192 It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. 
A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client&#039;s polling interval value, and effectively disable synchronization with the server. 7193 1271070: 7194 CVE-2015-7704 ntp: disabling synchronization via crafted KoD packet 7195 7196 CVE-2015-7702: 7197 1274254: 7198 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c 7199 7200 CVE-2015-7701: 7201 1274255: 7202 CVE-2015-7701 ntp: slow memory leak in CRYPTO_ASSOC 7203 7204 CVE-2015-7692: 7205 1274254: 7206 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c 7207 7208 CVE-2015-7691: 7209 1274254: 7210 CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c 7211 7212 CVE-2015-5300: 7213 1271076: 7214 CVE-2015-5300 ntp: MITM attacker can force ntpd to make a step larger than the panic threshold 7215 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692" id="CVE-2015-7692" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691" id="CVE-2015-7691" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852" id="CVE-2015-7852" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704" id="CVE-2015-7704" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701" id="CVE-2015-7701" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702" id="CVE-2015-7702" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300" id="CVE-2015-5300" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871" id="CVE-2015-7871" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1930.html" id="RHSA-2015:1930" title="" 
type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntp" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-34.27.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-34.27.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-34.27.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-34.27.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-34.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-34.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-34.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="34.27.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-34.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-608</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-608: critical priority package update for nspr nss-util nss jss</title><issued date="2015-11-05 01:58" /><updated date="2015-11-04 22:49" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7183:
1269353:
CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133)
A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library.

CVE-2015-7182:
A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library.
1269351:
CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133)

CVE-2015-7181:
A use-after-poison flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library.
1269345:
CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183" id="CVE-2015-7183" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182" id="CVE-2015-7182" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7181" id="CVE-2015-7181" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1981.html" id="RHSA-2015:1981" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nspr" release="2.35.amzn1" version="4.10.8"><filename>Packages/nspr-4.10.8-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-debuginfo" release="2.35.amzn1" version="4.10.8"><filename>Packages/nspr-debuginfo-4.10.8-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-devel" release="2.35.amzn1" version="4.10.8"><filename>Packages/nspr-devel-4.10.8-2.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nspr-debuginfo" release="2.35.amzn1" version="4.10.8"><filename>Packages/nspr-debuginfo-4.10.8-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr" release="2.35.amzn1" version="4.10.8"><filename>Packages/nspr-4.10.8-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr-devel" release="2.35.amzn1" version="4.10.8"><filename>Packages/nspr-devel-4.10.8-2.35.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="4.47.amzn1" version="3.19.1"><filename>Packages/nss-util-devel-3.19.1-4.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util" release="4.47.amzn1"
version="3.19.1"><filename>Packages/nss-util-3.19.1-4.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="4.47.amzn1" version="3.19.1"><filename>Packages/nss-util-debuginfo-3.19.1-4.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="4.47.amzn1" version="3.19.1"><filename>Packages/nss-util-debuginfo-3.19.1-4.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="4.47.amzn1" version="3.19.1"><filename>Packages/nss-util-3.19.1-4.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="4.47.amzn1" version="3.19.1"><filename>Packages/nss-util-devel-3.19.1-4.47.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-debuginfo-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-sysinit-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-tools-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-devel-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-pkcs11-devel-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-tools-3.19.1-7.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="nss-debuginfo" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-debuginfo-3.19.1-7.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-sysinit-3.19.1-7.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-3.19.1-7.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-pkcs11-devel-3.19.1-7.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="7.74.amzn1" version="3.19.1"><filename>Packages/nss-devel-3.19.1-7.74.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="jss-debuginfo" release="35.17.amzn1" version="4.2.6"><filename>Packages/jss-debuginfo-4.2.6-35.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jss" release="35.17.amzn1" version="4.2.6"><filename>Packages/jss-4.2.6-35.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jss-javadoc" release="35.17.amzn1" version="4.2.6"><filename>Packages/jss-javadoc-4.2.6-35.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="jss" release="35.17.amzn1" version="4.2.6"><filename>Packages/jss-4.2.6-35.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jss-javadoc" release="35.17.amzn1" version="4.2.6"><filename>Packages/jss-javadoc-4.2.6-35.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jss-debuginfo" release="35.17.amzn1" version="4.2.6"><filename>Packages/jss-debuginfo-4.2.6-35.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-609</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2015-609: medium priority package update for postgresql92 postgresql93 postgresql94</title><issued date="2015-11-05 02:14" /><updated date="2015-11-05 03:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5289:
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
1270312:
CVE-2015-5289 postgresql: Json or jsonb input values can cause DoS

CVE-2015-5288:
1270306:
CVE-2015-5288 postgresql: A few bytes of memory leak in crypt()
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a &quot;too-short&quot; salt.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5288" id="CVE-2015-5288" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5289" id="CVE-2015-5289" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-test-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-contrib-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-devel-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-plperl-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-server-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-debuginfo-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-plpython27-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.56.amzn1"
version="9.2.14"><filename>Packages/postgresql92-plpython26-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-pltcl-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-docs-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-server-compat-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-libs-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-plperl-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-server-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-plpython26-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-debuginfo-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-docs-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql92-libs" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-libs-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-test-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-devel-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-server-compat-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-plpython27-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-contrib-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.56.amzn1" version="9.2.14"><filename>Packages/postgresql92-pltcl-9.2.14-1.56.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-plperl-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-plpython27-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-pltcl-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.60.amzn1" 
version="9.3.10"><filename>Packages/postgresql93-test-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-contrib-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-devel-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-server-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-plpython26-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-libs-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-debuginfo-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-docs-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-libs-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-plpython26-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql93-plpython27" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-plpython27-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-docs-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-contrib-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-devel-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-test-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-pltcl-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-plperl-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-server-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.60.amzn1" version="9.3.10"><filename>Packages/postgresql93-debuginfo-9.3.10-1.60.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-libs-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql94-test" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-test-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-pltcl" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-pltcl-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-contrib-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-plpython26-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-devel-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-server" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-server-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-docs-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-plpython27-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-plperl-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-debuginfo-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package 
arch="i686" epoch="0" name="postgresql94-libs" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-libs-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-devel-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-test-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-docs-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-server-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-pltcl" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-pltcl-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-plperl-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-plpython26-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-debuginfo-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-contrib-9.4.5-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql94-plpython27" release="1.63.amzn1" version="9.4.5"><filename>Packages/postgresql94-plpython27-9.4.5-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-610</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-610: medium priority package update for kernel</title><issued date="2015-11-23 13:41" /><updated date="2015-11-23 21:17" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7872:
1272371:
CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user
A denial of service vulnerability was discovered in the keyring function&#039;s garbage collector in the Linux kernel. The flaw allowed any local user account to trigger a kernel panic.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7872" id="CVE-2015-7872" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-headers-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-tools-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-tools-devel-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="18.26.amzn1" version="4.1.13"><filename>Packages/perf-debuginfo-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="18.26.amzn1"
version="4.1.13"><filename>Packages/kernel-debuginfo-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-devel-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-tools-debuginfo-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="18.26.amzn1" version="4.1.13"><filename>Packages/perf-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-devel-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-tools-devel-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-common-i686-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-tools-debuginfo-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="18.26.amzn1" version="4.1.13"><filename>Packages/perf-debuginfo-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="18.26.amzn1" 
version="4.1.13"><filename>Packages/perf-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-headers-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-tools-4.1.13-18.26.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="18.26.amzn1" version="4.1.13"><filename>Packages/kernel-doc-4.1.13-18.26.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-611</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-611: medium priority package update for libpng</title><issued date="2015-11-23 13:43" /><updated date="2015-11-23 22:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8126:
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
1281756:
CVE-2015-8126 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126" id="CVE-2015-8126" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="libpng-devel" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-devel-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-static" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-static-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-debuginfo" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-debuginfo-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="libpng-static" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-static-1.2.49-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-debuginfo" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-debuginfo-1.2.49-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-devel" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-devel-1.2.49-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng" release="1.13.amzn1" version="1.2.49"><filename>Packages/libpng-1.2.49-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-612</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-612: important priority package update for ganglia</title><issued
date="2015-11-23 13:44" /><updated date="2015-11-23 22:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6816:
1260562:
CVE-2015-6816 ganglia: Bypassing Ganglia-web auth using boolean serialization
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6816" id="CVE-2015-6816" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ganglia-web" release="2.19.amzn1" version="3.7.1"><filename>Packages/ganglia-web-3.7.1-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-devel" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-devel-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-gmond-python" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-gmond-python-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-debuginfo" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-debuginfo-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-gmetad" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-gmetad-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ganglia-gmond" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-gmond-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-gmetad" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-gmetad-3.7.2-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-gmond"
release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-gmond-3.7.2-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-devel" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-devel-3.7.2-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-gmond-python" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-gmond-python-3.7.2-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-web" release="2.19.amzn1" version="3.7.1"><filename>Packages/ganglia-web-3.7.1-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-3.7.2-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ganglia-debuginfo" release="2.19.amzn1" version="3.7.2"><filename>Packages/ganglia-debuginfo-3.7.2-2.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-613</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-613: medium priority package update for git</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7545:
1269794:
CVE-2015-7545 git: arbitrary code execution via crafted URLs
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user&#039;s system.
7259 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7545" id="CVE-2015-7545" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="git-email" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-email-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-debuginfo-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="7.42.amzn1" version="2.4.3"><filename>Packages/emacs-git-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-hg-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-all" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-all-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-daemon-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="7.42.amzn1" version="2.4.3"><filename>Packages/gitweb-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="7.42.amzn1" version="2.4.3"><filename>Packages/emacs-git-el-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-p4-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="7.42.amzn1" 
version="2.4.3"><filename>Packages/perl-Git-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-bzr-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-cvs-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-svn-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="7.42.amzn1" version="2.4.3"><filename>Packages/perl-Git-SVN-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-debuginfo-2.4.3-7.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-daemon-2.4.3-7.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-svn-2.4.3-7.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="7.42.amzn1" version="2.4.3"><filename>Packages/git-2.4.3-7.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-614</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-614: medium priority package update for openssl</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7260 CVE-2015-3196: 7261 1288326: 7262 CVE-2015-3196 OpenSSL: Race condition handling PSK identify hint 7263 A race condition flaw, leading to a 
double free, was found in the way OpenSSL handled pre-shared keys (PSKs). A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client. 7264 7265 CVE-2015-3195: 7266 1288322: 7267 CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak 7268 A memory leak vulnerability was found in the way OpenSSL parsed certain PKCS#7 or CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to crash due to memory exhaustion. 7269 7270 CVE-2015-3194: 7271 1288320: 7272 CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter 7273 A denial of service flaw was found in the way OpenSSL verified certain signatures using the RSA PSS algorithm. If client authentication was enabled, a remote attacker could craft a X.509 client-side certificate which, when processed, could possibly crash a TLS/SSL server or client using OpenSSL. 7274 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194" id="CVE-2015-3194" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195" id="CVE-2015-3195" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196" id="CVE-2015-3196" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="13.88.amzn1" 
version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="13.88.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-13.88.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-615</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-615: medium priority package update for libpng</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:16" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7275 CVE-2015-8472: 7276 1281756: 7277 CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions 7278 An array-indexing error was discovered in the png_convert_to_rfc1123() function of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image. 
7279 7280 CVE-2015-7981: 7281 1276416: 7282 CVE-2015-7981 libpng: Out-of-bounds read in png_convert_to_rfc1123 7283 It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library. 7284 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7981" id="CVE-2015-7981" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8472" id="CVE-2015-8472" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="libpng-debuginfo" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-debuginfo-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-devel" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-devel-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng-static" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-static-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="libpng" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="libpng-devel" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-devel-1.2.49-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-debuginfo" release="2.14.amzn1" 
version="1.2.49"><filename>Packages/libpng-debuginfo-1.2.49-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng-static" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-static-1.2.49-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="libpng" release="2.14.amzn1" version="1.2.49"><filename>Packages/libpng-1.2.49-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-616</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-616: important priority package update for java-1.6.0-openjdk</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:17" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7285 CVE-2015-4911: 7286 Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. 7287 7288 CVE-2015-4903: 7289 Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 7290 7291 CVE-2015-4893: 7292 Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. 7293 7294 CVE-2015-4883: 7295 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7296 7297 CVE-2015-4882: 7298 Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 7299 7300 CVE-2015-4881: 7301 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7302 7303 CVE-2015-4872: 7304 It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. 7305 7306 CVE-2015-4860: 7307 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7308 7309 CVE-2015-4844: 7310 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7311 7312 CVE-2015-4843: 7313 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7314 7315 CVE-2015-4842: 7316 Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 7317 7318 CVE-2015-4835: 7319 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7320 7321 CVE-2015-4806: 7322 Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. 
An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 7323 7324 CVE-2015-4805: 7325 Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. 7326 7327 CVE-2015-4803: 7328 Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. 7329 7330 CVE-2015-4734: 7331 Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 7332 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843" id="CVE-2015-4843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842" id="CVE-2015-4842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872" id="CVE-2015-4872" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860" id="CVE-2015-4860" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844" id="CVE-2015-4844" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883" id="CVE-2015-4883" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893" id="CVE-2015-4893" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911" id="CVE-2015-4911" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734" id="CVE-2015-4734" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881" id="CVE-2015-4881" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882" id="CVE-2015-4882" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903" id="CVE-2015-4903" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806" id="CVE-2015-4806" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805" id="CVE-2015-4805" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803" id="CVE-2015-4803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835" id="CVE-2015-4835" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:2086.html" id="RHSA-2015:2086" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.9.4.72.amzn1" 
version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.9.4.72.amzn1" version="1.6.0.37"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-617</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-617: important priority package update for glibc</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:19" /><severity>important</severity><description>Package updates are 
available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5277:
1262914:
CVE-2015-5277 glibc: data corruption while reading the NSS files database
It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents). A local attacker could potentially use this flaw to execute arbitrary code on the system.

CVE-2015-1781:
1199525:
CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer
A buffer overflow flaw was found in the way glibc&#039;s gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.

CVE-2015-1473:
A stack overflow flaw was found in glibc&#039;s swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application.
1209105:
CVE-2015-1473 glibc: Stack-overflow in glibc swscanf

CVE-2015-1472:
A heap-based buffer overflow flaw was found in glibc&#039;s swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application.
1188235:
CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf

CVE-2013-7423:
1187109:
CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load
It was discovered that, under certain circumstances, glibc&#039;s getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781" id="CVE-2015-1781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5277" id="CVE-2015-5277" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7423" id="CVE-2013-7423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473" id="CVE-2015-1473" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472" id="CVE-2015-1472" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-common" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-106.163.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="glibc-devel" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="106.163.amzn1" version="2.17"><filename>Packages/nscd-2.17-106.163.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="106.163.amzn1" version="2.17"><filename>Packages/nscd-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-106.163.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="glibc-headers" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-106.163.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="106.163.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-106.163.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-618</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-618: important priority package update for apache-commons-collections</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:19" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7501:
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
1279330:
CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501" id="CVE-2015-7501" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="apache-commons-collections-testframework-javadoc" release="11.9.amzn1" version="3.2.1"><filename>Packages/apache-commons-collections-testframework-javadoc-3.2.1-11.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="apache-commons-collections" release="11.9.amzn1" version="3.2.1"><filename>Packages/apache-commons-collections-3.2.1-11.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="apache-commons-collections-javadoc" release="11.9.amzn1" version="3.2.1"><filename>Packages/apache-commons-collections-javadoc-3.2.1-11.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="apache-commons-collections-testframework" release="11.9.amzn1" version="3.2.1"><filename>Packages/apache-commons-collections-testframework-3.2.1-11.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-619</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-619: medium priority package update for postgresql8</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5288:
A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5288" id="CVE-2015-5288" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:2081.html" id="RHSA-2015:2081" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql8" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-libs" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql8-docs" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-4.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="4.51.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-4.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-620</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-620: medium priority package update for binutils</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8738:
A heap-based buffer overflow flaw was found in the way certain binutils utilities processed archive files. If a user were tricked into processing a specially crafted archive file, it could cause the utility used to process that archive to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
1162666:
CVE-2014-8738 binutils: out of bounds memory write

CVE-2014-8737:
1162655:
CVE-2014-8737 binutils: directory traversal vulnerability
A directory traversal flaw was found in the strip and objcopy utilities. A specially crafted file could cause strip or objdump to overwrite an arbitrary file writable by the user running either of these utilities.

CVE-2014-8504:
1162621:
CVE-2014-8504 binutils: stack overflow in the SREC parser
A stack-based buffer overflow flaw was found in the SREC parser of the libbfd library. A specially crafted file could cause an application using the libbfd library to crash or, potentially, execute arbitrary code with the privileges of the user running that application.

CVE-2014-8503:
1162607:
CVE-2014-8503 binutils: stack overflow in objdump when parsing specially crafted ihex file
A stack-based buffer overflow flaw was found in the way objdump processed IHEX files. A specially crafted IHEX file could cause objdump to crash or, potentially, execute arbitrary code with the privileges of the user running objdump.

CVE-2014-8502:
1162594:
CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
It was found that the fix for the CVE-2014-8485 issue was incomplete: a heap-based buffer overflow in the objdump utility could cause it to crash or, potentially, execute arbitrary code with the privileges of the user running objdump when processing specially crafted files.

CVE-2014-8501:
A stack-based buffer overflow flaw was found in the way various binutils utilities processed certain files. If a user were tricked into processing a specially crafted file, it could cause the utility used to process that file to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
1162570:
CVE-2014-8501 binutils: out-of-bounds write when parsing specially crafted PE executable

CVE-2014-8485:
A buffer overflow flaw was found in the way various binutils utilities processed certain files. If a user were tricked into processing a specially crafted file, it could cause the utility used to process that file to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
1157276:
CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()

CVE-2014-8484:
An integer overflow flaw was found in the way the strings utility processed certain files. If a user were tricked into running the strings utility on a specially crafted file, it could cause the strings executable to crash.
1156272:
CVE-2014-8484 binutils: invalid read flaw in libbfd
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737" id="CVE-2014-8737" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485" id="CVE-2014-8485" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484" id="CVE-2014-8484" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504" id="CVE-2014-8504" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8738" id="CVE-2014-8738" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501" id="CVE-2014-8501" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503" id="CVE-2014-8503" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502" id="CVE-2014-8502" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="binutils-debuginfo" release="55.65.amzn1" version="2.23.52.0.1"><filename>Packages/binutils-debuginfo-2.23.52.0.1-55.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="binutils-devel" release="55.65.amzn1" version="2.23.52.0.1"><filename>Packages/binutils-devel-2.23.52.0.1-55.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="binutils" release="55.65.amzn1" version="2.23.52.0.1"><filename>Packages/binutils-2.23.52.0.1-55.65.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="binutils-devel" release="55.65.amzn1"
version="2.23.52.0.1"><filename>Packages/binutils-devel-2.23.52.0.1-55.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="binutils-debuginfo" release="55.65.amzn1" version="2.23.52.0.1"><filename>Packages/binutils-debuginfo-2.23.52.0.1-55.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="binutils" release="55.65.amzn1" version="2.23.52.0.1"><filename>Packages/binutils-2.23.52.0.1-55.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-621</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-621: medium priority package update for python26</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7185:
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control those arguments could use this flaw to disclose portions of the application memory or cause it to crash.
1146026:
CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read

CVE-2014-4650:
It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose source of scripts in the cgi-bin directory.
1113527:
CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs

CVE-2013-1752:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
1046174:
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185" id="CVE-2014-7185" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752" id="CVE-2013-1752" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650" id="CVE-2014-4650" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python26-devel" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-libs" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-tools" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="2.83.amzn1"
version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-2.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-tools" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-2.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-debuginfo" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-2.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-2.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-devel" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-2.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26" release="2.83.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-2.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-622</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-622: low priority package update for xfsprogs</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:22" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-2150:
It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user with the necessary privileges used xfs_metadump and relied on the advertised obfuscation, the generated data could contain unexpected traces of potentially sensitive information.
817696:
CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" id="CVE-2012-2150" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xfsprogs-debuginfo" release="2.20.amzn1" version="3.2.2"><filename>Packages/xfsprogs-debuginfo-3.2.2-2.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xfsprogs" release="2.20.amzn1" version="3.2.2"><filename>Packages/xfsprogs-3.2.2-2.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xfsprogs-devel" release="2.20.amzn1" version="3.2.2"><filename>Packages/xfsprogs-devel-3.2.2-2.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="xfsprogs" release="2.20.amzn1" version="3.2.2"><filename>Packages/xfsprogs-3.2.2-2.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xfsprogs-devel" release="2.20.amzn1" version="3.2.2"><filename>Packages/xfsprogs-devel-3.2.2-2.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xfsprogs-debuginfo" release="2.20.amzn1" version="3.2.2"><filename>Packages/xfsprogs-debuginfo-3.2.2-2.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-623</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-623: medium priority package update for tigervnc</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8241:
1151312:
CVE-2014-8241 tigervnc: NULL pointer dereference flaw in XRegion
A NULL pointer dereference flaw was found in TigerVNC&#039;s XRegion. A malicious VNC server could use this flaw to cause a client to crash.

CVE-2014-8240:
1151307:
CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way TigerVNC handled screen sizes. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code on the client.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240" id="CVE-2014-8240" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8241" id="CVE-2014-8241" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="tigervnc-server-module" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-server-module-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-server" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-server-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-debuginfo" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-debuginfo-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-debuginfo" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-debuginfo-1.3.1-3.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-server" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-server-1.3.1-3.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-server-module" release="3.31.amzn1"
version="1.3.1"><filename>Packages/tigervnc-server-module-1.3.1-3.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc" release="3.31.amzn1" version="1.3.1"><filename>Packages/tigervnc-1.3.1-3.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-624</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-624: medium priority package update for krb5</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2694:
1216133:
CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal&#039;s long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user&#039;s password.

CVE-2014-5355:
1193939:
CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and others
It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2694" id="CVE-2015-2694" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355" id="CVE-2014-5355" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-devel" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-devel-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-pkinit-openssl-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-debuginfo-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-server-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-workstation-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-libs-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-server-ldap-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-server-1.13.2-10.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-libs-1.13.2-10.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo"
release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-debuginfo-1.13.2-10.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-workstation-1.13.2-10.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-server-ldap-1.13.2-10.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-devel-1.13.2-10.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="10.39.amzn1" version="1.13.2"><filename>Packages/krb5-pkinit-openssl-1.13.2-10.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-625</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-625: medium priority package update for openssh</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6564:
A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.
1252852:
CVE-2015-6564 openssh: Use-after-free bug related to PAM support
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.

CVE-2015-6563:
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
1252844:
CVE-2015-6563 openssh: Privilege separation weakness related to PAM support
A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users.

CVE-2015-5600:
It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.
1245969:
CVE-2015-5600 openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6563" id="CVE-2015-6563" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600" id="CVE-2015-5600" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6564" id="CVE-2015-6564" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="9.22.58.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="22.58.amzn1"
version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="9.22.58.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="22.58.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-22.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-626</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-626: medium priority package update for autofs</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8169:
1192565:
CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps
It was found that program-based automounter maps that used interpreted languages such as Python would use standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8169" id="CVE-2014-8169" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="autofs" release="54.22.amzn1" version="5.0.7"><filename>Packages/autofs-5.0.7-54.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="autofs-debuginfo" release="54.22.amzn1" version="5.0.7"><filename>Packages/autofs-debuginfo-5.0.7-54.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="autofs" release="54.22.amzn1" version="5.0.7"><filename>Packages/autofs-5.0.7-54.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="autofs-debuginfo" release="54.22.amzn1" version="5.0.7"><filename>Packages/autofs-debuginfo-5.0.7-54.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-627</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-627: low priority package update for perl-IPTables-Parse</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:25" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8326:
1267962:
CVE-2015-8326 perl-IPTables-Parse: Use of predictable names for temporary files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8326" id="CVE-2015-8326" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="perl-IPTables-Parse" release="2.3.amzn1"
version="1.5"><filename>Packages/perl-IPTables-Parse-1.5-2.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-628</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-628: medium priority package update for libxml2</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:28" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8317:
1281930:
CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration

CVE-2015-8242:
1281950:
CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode

CVE-2015-8241:
1281936:
CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar

CVE-2015-7942:
1276297:
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.

CVE-2015-7941:
1274222:
CVE-2015-7941 libxml2: Out-of-bounds memory access
libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.

CVE-2015-7500:
1281943:
CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc

CVE-2015-7499:
1281925:
CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW

CVE-2015-7498:
1281879:
CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlParseXmlDecl

CVE-2015-7497:
1281862:
CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey

CVE-2015-5312:
1276693:
CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input

CVE-2015-1819:
A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.
1211278:
CVE-2015-1819 libxml2: denial of service processing a crafted XML document
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497" id="CVE-2015-7497" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500" id="CVE-2015-7500" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499" id="CVE-2015-7499" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241" id="CVE-2015-8241" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498" id="CVE-2015-7498" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242" id="CVE-2015-8242" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819" id="CVE-2015-1819" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312" id="CVE-2015-5312" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317" id="CVE-2015-8317" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7942" id="CVE-2015-7942" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7941" id="CVE-2015-7941" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2-static" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python27" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-python27-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python26" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-python26-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python26" release="6.2.50.amzn1" 
version="2.9.1"><filename>Packages/libxml2-python26-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python27" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-python27-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="6.2.50.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-6.2.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-629</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-629: medium priority package update for perl-HTML-Scrubber</title><issued date="2015-12-14 10:00" /><updated date="2015-12-13 14:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5667:
1276646:
CVE-2015-5667 perl-HTML-Scrubber: XSS vulnerability when function "comment" is enabled
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667" id="CVE-2015-5667" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="perl-HTML-Scrubber" release="1.5.amzn1" version="0.15"><filename>Packages/perl-HTML-Scrubber-0.15-1.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-630</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-630: important priority package update for python-pygments</title><issued date="2015-12-14 15:14" /><updated date="2015-12-14 15:14" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8557:
CVE-2015-8557
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8557" id="CVE-2015-8557" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python26-pygments" release="4.12.amzn1" version="1.4"><filename>Packages/python26-pygments-1.4-4.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-pygments" release="4.12.amzn1" version="1.4"><filename>Packages/python27-pygments-1.4-4.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2015-631</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-631: critical priority package update for bind</title><issued date="2015-12-15 13:00" /><updated date="2015-12-16 20:25" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following
vulnerabilities:
CVE-2015-8000:
Embargoed
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000" id="CVE-2015-8000" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:2655.html" id="RHSA-2015:2655" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-utils" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.37.rc1.42.amzn1"
version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.37.rc1.42.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-632</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-632: low priority package update for ruby19 ruby20 ruby21 ruby22</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7551:
1248935:
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7551" id="CVE-2015-7551" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby22-devel" release="1.8.amzn1"
version="2.2.4"><filename>Packages/ruby22-devel-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-irb" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-irb-2.2.4-1.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-libs" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-libs-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-io-console" release="1.8.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-debuginfo" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-debuginfo-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22-devel" release="1.8.amzn1" version="2.4.5.1"><filename>Packages/rubygems22-devel-2.4.5.1-1.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-psych" release="1.8.amzn1" version="2.0.8"><filename>Packages/rubygem22-psych-2.0.8-1.8.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-doc" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-doc-2.2.4-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22" release="1.8.amzn1" version="2.4.5.1"><filename>Packages/rubygems22-2.4.5.1-1.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-bigdecimal" release="1.8.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-psych" release="1.8.amzn1" version="2.0.8"><filename>Packages/rubygem22-psych-2.0.8-1.8.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="ruby22-debuginfo" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-debuginfo-2.2.4-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-2.2.4-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-io-console" release="1.8.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-devel" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-devel-2.2.4-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-libs" release="1.8.amzn1" version="2.2.4"><filename>Packages/ruby22-libs-2.2.4-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-bigdecimal" release="1.8.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.8.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-bigdecimal" release="1.19.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-doc" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-doc-2.1.8-1.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-irb" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-irb-2.1.8-1.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21-devel" release="1.19.amzn1" version="2.2.5"><filename>Packages/rubygems21-devel-2.2.5-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21" release="1.19.amzn1" 
version="2.2.5"><filename>Packages/rubygems21-2.2.5-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-psych" release="1.19.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-debuginfo" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-debuginfo-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-devel" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-devel-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-libs" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-libs-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-io-console" release="1.19.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-libs" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-libs-2.1.8-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-io-console" release="1.19.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-devel" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-devel-2.1.8-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-debuginfo" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-debuginfo-2.1.8-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-psych" release="1.19.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-bigdecimal" release="1.19.amzn1" 
version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21" release="1.19.amzn1" version="2.1.8"><filename>Packages/ruby21-2.1.8-1.19.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19" release="32.70.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-1.8.23.2-32.70.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-devel" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-devel-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems19-devel" release="32.70.amzn1" version="1.8.23.2"><filename>Packages/rubygems19-devel-1.8.23.2-32.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rake" release="32.70.amzn1" version="0.9.2.2"><filename>Packages/rubygem19-rake-0.9.2.2-32.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby19-irb" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-irb-1.9.3.551-32.70.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-bigdecimal" release="32.70.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-libs" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-libs-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-io-console" release="32.70.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-doc" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-doc-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19-debuginfo" release="32.70.amzn1" 
version="1.9.3.551"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby19" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-minitest" release="32.70.amzn1" version="2.5.1"><filename>Packages/rubygem19-minitest-2.5.1-32.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem19-rdoc" release="32.70.amzn1" version="3.9.5"><filename>Packages/rubygem19-rdoc-3.9.5-32.70.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem19-json" release="32.70.amzn1" version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.70.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-io-console" release="32.70.amzn1" version="0.3"><filename>Packages/rubygem19-io-console-0.3-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-libs" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-libs-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-bigdecimal" release="32.70.amzn1" version="1.1.0"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-devel" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-devel-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-doc" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-doc-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem19-json" release="32.70.amzn1" 
version="1.5.5"><filename>Packages/rubygem19-json-1.5.5-32.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby19-debuginfo" release="32.70.amzn1" version="1.9.3.551"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20" release="1.29.amzn1" version="2.0.14.1"><filename>Packages/rubygems20-2.0.14.1-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.29.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-libs-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-doc-2.0.0.648-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.29.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-devel-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" release="1.29.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.29.amzn1" 
version="2.0.14.1"><filename>Packages/rubygems20-devel-2.0.14.1-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-irb" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-irb-2.0.0.648-1.29.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.29.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-libs-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.29.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.29.amzn1" version="2.0.0.648"><filename>Packages/ruby20-devel-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.29.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-633</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-633: medium priority package update for libldb</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5330:
1281326:
CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server
A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server.

CVE-2015-3223:
A denial of service flaw was found in the ldb_wildcard_compare() function of libldb. A remote attacker could send a specially crafted packet that, when processed by an application using libldb (for example the AD LDAP server in Samba), would cause that application to consume an excessive amount of memory and crash.
1290287:
CVE-2015-3223 libldb: Remote DoS in Samba (AD) LDAP server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3223" id="CVE-2015-3223" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5330" id="CVE-2015-5330" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pyldb" release="1.7.amzn1" version="1.1.20"><filename>Packages/pyldb-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ldb-tools" release="1.7.amzn1" version="1.1.20"><filename>Packages/ldb-tools-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libldb" release="1.7.amzn1" version="1.1.20"><filename>Packages/libldb-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pyldb-devel" release="1.7.amzn1" version="1.1.20"><filename>Packages/pyldb-devel-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libldb-debuginfo" release="1.7.amzn1" version="1.1.20"><filename>Packages/libldb-debuginfo-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libldb-devel" release="1.7.amzn1"
version="1.1.20"><filename>Packages/libldb-devel-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pyldb" release="1.7.amzn1" version="1.1.20"><filename>Packages/pyldb-1.1.20-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pyldb-devel" release="1.7.amzn1" version="1.1.20"><filename>Packages/pyldb-devel-1.1.20-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libldb-devel" release="1.7.amzn1" version="1.1.20"><filename>Packages/libldb-devel-1.1.20-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libldb-debuginfo" release="1.7.amzn1" version="1.1.20"><filename>Packages/libldb-debuginfo-1.1.20-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ldb-tools" release="1.7.amzn1" version="1.1.20"><filename>Packages/ldb-tools-1.1.20-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libldb" release="1.7.amzn1" version="1.1.20"><filename>Packages/libldb-1.1.20-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-634</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-634: medium priority package update for samba</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5330:
1281326:
CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server
A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server.
CVE-2015-5299:
1276126:
CVE-2015-5299 Samba: Missing access control check in shadow copy code
A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights.

CVE-2015-5296:
A man-in-the-middle vulnerability was found in the way &quot;connection signing&quot; was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text.
1290292:
CVE-2015-5296 samba: client requesting encryption vulnerable to downgrade attack

CVE-2015-5252:
An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba&#039;s share path.
1290288:
CVE-2015-5252 samba: Insufficient symlink verification in smbd
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5299" id="CVE-2015-5299" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5252" id="CVE-2015-5252" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5330" id="CVE-2015-5330" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5296" id="CVE-2015-5296" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="samba-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="11.28.amzn1" version="4.2.3"><filename>Packages/libsmbclient-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl"
release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-pidl-4.2.3-11.28.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-test-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-common-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-debuginfo-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/ctdb-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-modules-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-client-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-tests" release="11.28.amzn1" version="4.2.3"><filename>Packages/ctdb-tests-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="11.28.amzn1" 
version="4.2.3"><filename>Packages/samba-common-tools-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="11.28.amzn1" version="4.2.3"><filename>Packages/ctdb-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-python-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-krb5-locator-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-test-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-clients-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-client-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/libsmbclient-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-common-4.2.3-11.28.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-test-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/libwbclient-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient" release="11.28.amzn1" 
version="4.2.3"><filename>Packages/libwbclient-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/libsmbclient-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-modules-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="11.28.amzn1" version="4.2.3"><filename>Packages/ctdb-tests-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-client-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-debuginfo-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-test-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-client-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-common-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="libwbclient-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/libwbclient-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="11.28.amzn1" version="4.2.3"><filename>Packages/ctdb-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-test-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-devel" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-test-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-krb5-locator-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-common-tools-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-winbind-clients-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="11.28.amzn1" version="4.2.3"><filename>Packages/libsmbclient-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="11.28.amzn1" version="4.2.3"><filename>Packages/samba-python-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="11.28.amzn1" version="4.2.3"><filename>Packages/libwbclient-4.2.3-11.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-devel" release="11.28.amzn1" 
version="4.2.3"><filename>Packages/ctdb-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-635</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-635: low priority package update for sssd</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5292:
1267580:
CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin
It was found that SSSD&#039;s Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5292" id="CVE-2015-5292" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libsss_nss_idmap-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_nss_idmap-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-debuginfo" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-debuginfo-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-krb5-common" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-krb5-common-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_idmap" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_idmap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_simpleifp-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_simpleifp-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ipa" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-ipa-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-client" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-client-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-libwbclient" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-libwbclient-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python27-sssdconfig" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-sssdconfig-1.13.0-40.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libipa_hbac" release="40.6.amzn1" 
version="1.13.0"><filename>Packages/libipa_hbac-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_simpleifp" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_simpleifp-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libsss_nss_idmap" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-libsss_nss_idmap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ldap" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-ldap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-common" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-common-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-tools" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-tools-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ad" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-ad-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-libwbclient-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-libwbclient-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_idmap-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_idmap-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-sss" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-sss-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-dbus" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-dbus-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-common-pac" release="40.6.amzn1" 
version="1.13.0"><filename>Packages/sssd-common-pac-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-proxy" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-proxy-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libipa_hbac-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libipa_hbac-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-sss-murmur" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-sss-murmur-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-krb5" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-krb5-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_nss_idmap" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_nss_idmap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libipa_hbac" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-libipa_hbac-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sssd-libwbclient" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-libwbclient-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libipa_hbac-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libipa_hbac-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_simpleifp" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_simpleifp-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd" release="40.6.amzn1" 
version="1.13.0"><filename>Packages/sssd-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-common-pac" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-common-pac-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ldap" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-ldap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-dbus" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-dbus-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ad" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-ad-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-proxy" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-proxy-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-sss" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-sss-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libsss_nss_idmap" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-libsss_nss_idmap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_idmap" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_idmap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ipa" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-ipa-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-tools" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-tools-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libipa_hbac" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-libipa_hbac-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="sssd-krb5-common" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-krb5-common-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-common" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-common-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_simpleifp-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_simpleifp-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-debuginfo" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-debuginfo-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-krb5" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-krb5-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_nss_idmap" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_nss_idmap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_nss_idmap-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_nss_idmap-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_idmap-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/libsss_idmap-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libipa_hbac" release="40.6.amzn1" version="1.13.0"><filename>Packages/libipa_hbac-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-sss-murmur" release="40.6.amzn1" version="1.13.0"><filename>Packages/python27-sss-murmur-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-libwbclient-devel" release="40.6.amzn1" version="1.13.0"><filename>Packages/sssd-libwbclient-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-client" release="40.6.amzn1" 
version="1.13.0"><filename>Packages/sssd-client-1.13.0-40.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-636</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-636: medium priority package update for realmd</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2704:
1205752:
CVE-2015-2704 realmd: untrusted data is used when configuring sssd.conf and/or smb.conf
A flaw was found in the way realmd parsed certain input when writing configuration into the sssd.conf or smb.conf file. A remote attacker could use this flaw to inject arbitrary configurations into these files via a newline character in an LDAP response.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2704" id="CVE-2015-2704" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="realmd-devel-docs" release="5.5.amzn1" version="0.16.1"><filename>Packages/realmd-devel-docs-0.16.1-5.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="realmd-debuginfo" release="5.5.amzn1" version="0.16.1"><filename>Packages/realmd-debuginfo-0.16.1-5.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="realmd" release="5.5.amzn1" version="0.16.1"><filename>Packages/realmd-0.16.1-5.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="realmd-debuginfo" release="5.5.amzn1" version="0.16.1"><filename>Packages/realmd-debuginfo-0.16.1-5.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="realmd" release="5.5.amzn1" 
version="0.16.1"><filename>Packages/realmd-0.16.1-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-637</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-637: medium priority package update for dhcp</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8605:
1297314:
CVE-2015-8605 dhcp: UDP payload length not properly checked
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8605" id="CVE-2015-8605" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="12" name="dhcp-common" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhclient" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-devel" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-debuginfo" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-debuginfo" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-devel" 
release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-common" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhclient" release="43.P1.22.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-638</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-638: medium priority package update for openssh</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0778:
1298033:
CVE-2016-0778 OpenSSH: Client buffer-overflow when using roaming connections
A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options.

CVE-2016-0777:
An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.
1298032:
CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777" id="CVE-2016-0777" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778" id="CVE-2016-0778" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="9.23.59.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="23.59.amzn1" 
version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="9.23.59.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="23.59.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-23.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-639</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-639: low priority package update for grep</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1345:
1183651:
CVE-2015-1345 grep: heap buffer overrun
A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1345" id="CVE-2015-1345" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="grep-debuginfo" release="1.16.amzn1" version="2.20"><filename>Packages/grep-debuginfo-2.20-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="grep" release="1.16.amzn1" version="2.20"><filename>Packages/grep-2.20-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="grep-debuginfo" release="1.16.amzn1" version="2.20"><filename>Packages/grep-debuginfo-2.20-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="grep" release="1.16.amzn1" version="2.20"><filename>Packages/grep-2.20-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-640</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-640: medium priority package update for php56 php55</title><issued date="2016-01-18 11:00" /><updated date="2016-01-18 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1903:
1297717:
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1903" id="CVE-2016-1903" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-mbstring-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.120.amzn1" 
version="5.6.17"><filename>Packages/php56-dba-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-odbc-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-ldap-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-gd-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-mssql-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-common-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mbstring-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-fpm-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mysqlnd-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-soap-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-opcache-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php56-mcrypt" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-mcrypt-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-recode-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-xml-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-process-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-embedded-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-dba-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-gmp-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-debuginfo-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-opcache-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-imap-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-cli-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.120.amzn1" 
version="5.6.17"><filename>Packages/php56-mysqlnd-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-xmlrpc-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-intl-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-pgsql-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-pdo-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-fpm-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-dbg-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-devel-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-imap-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-gmp-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-intl-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-bcmath-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php56-process" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-process-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-xmlrpc-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-enchant-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-enchant-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-bcmath-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-devel-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-pspell-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-pgsql-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-embedded-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-cli-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-common-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.120.amzn1" 
version="5.6.17"><filename>Packages/php56-recode-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-xml-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-snmp-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-gd-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-pspell-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-pdo-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-tidy-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mssql-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-debuginfo-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-mssql-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-ldap-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php55-tidy" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-tidy-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-process-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-snmp-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-xml-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-soap-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-devel-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mcrypt-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-gd-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-odbc-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-bcmath-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-xmlrpc-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.120.amzn1" 
version="5.6.17"><filename>Packages/php56-mcrypt-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-ldap-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-tidy-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-xml-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-enchant-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mssql-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-dba-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-bcmath-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-snmp-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-odbc-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-xmlrpc-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-devel-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" 
release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-ldap-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-mysqlnd-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-opcache-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-embedded-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-cli-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-opcache-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-process-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-intl-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-gmp-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-common-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-tidy-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-debuginfo" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-debuginfo-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-pgsql-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-imap-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-soap-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mbstring-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-pdo-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-fpm-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-cli-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-pspell-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-dbg-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-intl-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-enchant-5.5.31-1.111.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-odbc" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-odbc-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-recode-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-dba-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-gmp-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-common-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-mbstring-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-snmp-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-pspell-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-gd-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-fpm-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-embedded-5.5.31-1.111.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-recode" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-recode-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-imap-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.120.amzn1" version="5.6.17"><filename>Packages/php56-pgsql-5.6.17-1.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mcrypt-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-pdo-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-mysqlnd-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-soap-5.5.31-1.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.111.amzn1" version="5.5.31"><filename>Packages/php55-debuginfo-5.5.31-1.111.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-641</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-641: medium priority package update for bind</title><issued date="2016-01-19 12:00" /><updated date="2016-01-19 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8704:
Embargoed
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704" id="CVE-2015-8704" title="" type="cve"
/></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-sdb" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.37.rc1.43.amzn1" 
version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.37.rc1.43.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-642</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-642: medium priority package update for kernel</title><issued date="2016-01-19 17:07" /><updated date="2016-01-19 19:08" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0728:
1297475:
CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0728" id="CVE-2016-0728" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-tools-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="19.31.amzn1" version="4.1.13"><filename>Packages/perf-debuginfo-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-headers-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel-tools-devel" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-tools-devel-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-tools-debuginfo-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-devel-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="19.31.amzn1" version="4.1.13"><filename>Packages/perf-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-tools-debuginfo-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-devel-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-headers-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="19.31.amzn1" version="4.1.13"><filename>Packages/perf-debuginfo-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="kernel-tools" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-tools-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-tools-devel-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="19.31.amzn1" version="4.1.13"><filename>Packages/perf-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-common-i686-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-debuginfo-4.1.13-19.31.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="19.31.amzn1" version="4.1.13"><filename>Packages/kernel-doc-4.1.13-19.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-643</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-643: important priority package update for java-1.7.0-openjdk</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0494:
An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.

CVE-2016-0483:
An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

CVE-2016-0466:
It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory.

CVE-2016-0448:
Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2016-0402:
Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.

CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.

CVE-2015-4871:
Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483" id="CVE-2016-0483" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" id="CVE-2015-7575" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494" id="CVE-2016-0494" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871" id="CVE-2015-4871" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402" id="CVE-2016-0402" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466" id="CVE-2016-0466" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448" id="CVE-2016-0448" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:0053.html" id="RHSA-2016:0053" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.95-2.6.4.0.65.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src"
release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.4.0.65.amzn1" version="1.7.0.95"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-644</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-644: medium priority package update for python-rsa</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1494:
1295869:
CVE-2016-1494 python-rsa: Signature forgery using Bleichenbacher'06 attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1494" id="CVE-2016-1494" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python26-rsa" release="2.7.amzn1" version="3.3"><filename>Packages/python26-rsa-3.3-2.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-rsa" release="2.7.amzn1" version="3.3"><filename>Packages/python27-rsa-3.3-2.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-645</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-645: medium priority package update for nss</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" id="CVE-2015-7575" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:0007.html" id="RHSA-2016:0007" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-tools" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-tools-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-debuginfo-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-sysinit-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-pkcs11-devel-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-devel-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-debuginfo-3.19.1-19.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-pkcs11-devel-3.19.1-19.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-sysinit-3.19.1-19.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="19.75.amzn1"
version="3.19.1"><filename>Packages/nss-tools-3.19.1-19.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-3.19.1-19.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="19.75.amzn1" version="3.19.1"><filename>Packages/nss-devel-3.19.1-19.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-646</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-646: low priority package update for pngcrush</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7700:
A double-free bug was discovered in pngcrush's handling of the sPLT chunk.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7700" id="CVE-2015-7700" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pngcrush-debuginfo" release="1.11.amzn1" version="1.7.92"><filename>Packages/pngcrush-debuginfo-1.7.92-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pngcrush" release="1.11.amzn1" version="1.7.92"><filename>Packages/pngcrush-1.7.92-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pngcrush" release="1.11.amzn1" version="1.7.92"><filename>Packages/pngcrush-1.7.92-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pngcrush-debuginfo" release="1.11.amzn1" version="1.7.92"><filename>Packages/pngcrush-debuginfo-1.7.92-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com"
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-647</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-647: important priority package update for java-1.8.0-openjdk</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7636 CVE-2016-0494: 7637 1298906: 7638 CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543) 7639 Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. 7640 7641 CVE-2016-0483: 7642 1299441: 7643 CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017) 7644 An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. 7645 7646 CVE-2016-0475: 7647 It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected. 7648 1298949: 7649 CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589) 7650 7651 CVE-2016-0466: 7652 It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. 
7653 1299385: 7654 CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962) 7655 7656 CVE-2016-0448: 7657 1299073: 7658 CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710) 7659 Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX. 7660 7661 CVE-2016-0402: 7662 1298957: 7663 CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054) 7664 Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect integrity via unknown vectors related to Networking. 7665 7666 CVE-2015-7575: 7667 A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client. 
7668 1289841: 7669 CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH) 7670 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483" id="CVE-2016-0483" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" id="CVE-2015-7575" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494" id="CVE-2016-0494" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475" id="CVE-2016-0475" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402" id="CVE-2016-0402" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466" id="CVE-2016-0466" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448" id="CVE-2016-0448" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.71-2.b15.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="2.b15.8.amzn1" 
version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b15.8.amzn1" version="1.8.0.71"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-648</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-648: medium priority package update for 
kernel</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0723:
1296253:
CVE-2016-0723 kernel: Kernel memory disclosure and crash in tty layer

CVE-2015-8767:
1297389:
CVE-2015-8767 kernel: SCTP denial of service during timeout

CVE-2015-8709:
A privilege-escalation vulnerability was discovered in the Linux kernel built with User Namespace (CONFIG_USER_NS) support. The flaw occurred when the ptrace() system call was used on a root-owned process to enter a user namespace. A privileged namespace user could exploit this flaw to potentially escalate their privileges on the system, outside the original namespace.
1295287:
CVE-2015-8709 Kernel: ptrace: potential privilege escalation in user namespaces

CVE-2013-4312:
1297813:
CVE-2013-4312 kernel: File descriptors passed over unix sockets are not properly accounted
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4312" id="CVE-2013-4312" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0723" id="CVE-2016-0723" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8709" id="CVE-2015-8709" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8767" id="CVE-2015-8767" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-debuginfo-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="22.30.amzn1"
version="4.1.17"><filename>Packages/kernel-devel-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-tools-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="22.30.amzn1" version="4.1.17"><filename>Packages/perf-debuginfo-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-tools-devel-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-tools-debuginfo-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="22.30.amzn1" version="4.1.17"><filename>Packages/perf-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-headers-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-tools-debuginfo-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-devel-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="22.30.amzn1" 
version="4.1.17"><filename>Packages/perf-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="22.30.amzn1" version="4.1.17"><filename>Packages/perf-debuginfo-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-tools-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-headers-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-debuginfo-common-i686-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-debuginfo-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-tools-devel-4.1.17-22.30.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="22.30.amzn1" version="4.1.17"><filename>Packages/kernel-doc-4.1.17-22.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-649</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-649: important priority package update for ntp</title><issued date="2016-02-09 13:30" /><updated date="2016-10-18 12:15" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4953:
1340852:
CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time.

CVE-2015-8158:
1300273:
CVE-2015-8158 ntp: potential infinite loop in ntpq

CVE-2015-8138:
1299442:
CVE-2015-8138 ntp: missing check for zero originate timestamp
It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.

CVE-2015-7979:
1300271:
CVE-2015-7979 ntp: off-path denial of service on authenticated broadcast mode

CVE-2015-7978:
1300270:
CVE-2015-7978 ntp: stack exhaustion in recursive traversal of restriction list

CVE-2015-7977:
1300269:
CVE-2015-7977 ntp: restriction list NULL pointer dereference

CVE-2015-7974:
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a &quot;skeleton key.&quot;
1297471:
CVE-2015-7974 ntp: missing key check allows impersonation between authenticated peers (VU#357792)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953" id="CVE-2016-4953" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977" id="CVE-2015-7977" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974" id="CVE-2015-7974" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978" id="CVE-2015-7978" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979" id="CVE-2015-7979" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158" id="CVE-2015-8158" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138" id="CVE-2015-8138" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntpdate" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-36.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-36.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-36.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-36.29.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-36.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-36.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="36.29.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-36.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" 
status="final" type="security" version="1.4"><id>ALAS-2016-650</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-650: medium priority package update for mod24_nss</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5244:
1259216:
CVE-2015-5244 mod_nss: incorrect ciphersuite parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5244" id="CVE-2015-5244" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_nss" release="1.21.amzn1" version="1.0.12"><filename>Packages/mod24_nss-1.0.12-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_nss-debuginfo" release="1.21.amzn1" version="1.0.12"><filename>Packages/mod24_nss-debuginfo-1.0.12-1.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_nss-debuginfo" release="1.21.amzn1" version="1.0.12"><filename>Packages/mod24_nss-debuginfo-1.0.12-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_nss" release="1.21.amzn1" version="1.0.12"><filename>Packages/mod24_nss-1.0.12-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-651</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-651: medium priority package update for gnutls</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
1289841:
CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" id="CVE-2015-7575" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls-guile" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-debuginfo-2.8.5-19.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-guile-2.8.5-19.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-2.8.5-19.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="gnutls-utils" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-utils-2.8.5-19.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="19.15.amzn1" version="2.8.5"><filename>Packages/gnutls-devel-2.8.5-19.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-652</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-652: low priority package update for curl</title><issued date="2016-02-09 13:30" /><updated date="2016-02-09 13:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0755:
1302263:
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755" id="CVE-2016-0755" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl-devel" release="8.54.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="8.54.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="8.54.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="8.54.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="8.54.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-8.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="8.54.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-8.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="8.54.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-8.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="8.54.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-8.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-653</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-653: critical priority package update for glibc</title><issued date="2016-02-16 06:00" /><updated date="2016-02-16 06:45" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that
fix the following vulnerabilities:
CVE-2015-7547:
A stack-based buffer overflow flaw was found in the send_dg() and send_vc() functions, used by getaddrinfo() and other higher-level interfaces of glibc. A remote attacker able to cause an application to call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547" id="CVE-2015-7547" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-devel" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="106.166.amzn1" version="2.17"><filename>Packages/nscd-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="106.166.amzn1"
version="2.17"><filename>Packages/glibc-static-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-106.166.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="106.166.amzn1" version="2.17"><filename>Packages/nscd-2.17-106.166.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="106.166.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-106.166.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-654</id><title>Amazon Linux AMI 
2014.03 - ALAS-2016-654: important priority package update for java-1.6.0-openjdk</title><issued date="2016-02-19 15:48" /><updated date="2016-02-19 15:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7736 CVE-2016-0494: 7737 An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. 7738 7739 CVE-2016-0483: 7740 An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. 7741 7742 CVE-2016-0466: 7743 It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory. 7744 7745 CVE-2016-0448: 7746 Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 7747 7748 CVE-2016-0402: 7749 Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. 
7750 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402" id="CVE-2016-0402" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483" id="CVE-2016-0483" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466" id="CVE-2016-0466" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494" id="CVE-2016-0494" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448" id="CVE-2016-0448" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:0067.html" id="RHSA-2016:0067" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.10.0.73.amzn1" 
version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.10.0.73.amzn1" version="1.6.0.38"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-655</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-655: medium priority package update for nginx</title><issued date="2016-02-19 15:50" /><updated date="2016-02-19 15:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7751 CVE-2016-0747: 7752 1302589: 7753 CVE-2016-0747 nginx: Insufficient limits of CNAME resolution in resolver 7754 It was discovered that 
nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration.

CVE-2016-0746:
1302588:
CVE-2016-0746 nginx: use-after-free during CNAME response processing in resolver
A use-after-free flaw was found in the way nginx resolved certain CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash or, possibly, execute arbitrary code if nginx enabled the resolver in its configuration.

CVE-2016-0742:
1302587:
CVE-2016-0742 nginx: invalid pointer dereference in resolver
It was discovered that nginx could perform an out of bound read and dereference an invalid pointer when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash if nginx enabled the resolver in its configuration.
7765 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0747" id="CVE-2016-0747" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0746" id="CVE-2016-0746" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742" id="CVE-2016-0742" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="1.26.amzn1" version="1.8.1"><filename>Packages/nginx-debuginfo-1.8.1-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx" release="1.26.amzn1" version="1.8.1"><filename>Packages/nginx-1.8.1-1.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="1.26.amzn1" version="1.8.1"><filename>Packages/nginx-1.8.1-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="1.26.amzn1" version="1.8.1"><filename>Packages/nginx-debuginfo-1.8.1-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-656</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-656: medium priority package update for tomcat6</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7766 CVE-2014-7810: 7767 It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. 
7768 1222573: 7769 CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions 7770 7771 CVE-2014-0230: 7772 It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. 7773 1191200: 7774 CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload 7775 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810" id="CVE-2014-7810" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0230" id="CVE-2014-0230" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-el-2.1-api-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-lib-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-admin-webapps-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-javadoc-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" 
release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-webapps-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.3.amzn1" version="6.0.44"><filename>Packages/tomcat6-docs-webapp-6.0.44-1.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-657</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-657: medium priority package update for tomcat7</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7776 CVE-2015-5346: 7777 Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. 7778 1311085: 7779 CVE-2015-5346 tomcat: Session fixation 7780 7781 CVE-2015-5174: 7782 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. 
7783 1265698: 7784 CVE-2015-5174 tomcat: URL Normalization issue 7785 7786 CVE-2014-7810: 7787 It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. 7788 1222573: 7789 CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions 7790 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174" id="CVE-2015-5174" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346" id="CVE-2015-5346" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810" id="CVE-2014-7810" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-el-2.2-api-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-log4j-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-docs-webapp-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-webapps-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-admin-webapps-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" 
release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-lib-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-jsp-2.2-api-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-servlet-3.0-api-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.13.amzn1" version="7.0.67"><filename>Packages/tomcat7-javadoc-7.0.67-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-658</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-658: medium priority package update for tomcat8</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7791 CVE-2015-5345: 7792 The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. 7793 1311089: 7794 CVE-2015-5345 tomcat: directory disclosure 7795 7796 CVE-2015-5174: 7797 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. 
(slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. 7798 1265698: 7799 CVE-2015-5174 tomcat: URL Normalization issue 7800 7801 CVE-2014-7810: 7802 It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. 7803 1222573: 7804 CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions 7805 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174" id="CVE-2015-5174" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" id="CVE-2015-5345" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810" id="CVE-2014-7810" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-log4j-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-lib-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-admin-webapps-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-javadoc-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.57.amzn1" 
version="8.0.30"><filename>Packages/tomcat8-servlet-3.1-api-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-el-3.0-api-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-docs-webapp-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-jsp-2.3-api-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.57.amzn1" version="8.0.30"><filename>Packages/tomcat8-webapps-8.0.30-1.57.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-659</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-659: medium priority package update for rpcbind</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7806 CVE-2015-7236: 7807 1264345: 7808 CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT 7809 A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls. 
7810 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236" id="CVE-2015-7236" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="rpcbind-debuginfo" release="11.8.amzn1" version="0.2.0"><filename>Packages/rpcbind-debuginfo-0.2.0-11.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpcbind" release="11.8.amzn1" version="0.2.0"><filename>Packages/rpcbind-0.2.0-11.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rpcbind" release="11.8.amzn1" version="0.2.0"><filename>Packages/rpcbind-0.2.0-11.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpcbind-debuginfo" release="11.8.amzn1" version="0.2.0"><filename>Packages/rpcbind-debuginfo-0.2.0-11.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-660</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-660: low priority package update for glibc</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7811 CVE-2015-5229: 7812 1256285: 7813 CVE-2015-5229 glibc: calloc may return non-zero memory 7814 It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. 
7815 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5229" id="CVE-2015-5229" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="106.167.amzn1" version="2.17"><filename>Packages/nscd-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-106.167.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="glibc-debuginfo-common" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="106.167.amzn1" version="2.17"><filename>Packages/nscd-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-106.167.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="106.167.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-106.167.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-661</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-661: important priority package update for openssl</title><issued date="2016-03-10 16:30" /><updated date="2016-04-28 14:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7816 CVE-2016-2842: 7817 1314757: 7818 CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds 7819 The doapr_outch function in crypto/bio/b_print.c 
in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

CVE-2016-0800:
1310593:
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

CVE-2016-0799:
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
1312219:
CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions

CVE-2016-0797:
1311880:
CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
An integer overflow flaw, leading to a NULL pointer dereference or a heap-based memory corruption, was found in the way some BIGNUM functions of OpenSSL were implemented.
Applications that use these functions with large untrusted input could crash or, potentially, execute arbitrary code.

CVE-2016-0705:
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.
1310596:
CVE-2016-0705 OpenSSL: Double-free in DSA code

CVE-2016-0702:
A side-channel attack was found that makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture. An attacker who has the ability to control code in a thread running on the same hyper-threaded core as the victim&#039;s thread that is performing decryption, could use this flaw to recover RSA private keys.
1310599:
CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation

CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
1289841:
CVE-2015-7575 TLS 1.2 Transcipt Collision attacks against MD5 in key exchange protocol (SLOTH)

CVE-2015-3197:
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that were disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
7855 1301846: 7856 CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers 7857 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800" id="CVE-2016-0800" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197" id="CVE-2015-3197" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702" id="CVE-2016-0702" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2842" id="CVE-2016-2842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" id="CVE-2015-7575" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705" id="CVE-2016-0705" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0799" id="CVE-2016-0799" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0797" id="CVE-2016-0797" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-perl" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="14.89.amzn1" 
version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="14.89.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-14.89.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-662</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-662: important priority package update for postgresql94 postgresql93 postgresql92</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7858 CVE-2016-0773: 7859 1303832: 7860 CVE-2016-0773 postgresql: case insensitive range handling integer overflow leading to buffer overflow 7861 An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to crash or possibly execute arbitrary code. 
7862 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0773" id="CVE-2016-0773" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-test-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-docs-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-devel-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-plpython26-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-pltcl-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-plperl-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-contrib-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-server-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.61.amzn1" 
version="9.3.11"><filename>Packages/postgresql93-debuginfo-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-libs-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-plpython27-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-contrib-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-debuginfo-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-server-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-pltcl-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-docs-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-plperl-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-devel-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" 
release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-test-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-libs-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-plpython27-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.61.amzn1" version="9.3.11"><filename>Packages/postgresql93-plpython26-9.3.11-1.61.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-server-compat-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-contrib-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-devel-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-server-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-plperl-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-pltcl-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="postgresql92-libs" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-libs-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-plpython26-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-debuginfo-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-test-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-docs-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-plpython27-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-plpython27-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-server-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-plpython26-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-pltcl-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.57.amzn1" 
version="9.2.15"><filename>Packages/postgresql92-docs-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-contrib-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-test-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-devel-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-plperl-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-libs-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-server-compat-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.57.amzn1" version="9.2.15"><filename>Packages/postgresql92-debuginfo-9.2.15-1.57.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-libs-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-plpython27-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-server" 
release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-server-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-test-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-plpython26-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-plperl-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-contrib-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-debuginfo-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-devel-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-docs-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-server-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-plperl-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql94-devel" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-devel-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-libs-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-plpython26-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-plpython27-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-contrib-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-test-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-docs-9.4.6-1.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.66.amzn1" version="9.4.6"><filename>Packages/postgresql94-debuginfo-9.4.6-1.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-663</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-663: medium priority package update for privoxy</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>medium</severity><description>Package updates are available 
for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1983:
The client_host function in parsers.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via an empty HTTP Host header.
1300972:
CVE-2016-1983 privoxy: invalid read via empty host header in client request

CVE-2016-1982:
The remove_chunked_transfer_coding function in filters.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via crafted chunk-encoded content.
1300966:
CVE-2016-1982 privoxy: invalid reads in case of corrupt chunk-encoded content
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1982" id="CVE-2016-1982" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1983" id="CVE-2016-1983" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="privoxy" release="2.7.amzn1" version="3.0.23"><filename>Packages/privoxy-3.0.23-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="privoxy-debuginfo" release="2.7.amzn1" version="3.0.23"><filename>Packages/privoxy-debuginfo-3.0.23-2.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="privoxy" release="2.7.amzn1" version="3.0.23"><filename>Packages/privoxy-3.0.23-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="privoxy-debuginfo" release="2.7.amzn1" version="3.0.23"><filename>Packages/privoxy-debuginfo-3.0.23-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-664</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-664: important priority package update for 389-ds-base</title><issued
date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0741:
1299416:
CVE-2016-0741 389-ds-base: worker threads do not detect abnormally closed connections causing DoS
An infinite-loop vulnerability was discovered in the 389 directory server, where the server failed to correctly handle unexpectedly closed client connections. A remote attacker able to connect to the server could use this flaw to make the directory server consume an excessive amount of CPU and stop accepting connections (denial of service).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0741" id="CVE-2016-0741" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-devel-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-debuginfo-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-libs-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-devel-1.3.4.0-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="26.47.amzn1"
version="1.3.4.0"><filename>Packages/389-ds-base-1.3.4.0-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-libs-1.3.4.0-26.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="26.47.amzn1" version="1.3.4.0"><filename>Packages/389-ds-base-debuginfo-1.3.4.0-26.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-665</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-665: important priority package update for bind</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1286:
An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. An attacker able to cause a server to make a query deliberately chosen to generate a malicious response can cause named to stop execution with an assertion failure, resulting in denial of service to clients.

CVE-2016-1285:
A defect in control channel input handling was discovered which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel. If control channel input is accepted from the network (limited to localhost by default), an unauthenticated attacker could cause named to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286" id="CVE-2016-1286" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285" id="CVE-2016-1285" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package arch="i686"
epoch="32" name="bind-devel" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.37.rc1.45.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-666</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-666: medium priority package update for sos</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7529:
An insecure temporary file use flaw was found in the way sos created certain sosreport files. A local attacker could possibly use this flaw to perform a symbolic link attack to reveal the contents of sosreport files, or in some cases modify arbitrary files and escalate their privileges on the system.
1282542:
CVE-2015-7529 sos: Usage of predictable temporary files allows privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7529" id="CVE-2015-7529" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="sos" release="28.17.amzn1" version="3.2"><filename>Packages/sos-3.2-28.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-667</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-667: critical priority package update for nss-util</title><issued date="2016-03-10 16:30" /><updated date="2016-03-10 16:30" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1950:
1310509:
CVE-2016-1950 nss: Heap buffer overflow vulnerability in ASN1 certificate parsing (MFSA 2016-35)
A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950" id="CVE-2016-1950" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-util" release="9.49.amzn1" version="3.19.1"><filename>Packages/nss-util-3.19.1-9.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="9.49.amzn1" version="3.19.1"><filename>Packages/nss-util-devel-3.19.1-9.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="9.49.amzn1" version="3.19.1"><filename>Packages/nss-util-debuginfo-3.19.1-9.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="9.49.amzn1" version="3.19.1"><filename>Packages/nss-util-3.19.1-9.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="9.49.amzn1" version="3.19.1"><filename>Packages/nss-util-devel-3.19.1-9.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="9.49.amzn1" version="3.19.1"><filename>Packages/nss-util-debuginfo-3.19.1-9.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-668</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-668: medium priority package update for openssh</title><issued date="2016-03-16 16:30" /><updated date="2016-03-16 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3115:
1316829:
CVE-2016-3115 openssh: missing sanitisation of input for X11 forwarding
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115" id="CVE-2016-3115" title=""
type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-keycat" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="9.23.60.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="23.60.amzn1" 
version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="9.23.60.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="23.60.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-23.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-669</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-669: medium priority package update for kernel</title><issued date="2016-03-16 16:30" /><updated date="2016-12-23 21:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3157:
An issue was discovered in the kernel, running as a Xen 64-bit PV guest, where user mode processes to be granted permission to I/O ports, resulting in local privilege escalation, crashes, or information leaks.

CVE-2016-2847:
1313428:
CVE-2016-2847 kernel: pipe: limit the per-user amount of pages allocated in pipes

CVE-2016-2550:
1311517:
CVE-2016-2550 kernel: incorrectly accounted in-flight fds
A resource-exhaustion vulnerability was found in the kernel, where an unprivileged process could allocate and accumulate far more file descriptors than the process&#039; limit. A local, unauthenticated user could exploit this flaw by sending file descriptors over a Unix socket and then closing them to keep the process&#039; fd count low, thereby creating kernel-memory or file-descriptors exhaustion (denial of service).
CVE-2016-2383:
1308452:
CVE-2016-2383 kernel: incorrect branch fixups for eBPG allow arbitrary read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3157" id="CVE-2016-3157" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383" id="CVE-2016-2383" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2550" id="CVE-2016-2550" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2847" id="CVE-2016-2847" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-tools-debuginfo-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-tools-devel-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-devel-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-headers-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-tools-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="24.31.amzn1"
version="4.1.19"><filename>Packages/kernel-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="24.31.amzn1" version="4.1.19"><filename>Packages/perf-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="24.31.amzn1" version="4.1.19"><filename>Packages/perf-debuginfo-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-debuginfo-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="24.31.amzn1" version="4.1.19"><filename>Packages/perf-debuginfo-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-headers-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-devel-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-debuginfo-common-i686-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-tools-devel-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-tools-debuginfo-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-tools-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="24.31.amzn1" 
version="4.1.19"><filename>Packages/kernel-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-debuginfo-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="24.31.amzn1" version="4.1.19"><filename>Packages/perf-4.1.19-24.31.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="24.31.amzn1" version="4.1.19"><filename>Packages/kernel-doc-4.1.19-24.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-670</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-670: low priority package update for php54</title><issued date="2016-03-16 16:30" /><updated date="2016-03-16 16:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6838:
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.

CVE-2015-6837:
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.
CVE-2015-6836:
1260683:
CVE-2015-6836 php: SOAP serialize_function_call() type confusion
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.

CVE-2015-6835:
1260647:
CVE-2015-6835 php: use-after-free vulnerability in session deserializer

CVE-2015-6834:
1260642:
CVE-2015-6834 php: multiple unserialization use-after-free issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838" id="CVE-2015-6838" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834" id="CVE-2015-6834" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835" id="CVE-2015-6835" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836" id="CVE-2015-6836" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6837" id="CVE-2015-6837" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-debuginfo" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-debuginfo-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-recode" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-recode-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-dba" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-dba-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pspell" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-pspell-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php54-process" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-process-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-devel" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-devel-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-enchant" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-enchant-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-imap" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-imap-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-intl" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-intl-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mssql" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mssql-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysql" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mysql-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pdo" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-pdo-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-common" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-common-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mysqlnd" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mysqlnd-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mcrypt" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mcrypt-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-snmp" release="1.75.amzn1" 
version="5.4.45"><filename>Packages/php54-snmp-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xml" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-xml-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-embedded" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-embedded-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-gd" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-gd-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-mbstring" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mbstring-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-tidy" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-tidy-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-bcmath" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-bcmath-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-soap" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-soap-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-odbc" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-odbc-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-ldap" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-ldap-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-fpm" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-fpm-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-cli" 
release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-cli-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pgsql" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-pgsql-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-xmlrpc" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-xmlrpc-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-xml" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-xml-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-enchant" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-enchant-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-recode" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-recode-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mysqlnd" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mysqlnd-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-tidy" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-tidy-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-bcmath" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-bcmath-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mcrypt" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mcrypt-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-cli" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-cli-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-xmlrpc" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-xmlrpc-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php54-dba" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-dba-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-devel" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-devel-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-intl" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-intl-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pgsql" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-pgsql-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mbstring" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mbstring-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-process" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-process-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-gd" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-gd-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pdo" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-pdo-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-embedded" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-embedded-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-mssql" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mssql-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-soap" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-soap-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-debuginfo" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-debuginfo-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php54-mysql" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-mysql-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-snmp" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-snmp-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-fpm" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-fpm-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pspell" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-pspell-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-imap" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-imap-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-odbc" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-odbc-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-ldap" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-ldap-5.4.45-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-common" release="1.75.amzn1" version="5.4.45"><filename>Packages/php54-common-5.4.45-1.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-671</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-671: low priority package update for nmap</title><issued date="2016-03-22 11:00" /><updated date="2016-03-22 11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4885:
The http-domino-enum-passwords.nse script in NMap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload &quot;arbitrarily named&quot; files via a crafted FullName parameter in a response, as demonstrated using directory traversal sequences.
995634:
CVE-2013-4885 nmap: arbitrary file upload flaw in http-domino-enum-passwords NSE script
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4885" id="CVE-2013-4885" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="nmap-ncat" release="7.19.amzn1" version="6.40"><filename>Packages/nmap-ncat-6.40-7.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="nmap-debuginfo" release="7.19.amzn1" version="6.40"><filename>Packages/nmap-debuginfo-6.40-7.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="nmap" release="7.19.amzn1" version="6.40"><filename>Packages/nmap-6.40-7.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="nmap-debuginfo" release="7.19.amzn1" version="6.40"><filename>Packages/nmap-debuginfo-6.40-7.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="nmap" release="7.19.amzn1" version="6.40"><filename>Packages/nmap-6.40-7.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="nmap-ncat" release="7.19.amzn1" version="6.40"><filename>Packages/nmap-ncat-6.40-7.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-672</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-672: important priority package update for git</title><issued date="2016-03-24 12:00" /><updated date="2016-03-24 12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2324:
1317981:
CVE-2016-2315 CVE-2016-2324 git: path_name() integer truncation and overflow leading to buffer overflow
An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.

CVE-2016-2315:
1317981:
CVE-2016-2315 CVE-2016-2324 git: path_name() integer truncation and overflow leading to buffer overflow
An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315" id="CVE-2016-2315" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324" id="CVE-2016-2324" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="emacs-git-el" release="1.47.amzn1" version="2.7.4"><filename>Packages/emacs-git-el-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-svn-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-debuginfo-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-all"
release="1.47.amzn1" version="2.7.4"><filename>Packages/git-all-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="1.47.amzn1" version="2.7.4"><filename>Packages/emacs-git-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-daemon-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="1.47.amzn1" version="2.7.4"><filename>Packages/gitweb-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-bzr-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-p4-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="1.47.amzn1" version="2.7.4"><filename>Packages/perl-Git-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="1.47.amzn1" version="2.7.4"><filename>Packages/perl-Git-SVN-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-hg-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-email-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-cvs-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-2.7.4-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="1.47.amzn1" 
version="2.7.4"><filename>Packages/git-svn-2.7.4-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-daemon-2.7.4-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="1.47.amzn1" version="2.7.4"><filename>Packages/git-debuginfo-2.7.4-1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-673</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-673: medium priority package update for cacti</title><issued date="2016-03-24 12:00" /><updated date="2016-06-03 18:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8604:


CVE-2015-8377:


CVE-2015-4634:


CVE-2015-4454:


CVE-2015-4342:


CVE-2015-2665:


CVE-2014-5026:


CVE-2014-5025:


CVE-2013-5589:
1000860:
CVE-2013-5588 CVE-2013-5589 cacti: XSS and SQL injection flaws
SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2013-5588:
1000860:
CVE-2013-5588 CVE-2013-5589 cacti: XSS and SQL injection flaws
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5025" id="CVE-2014-5025" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8604" id="CVE-2015-8604" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5026" id="CVE-2014-5026" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665" id="CVE-2015-2665" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8377" id="CVE-2015-8377" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4454" id="CVE-2015-4454" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5589" id="CVE-2013-5589" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5588" id="CVE-2013-5588" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4634" id="CVE-2015-4634" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342" id="CVE-2015-4342" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="7.6.amzn1" version="0.8.8g"><filename>Packages/cacti-0.8.8g-7.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-674</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-674: medium priority package update for samba</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7560:
1309992:
CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path
A flaw was found in the way Samba handled ACLs on symbolic links. An authenticated user could use this flaw to gain access to an arbitrary file or directory by overwriting its ACL.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7560" id="CVE-2015-7560" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="samba-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-modules-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-krb5-locator-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient" release="12.31.amzn1" version="4.2.3"><filename>Packages/libwbclient-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/libwbclient-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="12.31.amzn1" version="4.2.3"><filename>Packages/ctdb-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="12.31.amzn1"
version="4.2.3"><filename>Packages/libsmbclient-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-clients-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-pidl-4.2.3-12.31.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-python-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-tests" release="12.31.amzn1" version="4.2.3"><filename>Packages/ctdb-tests-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="12.31.amzn1" version="4.2.3"><filename>Packages/libsmbclient-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-test-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-common-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-test-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/ctdb-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="12.31.amzn1" 
version="4.2.3"><filename>Packages/samba-common-4.2.3-12.31.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-client-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-common-tools-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-client-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-test-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-debuginfo-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-test-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-test-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-test-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-common-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="12.31.amzn1" 
version="4.2.3"><filename>Packages/samba-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/ctdb-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="12.31.amzn1" version="4.2.3"><filename>Packages/ctdb-tests-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="12.31.amzn1" version="4.2.3"><filename>Packages/libsmbclient-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-clients-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-modules-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-python-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client-libs" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-client-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-debuginfo-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="12.31.amzn1" version="4.2.3"><filename>Packages/libwbclient-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="samba-client" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-client-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-winbind-krb5-locator-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="12.31.amzn1" version="4.2.3"><filename>Packages/samba-common-tools-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/libwbclient-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="12.31.amzn1" version="4.2.3"><filename>Packages/ctdb-4.2.3-12.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="12.31.amzn1" version="4.2.3"><filename>Packages/libsmbclient-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-675</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-675: medium priority package update for openssh</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7991 CVE-2016-1908: 7992 An access flaw was discovered in OpenSSH&amp;#59; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested. 
7993 1298741: 7994 CVE-2016-1908 openssh: possible fallback from untrusted to trusted X11 forwarding 7995 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908" id="CVE-2016-1908" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="9.25.61.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.25.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" 
release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="9.25.61.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.25.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="25.61.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-25.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-676</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-676: important priority package update for mod_dav_svn subversion</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 7996 CVE-2015-5343: 7997 1289959: 7998 CVE-2015-5343 subversion: (mod_dav_svn) integer overflow when parsing skel-encoded request bodies 7999 8000 CVE-2015-5259: 8001 Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read. 
1289958:
CVE-2015-5259 subversion: integer overflow in the svn:// protocol parser

CVE-2015-3187:
It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved).
1247252:
CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz

CVE-2015-3184:
1247249:
CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4
It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3187" id="CVE-2015-3187" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5259" id="CVE-2015-5259" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3184" id="CVE-2015-3184" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5343" id="CVE-2015-5343" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.52.amzn1" version="1.8.15"><filename>Packages/mod_dav_svn-1.8.15-1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn-debuginfo" release="1.52.amzn1" version="1.8.15"><filename>Packages/mod_dav_svn-debuginfo-1.8.15-1.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.52.amzn1"
version="1.8.15"><filename>Packages/mod_dav_svn-1.8.15-1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn-debuginfo" release="1.52.amzn1" version="1.8.15"><filename>Packages/mod_dav_svn-debuginfo-1.8.15-1.52.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-debuginfo-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-devel-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-libs-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-javahl-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-tools-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_dav_svn" release="1.54.amzn1" version="1.8.15"><filename>Packages/mod24_dav_svn-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python26" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-python26-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python27" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-python27-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-ruby-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.54.amzn1" 
version="1.8.15"><filename>Packages/subversion-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-perl-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_dav_svn" release="1.54.amzn1" version="1.8.15"><filename>Packages/mod24_dav_svn-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-tools-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python27" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-python27-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-javahl-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-ruby-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-perl-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-debuginfo-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-devel-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.54.amzn1" 
version="1.8.15"><filename>Packages/subversion-libs-1.8.15-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python26" release="1.54.amzn1" version="1.8.15"><filename>Packages/subversion-python26-1.8.15-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-677</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-677: critical priority package update for java-1.8.0-openjdk java-1.7.0-openjdk</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0636:
1320650:
CVE-2016-0636 OpenJDK: out-of-band urgent security fix (Hotspot, 8151666)
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636" id="CVE-2016-0636" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.77-0.b03.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b03.9.amzn1"
version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.b03.9.amzn1" version="1.8.0.77"><filename>Packages/java-1.8.0-openjdk-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.99-2.6.5.0.66.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="1" name="java-1.7.0-openjdk-src" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.5.0.66.amzn1" version="1.7.0.99"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-678</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-678: medium priority package update for GraphicsMagick</title><issued date="2016-03-30 17:45" /><updated date="2016-03-30 17:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8808:
An out-of-bounds read flaw was found in the parsing of GIF files using GraphicsMagick.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8808" id="CVE-2015-8808" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-perl-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-c++-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-c++-devel-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-devel-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-debuginfo-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-doc-1.3.23-5.7.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-c++-1.3.23-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-devel-1.3.23-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="5.7.amzn1"
version="1.3.23"><filename>Packages/GraphicsMagick-1.3.23-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-debuginfo-1.3.23-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-c++-devel-1.3.23-5.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="5.7.amzn1" version="1.3.23"><filename>Packages/GraphicsMagick-perl-1.3.23-5.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-679</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-679: medium priority package update for tomcat8</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0763:
1311093:
CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVE-2016-0714:
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
1311082:
CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms

CVE-2016-0706:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
1311087:
CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet

CVE-2015-5351:
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
1311076:
CVE-2015-5351 tomcat: CSRF token leak

CVE-2015-5346:
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
1311085:
CVE-2015-5346 tomcat: Session fixation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763" id="CVE-2016-0763" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346" id="CVE-2015-5346" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" id="CVE-2015-5351" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714" id="CVE-2016-0714" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706" id="CVE-2016-0706" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-javadoc-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-docs-webapp-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-servlet-3.1-api-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-admin-webapps-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-lib-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.59.amzn1"
version="8.0.32"><filename>Packages/tomcat8-jsp-2.3-api-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-webapps-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-log4j-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.59.amzn1" version="8.0.32"><filename>Packages/tomcat8-el-3.0-api-8.0.32-1.59.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-680</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-680: medium priority package update for tomcat7</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0763:
1311093:
CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVE-2016-0714:
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
1311082:
CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms

CVE-2016-0706:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
1311087:
CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet

CVE-2015-5351:
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
1311076:
CVE-2015-5351 tomcat: CSRF token leak

CVE-2015-5345:
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
1311089:
CVE-2015-5345 tomcat: directory disclosure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763" id="CVE-2016-0763" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" id="CVE-2015-5351" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" id="CVE-2015-5345" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714" id="CVE-2016-0714" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706" id="CVE-2016-0706" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-servlet-3.0-api-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-jsp-2.2-api-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-admin-webapps-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-lib-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-docs-webapp-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-webapps-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.15.amzn1"
version="7.0.68"><filename>Packages/tomcat7-log4j-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-javadoc-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.15.amzn1" version="7.0.68"><filename>Packages/tomcat7-el-2.2-api-7.0.68-1.15.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-681</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-681: medium priority package update for tomcat6</title><issued date="2016-03-29 15:30" /><updated date="2016-03-29 15:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0714:
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
1311082:
CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms

CVE-2016-0706:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
1311087:
CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet

CVE-2015-5345:
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
1311089:
CVE-2015-5345 tomcat: directory disclosure

CVE-2015-5174:
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
1265698:
CVE-2015-5174 tomcat: URL Normalization issue
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174" id="CVE-2015-5174" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" id="CVE-2015-5345" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714" id="CVE-2016-0714" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706" id="CVE-2016-0706" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-jsp-2.1-api-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-admin-webapps-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-servlet-2.5-api-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-docs-webapp-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-el-2.1-api-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-webapps-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.4.amzn1"
version="6.0.45"><filename>Packages/tomcat6-lib-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.4.amzn1" version="6.0.45"><filename>Packages/tomcat6-javadoc-6.0.45-1.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-682</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-682: important priority package update for openssl098e</title><issued date="2016-04-06 14:40" /><updated date="2016-04-06 14:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0800:
1310593:
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

CVE-2016-0704:
It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use a SSLv2 server using OpenSSL as a Bleichenbacher oracle.
1310814:
CVE-2016-0704 openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers

CVE-2016-0703:
1310811:
CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.

CVE-2015-3197:
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that were disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
1301846:
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers

CVE-2015-0293:
A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled.
A denial of service flaw was found in the way OpenSSL handled certain SSLv2 messages. A malicious client could send a specially crafted SSLv2 CLIENT-MASTER-KEY message that would cause an OpenSSL server that both supports SSLv2 and enables EXPORT-grade cipher suites to crash.
1202404:
CVE-2015-0293 openssl: assertion failure in SSLv2 servers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293" id="CVE-2015-0293" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703" id="CVE-2016-0703" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0704" id="CVE-2016-0704" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800" id="CVE-2016-0800" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197" id="CVE-2015-3197" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssl098e" release="29.19.amzn1" version="0.9.8e"><filename>Packages/openssl098e-0.9.8e-29.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssl098e-debuginfo" release="29.19.amzn1" version="0.9.8e"><filename>Packages/openssl098e-debuginfo-0.9.8e-29.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssl098e" release="29.19.amzn1" version="0.9.8e"><filename>Packages/openssl098e-0.9.8e-29.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssl098e-debuginfo" release="29.19.amzn1" version="0.9.8e"><filename>Packages/openssl098e-debuginfo-0.9.8e-29.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-683</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-683: medium priority package update for libssh2</title><issued date="2016-04-06 14:40" /><updated date="2016-04-06 14:40" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0787:
1306021:
CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787" id="CVE-2016-0787" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libssh2-docs" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-docs-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libssh2" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libssh2-devel" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-devel-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libssh2-debuginfo" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-debuginfo-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libssh2" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-1.4.2-2.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libssh2-devel" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-devel-1.4.2-2.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libssh2-debuginfo" release="2.13.amzn1" version="1.4.2"><filename>Packages/libssh2-debuginfo-1.4.2-2.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libssh2-docs" release="2.13.amzn1"
version="1.4.2"><filename>Packages/libssh2-docs-1.4.2-2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-684</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-684: important priority package update for mysql56</title><issued date="2016-04-06 14:40" /><updated date="2016-04-06 14:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0616:
1301510:
CVE-2016-0616 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2016-0611:
1301509:
CVE-2016-0611 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2016-0610:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
1301508:
CVE-2016-0610 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016)

CVE-2016-0609:
1301507:
CVE-2016-0609 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges.

CVE-2016-0608:
1301506:
CVE-2016-0608 mysql: unspecified vulnerability in subcomponent: Server: UDF (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF.

CVE-2016-0607:
1301505:
CVE-2016-0607 mysql: unspecified vulnerability in subcomponent: Server: Replication (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to replication.

CVE-2016-0606:
1301504:
CVE-2016-0606 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption.

CVE-2016-0605:
Unspecified vulnerability in Oracle MySQL 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors.
1301503:
CVE-2016-0605 mysql: unspecified vulnerability in subcomponent: Server: General (CPU January 2016)

CVE-2016-0601:
Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Partition.
1301502:
CVE-2016-0601 mysql: unspecified vulnerability in subcomponent: Server: Partition (CPU January 2016)

CVE-2016-0600:
1301501:
CVE-2016-0600 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2016-0599:
1301500:
CVE-2016-0599 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2016-0598:
1301498:
CVE-2016-0598 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-0597:
1301497:
CVE-2016-0597 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2016-0596:
1301496:
CVE-2016-0596 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-0595:
1301495:
CVE-2016-0595 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-0594:
1301494:
CVE-2016-0594 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.6.21 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-0546:
1301493:
CVE-2016-0546 mysql: unspecified vulnerability in subcomponent: Client (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client.

CVE-2016-0505:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.
1301492:
CVE-2016-0505 mysql: unspecified vulnerability in subcomponent: Server: Options (CPU January 2016)

CVE-2016-0504:
1301491:
CVE-2016-0504 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0503.

CVE-2016-0503:
1301490:
CVE-2016-0503 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0504.

CVE-2016-0502:
1301489:
CVE-2016-0502 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2015-7744:
1301488:
CVE-2015-7744 yaSSL, wolfSSL: insufficient hardening of RSA-CRT implementation (Oracle MySQL CPU Jan 2016)
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack.

CVE-2015-4913:
1274794:
CVE-2015-4913 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML, a different vulnerability than CVE-2015-4858.

CVE-2015-4910:
1274792:
CVE-2015-4910 mysql: unspecified vulnerability related to Server:Memcached (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.

CVE-2015-4905:
1274790:
CVE-2015-4905 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML.

CVE-2015-4904:
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld.
1274787:
CVE-2015-4904 mysql: unspecified vulnerability related to libmysqld (CPU October 2015)

CVE-2015-4895:
1274786:
CVE-2015-4895 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.

CVE-2015-4890:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Replication.
1274785:
CVE-2015-4890 mysql: unspecified vulnerability related to Server:Replication (CPU October 2015)

CVE-2015-4879:
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
1274783:
CVE-2015-4879 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)

CVE-2015-4870:
1274781:
CVE-2015-4870 mysql: unspecified vulnerability related to Server:Parser (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser.

CVE-2015-4866:
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
1274780:
CVE-2015-4866 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)

CVE-2015-4864:
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges.
1274779:
CVE-2015-4864 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)

CVE-2015-4862:
1274778:
CVE-2015-4862 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML.

CVE-2015-4861:
1274776:
CVE-2015-4861 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.

CVE-2015-4858:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2015-4913.
1274773:
CVE-2015-4858 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)

CVE-2015-4836:
1274771:
CVE-2015-4836 mysql: unspecified vulnerability related to Server:SP (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : SP.

CVE-2015-4833:
1274770:
CVE-2015-4833 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition.

CVE-2015-4830:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges.
1274767:
CVE-2015-4830 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)

CVE-2015-4826:
1274766:
CVE-2015-4826 mysql: unspecified vulnerability related to Server:Types (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Types.

CVE-2015-4819:
1274764:
CVE-2015-4819 mysql: unspecified vulnerability related to Client programs (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client programs.

CVE-2015-4815:
1274759:
CVE-2015-4815 mysql: unspecified vulnerability related to Server:DDL (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DDL.

CVE-2015-4807:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier, when running on Windows, allows remote authenticated users to affect availability via unknown vectors related to Server : Query Cache.
1274758:
CVE-2015-4807 mysql: unspecified vulnerability related to Server:Query Cache (CPU October 2015)

CVE-2015-4802:
1274756:
CVE-2015-4802 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4792.

CVE-2015-4800:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer.
1274754:
CVE-2015-4800 mysql: unspecified vulnerability related to Server:Optimizer (CPU October 2015)

CVE-2015-4792:
1274752:
CVE-2015-4792 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4802.

CVE-2015-4791:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges.
1274749:
CVE-2015-4791 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)

CVE-2015-4766:
1274748:
CVE-2015-4766 mysql: unspecified vulnerability related to Server:Security:Firewall (CPU October 2015)
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4864" id="CVE-2015-4864" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4866" id="CVE-2015-4866" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4861" id="CVE-2015-4861" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4862" id="CVE-2015-4862" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0616" id="CVE-2016-0616" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4910" id="CVE-2015-4910" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4913" id="CVE-2015-4913" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0610" id="CVE-2016-0610" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0594" id="CVE-2016-0594" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0595" id="CVE-2016-0595" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0596" id="CVE-2016-0596" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0597" id="CVE-2016-0597" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0598" id="CVE-2016-0598" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4792" id="CVE-2015-4792" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4791" id="CVE-2015-4791" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4807" id="CVE-2015-4807" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4870" id="CVE-2015-4870" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0599" id="CVE-2016-0599" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0546" id="CVE-2016-0546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4858" id="CVE-2015-4858" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4815" id="CVE-2015-4815" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4833" id="CVE-2015-4833" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4830" id="CVE-2015-4830" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4836" id="CVE-2015-4836" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0608" id="CVE-2016-0608" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0609" id="CVE-2016-0609" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0505" id="CVE-2016-0505" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0504" id="CVE-2016-0504" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4890" id="CVE-2015-4890" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0601" id="CVE-2016-0601" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4904" id="CVE-2015-4904" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4905" id="CVE-2015-4905" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0605" id="CVE-2016-0605" title="" 
type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0606" id="CVE-2016-0606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7744" id="CVE-2015-7744" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4766" id="CVE-2015-4766" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0611" id="CVE-2016-0611" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0607" id="CVE-2016-0607" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4819" id="CVE-2015-4819" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4879" id="CVE-2015-4879" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0502" id="CVE-2016-0502" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4895" id="CVE-2015-4895" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0503" id="CVE-2016-0503" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0600" id="CVE-2016-0600" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4802" id="CVE-2015-4802" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4800" id="CVE-2015-4800" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4826" id="CVE-2015-4826" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-test" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-test-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" 
release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-bench-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-server-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-devel-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-errmsg-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-embedded-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-debuginfo-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-libs-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-common-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-embedded-devel-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-debuginfo-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.14.amzn1" 
version="5.6.29"><filename>Packages/mysql56-common-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-test-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-errmsg-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-server-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-devel-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-libs-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-bench-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-embedded-devel-5.6.29-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.14.amzn1" version="5.6.29"><filename>Packages/mysql56-embedded-5.6.29-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-685</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-685: medium priority package update for php56 php55</title><issued date="2016-04-13 11:45" /><updated date="2016-04-13 11:45" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2554:
1305543:
CVE-2016-2554 php: Stack overflow vulnerability when decompressing tar phar archives
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2554" id="CVE-2016-2554" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-tidy" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-tidy-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-gmp-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-odbc-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-process-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-enchant-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-common-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-recode-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-recode-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.113.amzn1" 
version="5.5.33"><filename>Packages/php55-intl-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-intl-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-opcache-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-cli-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-cli-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-pspell-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-dbg-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-debuginfo-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mcrypt-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-mbstring-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mbstring-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-gd" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-gd-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-enchant-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-pdo-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-pgsql-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-imap-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-pspell-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-mcrypt-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mysqlnd-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-xml-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mssql-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-soap-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.123.amzn1" 
version="5.6.19"><filename>Packages/php56-odbc-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-dba-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-snmp-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-process-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-dba-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-snmp-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-embedded-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-ldap-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-tidy-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-xmlrpc-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-opcache-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.113.amzn1" 
version="5.5.33"><filename>Packages/php55-mysqlnd-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-imap-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-debuginfo-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-embedded-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-xml-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-fpm-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-soap-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-gmp-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-bcmath-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-devel-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-pdo-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php55-bcmath" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-bcmath-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-ldap-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-pgsql-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-xmlrpc-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-mssql-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-fpm-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-common-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-gd-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-devel-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-dbg-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.113.amzn1" 
version="5.5.33"><filename>Packages/php55-mssql-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-mbstring-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-soap-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-debuginfo-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-cli-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-opcache-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-process-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-common-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-enchant-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-dba-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-xml-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-ldap-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-debuginfo" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-debuginfo-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-process-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mysqlnd-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-soap-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-opcache-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-intl-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-snmp-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-enchant-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-gd-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-dba-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-imap-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-common" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-common-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-gmp-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-pgsql-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-tidy-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-embedded-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-snmp-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-pdo-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-cli-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-intl-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-pspell-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mbstring-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-pdo-5.5.33-1.113.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-imap" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-imap-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-mcrypt-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-pspell-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-recode-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-recode-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-xmlrpc-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mssql-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-fpm-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-gd-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-odbc-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-fpm-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.113.amzn1" 
version="5.5.33"><filename>Packages/php55-embedded-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-odbc-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-xml-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-bcmath-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-mysqlnd-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-xmlrpc-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-bcmath-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-mcrypt-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-devel-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-devel-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.113.amzn1" version="5.5.33"><filename>Packages/php55-pgsql-5.5.33-1.113.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-gmp-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" 
release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-tidy-5.6.19-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.123.amzn1" version="5.6.19"><filename>Packages/php56-ldap-5.6.19-1.123.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-686</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-686: critical priority package update for samba</title><issued date="2016-04-13 11:45" /><updated date="2016-04-13 11:45" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2118:
A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database.
1317990:
CVE-2016-2118 samba: SAMR and LSA man in the middle attacks

CVE-2016-2115:
1312084:
CVE-2016-2115 samba: Smb signing not required by default when smb client connection is used for ipc usage
It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client.

CVE-2016-2114:
It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server.
1312082:
CVE-2016-2114 samba: Samba based active directory domain controller does not enforce smb signing

CVE-2016-2113:
1311910:
CVE-2016-2113 samba: Server certificates not validated at client side
It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate.

CVE-2016-2112:
1311903:
CVE-2016-2112 samba: Missing downgrade detection
It was found that Samba&#039;s LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.

CVE-2016-2111:
It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine.
1311902:
CVE-2016-2111 samba: Spoofing vulnerability when domain controller is configured

CVE-2016-2110:
Several flaws were found in Samba&#039;s implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.
1311893:
CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication

CVE-2015-5370:
1309987:
CVE-2015-5370 samba: crash in dcesrv_auth_bind_ack due to missing error check
Multiple flaws were found in Samba&#039;s DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118" id="CVE-2016-2118" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2114" id="CVE-2016-2114" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2115" id="CVE-2016-2115" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112" id="CVE-2016-2112" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2113" id="CVE-2016-2113" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2110" id="CVE-2016-2110" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2111" id="CVE-2016-2111" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5370" id="CVE-2015-5370" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libwbclient" release="6.33.amzn1" 
version="4.2.10"><filename>Packages/libwbclient-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-test-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-client-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-test-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-pidl-4.2.10-6.33.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/libwbclient-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="6.33.amzn1" version="4.2.10"><filename>Packages/ctdb-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-common-4.2.10-6.33.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-krb5-locator-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-common-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-devel" release="6.33.amzn1" 
version="4.2.10"><filename>Packages/ctdb-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/libsmbclient-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-python-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-client-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-modules-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-clients-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="6.33.amzn1" version="4.2.10"><filename>Packages/libsmbclient-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-common-tools-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="6.33.amzn1" 
version="4.2.10"><filename>Packages/samba-debuginfo-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-tests" release="6.33.amzn1" version="4.2.10"><filename>Packages/ctdb-tests-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-test-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="6.33.amzn1" version="4.2.10"><filename>Packages/ctdb-tests-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/libsmbclient-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-common-tools-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-client-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/ctdb-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-krb5-locator-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="6.33.amzn1" version="4.2.10"><filename>Packages/libsmbclient-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-4.2.10-6.33.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="samba-client-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-client-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-common-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-test-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-winbind-modules-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-test-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-debuginfo-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-python-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="6.33.amzn1" version="4.2.10"><filename>Packages/ctdb-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="6.33.amzn1" version="4.2.10"><filename>Packages/libwbclient-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="6.33.amzn1" 
version="4.2.10"><filename>Packages/samba-winbind-clients-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="6.33.amzn1" version="4.2.10"><filename>Packages/libwbclient-4.2.10-6.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="6.33.amzn1" version="4.2.10"><filename>Packages/samba-test-4.2.10-6.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-687</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-687: medium priority package update for golang</title><issued date="2016-04-21 16:00" /><updated date="2016-04-21 16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3959:
1324343:
CVE-2016-3959 golang: infinite loop in several big integer routines
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3959" id="CVE-2016-3959" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="golang-bin" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-bin-1.5.3-1.21.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-src-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-tests-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-1.5.3-1.21.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="1.21.amzn1"
version="1.5.3"><filename>Packages/golang-misc-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-docs-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-1.5.3-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.21.amzn1" version="1.5.3"><filename>Packages/golang-bin-1.5.3-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-688</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-688: critical priority package update for java-1.8.0-openjdk</title><issued date="2016-04-21 16:00" /><updated date="2016-04-21 16:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3427:
It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
1328210:
CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

CVE-2016-3426:
1328059:
CVE-2016-3426 OpenJDK: non-constant time GCM authentication tag comparison (JCE, 8143945)

CVE-2016-3425:
1328040:
CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)
It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values.
Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.

CVE-2016-0695:
1328022:
CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593)
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.

CVE-2016-0687:
1327749:
CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051)

CVE-2016-0686:
1327743:
CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695" id="CVE-2016-0695" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686" id="CVE-2016-0686" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687" id="CVE-2016-0687" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425" id="CVE-2016-3425" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427" id="CVE-2016-3427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3426" id="CVE-2016-3426" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.91-0.b14.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b14.10.amzn1"
version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="1" name="java-1.8.0-openjdk-demo" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.b14.10.amzn1" version="1.8.0.91"><filename>Packages/java-1.8.0-openjdk-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-689</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-689: important priority package update for postgresql8</title><issued date="2016-04-21 16:00" /><updated date="2016-04-21 16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0773:
1303832:
CVE-2016-0773 postgresql: case insensitive range handling integer overflow leading to buffer overflow
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to crash or possibly execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0773" id="CVE-2016-0773" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql8-libs" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-docs" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plpython" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-server" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-devel" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-debuginfo" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-contrib" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-pltcl" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-plperl" release="5.52.amzn1"
version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql8-test" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-devel" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-devel-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-pltcl" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-pltcl-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-debuginfo" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-debuginfo-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plpython" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-plpython-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-server" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-server-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-libs" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-libs-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-plperl" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-plperl-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-contrib" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-contrib-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-test" release="5.52.amzn1" 
version="8.4.20"><filename>Packages/postgresql8-test-8.4.20-5.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql8-docs" release="5.52.amzn1" version="8.4.20"><filename>Packages/postgresql8-docs-8.4.20-5.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-690</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-690: medium priority package update for foomatic</title><issued date="2016-04-21 16:00" /><updated date="2016-04-21 16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8560:
It was discovered that foomatic-rip failed to remove all shell special characters from inputs used to construct command lines for external programs run by the filter. An attacker could possibly use this flaw to execute arbitrary commands.
1291227:
CVE-2015-8560 cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character

CVE-2010-5325:
1218297:
CVE-2010-5325 foomatic: potential remote arbitrary code execution
It was discovered that the unhtmlify() function of foomatic-rip did not correctly calculate buffer sizes, possibly leading to a heap-based memory corruption. A malicious attacker could exploit this flaw to cause foomatic-rip to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560" id="CVE-2015-8560" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5325" id="CVE-2010-5325" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="foomatic" release="5.11.amzn1" version="4.0.4"><filename>Packages/foomatic-4.0.4-5.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="foomatic-debuginfo" release="5.11.amzn1" version="4.0.4"><filename>Packages/foomatic-debuginfo-4.0.4-5.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="foomatic-debuginfo" release="5.11.amzn1" version="4.0.4"><filename>Packages/foomatic-debuginfo-4.0.4-5.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="foomatic" release="5.11.amzn1" version="4.0.4"><filename>Packages/foomatic-4.0.4-5.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-691</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-691: medium priority package update for krb5</title><issued date="2016-04-21 16:00" /><updated date="2016-04-21 16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8631:
1302642:
CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in request
A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.

CVE-2015-8630:
A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() function did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash.
1302632:
CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask

CVE-2015-8629:
1302617:
CVE-2015-8629 krb5: xdr_nullstring() doesn't check for terminating null character
An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8629" id="CVE-2015-8629" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8630" id="CVE-2015-8630" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8631" id="CVE-2015-8631" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-workstation" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-workstation-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-debuginfo-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-libs-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-server-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-server-ldap-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-devel-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-pkinit-openssl-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-debuginfo-1.13.2-12.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="12.40.amzn1"
version="1.13.2"><filename>Packages/krb5-libs-1.13.2-12.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-devel-1.13.2-12.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-pkinit-openssl-1.13.2-12.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-workstation-1.13.2-12.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-server-1.13.2-12.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="12.40.amzn1" version="1.13.2"><filename>Packages/krb5-server-ldap-1.13.2-12.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-692</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-692: important priority package update for apache-commons-collections</title><issued date="2016-04-27 16:15" /><updated date="2016-04-27 16:15" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="apache-commons-collections-javadoc" release="3.10.amzn1" version="3.2.2"><filename>Packages/apache-commons-collections-javadoc-3.2.2-3.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="apache-commons-collections" release="3.10.amzn1" version="3.2.2"><filename>Packages/apache-commons-collections-3.2.2-3.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="apache-commons-collections-testframework" release="3.10.amzn1" 
version="3.2.2"><filename>Packages/apache-commons-collections-testframework-3.2.2-3.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-693</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-693: critical priority package update for java-1.7.0-openjdk</title><issued date="2016-04-27 16:15" /><updated date="2016-04-27 16:15" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3427:
It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
1328210:
CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

CVE-2016-3425:
1328040:
CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)
It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.

CVE-2016-0695:
1328022:
CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593)
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.

CVE-2016-0687:
1327749:
CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051)

CVE-2016-0686:
1327743:
CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695" id="CVE-2016-0695" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425" id="CVE-2016-3425" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686" id="CVE-2016-0686" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427" id="CVE-2016-3427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687" id="CVE-2016-0687" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.101-2.6.6.1.67.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.6.1.67.amzn1"
version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.6.1.67.amzn1" version="1.7.0.101"><filename>Packages/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-694</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-694: medium priority package update for kernel</title><issued date="2016-04-27 16:15" /><updated date="2017-01-19 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7117:
1382268:
CVE-2016-7117 kernel: Use-after-free in the recvmmsg exit path
A use-after-free vulnerability was found in the
kernel&#039;s socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within __sys_recvmmsg() function.

CVE-2016-3672:
1324749:
CVE-2016-3672 kernel: unlimiting the stack disables ASLR

CVE-2016-3156:
1318172:
CVE-2016-3156 kernel: ipv4: denial of service when destroying a network interface

CVE-2016-3135:
1317386:
CVE-2016-3135 kernel: netfilter: size overflow in x_tables

CVE-2016-3134:
1317383:
CVE-2016-3134 kernel: netfilter: missing bounds check in ipt_entry structure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117" id="CVE-2016-7117" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134" id="CVE-2016-3134" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135" id="CVE-2016-3135" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3672" id="CVE-2016-3672" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3156" id="CVE-2016-3156" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="20.46.amzn1" version="4.4.8"><filename>Packages/perf-debuginfo-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-tools-debuginfo-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="kernel-tools" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-tools-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-tools-devel-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-debuginfo-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="20.46.amzn1" version="4.4.8"><filename>Packages/perf-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-devel-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-headers-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="20.46.amzn1" version="4.4.8"><filename>Packages/perf-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-devel-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-tools-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="20.46.amzn1" 
version="4.4.8"><filename>Packages/perf-debuginfo-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-debuginfo-common-i686-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-tools-debuginfo-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-debuginfo-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-tools-devel-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-headers-4.4.8-20.46.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="20.46.amzn1" version="4.4.8"><filename>Packages/kernel-doc-4.4.8-20.46.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-695</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-695: important priority package update for openssl</title><issued date="2016-05-03 10:30" /><updated date="2016-05-03 10:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2109:
1330101:
CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data

CVE-2016-2108:


CVE-2016-2107:


CVE-2016-2106:


CVE-2016-2105:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105" 
id="CVE-2016-2105" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107" id="CVE-2016-2107" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2106" id="CVE-2016-2106" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109" id="CVE-2016-2109" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2108" id="CVE-2016-2108" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-perl" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="1" name="openssl-devel" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="14.91.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-14.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-696</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-696: important priority package update for graphite2</title><issued date="2016-05-03 10:30" /><updated date="2016-05-03 10:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1526:
1308590:
CVE-2016-1526 graphite2: Out-of-bounds read vulnerability in TfUtil:LocaLookup
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.

CVE-2016-1523:
1305813:
CVE-2016-1523 graphite2: Heap-based buffer overflow in context item handling functionality
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.

CVE-2016-1522:
1305810:
CVE-2016-1522 graphite2: Null pointer dereference and out-of-bounds access vulnerabilities
A vulnerability has been discovered in Graphite2. 
An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.

CVE-2016-1521:
1305805:
CVE-2016-1521 graphite2: Out-of-bound read vulnerability triggered by crafted fonts
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522" id="CVE-2016-1522" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523" id="CVE-2016-1523" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521" id="CVE-2016-1521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526" id="CVE-2016-1526" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphite2-devel" release="1.9.amzn1" version="1.3.6"><filename>Packages/graphite2-devel-1.3.6-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphite2-debuginfo" release="1.9.amzn1" version="1.3.6"><filename>Packages/graphite2-debuginfo-1.3.6-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphite2" release="1.9.amzn1" version="1.3.6"><filename>Packages/graphite2-1.3.6-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphite2-debuginfo" release="1.9.amzn1" 
version="1.3.6"><filename>Packages/graphite2-debuginfo-1.3.6-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphite2" release="1.9.amzn1" version="1.3.6"><filename>Packages/graphite2-1.3.6-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphite2-devel" release="1.9.amzn1" version="1.3.6"><filename>Packages/graphite2-devel-1.3.6-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-697</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-697: important priority package update for mercurial</title><issued date="2016-05-03 10:30" /><updated date="2016-05-03 10:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3630:
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
1322264:
CVE-2016-3630 mercurial: remote code execution in binary delta decoding

CVE-2016-3069:
It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository.
1320155:
CVE-2016-3069 mercurial: convert extension command injection via git repository names

CVE-2016-3068:
It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code. 
1319768:
CVE-2016-3068 mercurial: command injection via git subrepository urls
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3069" id="CVE-2016-3069" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3068" id="CVE-2016-3068" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3630" id="CVE-2016-3630" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mercurial-debuginfo" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-debuginfo-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-common" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-common-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-python27" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-python27-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="emacs-mercurial-el" release="1.26.amzn1" version="3.5.2"><filename>Packages/emacs-mercurial-el-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-python26" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-python26-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="emacs-mercurial" release="1.26.amzn1" version="3.5.2"><filename>Packages/emacs-mercurial-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="emacs-mercurial" release="1.26.amzn1" version="3.5.2"><filename>Packages/emacs-mercurial-3.5.2-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-python27" release="1.26.amzn1" 
version="3.5.2"><filename>Packages/mercurial-python27-3.5.2-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-common" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-common-3.5.2-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-python26" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-python26-3.5.2-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-debuginfo" release="1.26.amzn1" version="3.5.2"><filename>Packages/mercurial-debuginfo-3.5.2-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="emacs-mercurial-el" release="1.26.amzn1" version="3.5.2"><filename>Packages/emacs-mercurial-el-3.5.2-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-698</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-698: important priority package update for php56 php55</title><issued date="2016-05-03 10:30" /><updated date="2016-05-03 10:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4073:
1323103:
CVE-2016-4073 php: Negative size parameter in memcpy

CVE-2016-4072:
1323106:
CVE-2016-4072 php: Invalid memory write in phar on filename containing \\0 inside name

CVE-2016-4071:
1323108:
CVE-2016-4071 php: Format string vulnerability in php_snmp_error()

CVE-2016-4070:
1323114:
CVE-2016-4070 php: Integer overflow in php_raw_url_encode

CVE-2016-3074:
1321893:
CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or 
potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.

CVE-2015-8865:
1323118:
CVE-2015-8865 file: Buffer over-write in finfo_open with malformed magic file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8865" id="CVE-2015-8865" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4073" id="CVE-2016-4073" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4072" id="CVE-2016-4072" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4071" id="CVE-2016-4071" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4070" id="CVE-2016-4070" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074" id="CVE-2016-3074" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-devel" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-devel-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-gd-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-enchant-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mysqlnd-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-intl-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" 
release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-imap-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-pgsql-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-bcmath-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-dba-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mssql-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-process-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-xml-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-pspell-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-recode-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-pdo-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.114.amzn1" 
version="5.5.35"><filename>Packages/php55-xmlrpc-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-snmp-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-fpm-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-ldap-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-gmp-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-embedded-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mcrypt-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-odbc-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-common-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-tidy-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mbstring" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mbstring-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-cli-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-opcache" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-opcache-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-debuginfo-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-soap-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mbstring-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-intl-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-tidy-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-pdo-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-enchant-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mcrypt-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-xmlrpc-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-pspell-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.114.amzn1" 
version="5.5.35"><filename>Packages/php55-snmp-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-debuginfo-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-xml-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-embedded-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-gd-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-gmp-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-recode-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-cli-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-devel-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-common-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mssql-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" 
release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-dba-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-bcmath-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-pgsql-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-fpm-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-opcache-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-imap-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-mysqlnd-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-odbc-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-process-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-soap-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.114.amzn1" version="5.5.35"><filename>Packages/php55-ldap-5.5.35-1.114.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-opcache-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php56" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-debuginfo-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mcrypt-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-fpm-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-bcmath-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-ldap-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-xmlrpc-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-intl-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-dba-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-embedded-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-common-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.124.amzn1" 
version="5.6.21"><filename>Packages/php56-mysqlnd-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-tidy-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-gmp-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-recode-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-enchant-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-process-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-xml-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-devel-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-gd-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-cli-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-soap-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-odbc-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-snmp" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-snmp-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mssql-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-imap-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-pspell-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mbstring-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-pdo-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-pgsql-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-dbg-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-cli-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-embedded-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-ldap-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.124.amzn1" 
version="5.6.21"><filename>Packages/php56-common-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-intl-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mcrypt-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mysqlnd-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-xml-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-debuginfo-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-pgsql-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-fpm-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-bcmath-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-xmlrpc-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-dba-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-devel-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" 
release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-pdo-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-snmp-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-opcache-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mssql-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-recode-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-odbc-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-gmp-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-gd-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-pspell-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-soap-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-mbstring-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-process" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-process-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-tidy-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-imap-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-dbg-5.6.21-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.124.amzn1" version="5.6.21"><filename>Packages/php56-enchant-5.6.21-1.124.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-699</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-699: important priority package update for ImageMagick</title><issued date="2016-05-11 11:00" /><updated date="2016-05-11 11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3718:
A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images.
1332802:
CVE-2016-3718 ImageMagick: SSRF vulnerability

CVE-2016-3717:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. 
A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files.
1332505:
CVE-2016-3717 ImageMagick: Local file read

CVE-2016-3716:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to move arbitrary files.
1332504:
CVE-2016-3716 ImageMagick: File moving

CVE-2016-3715:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete arbitrary files.
1332500:
CVE-2016-3715 ImageMagick: File deletion

CVE-2016-3714:
It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application. 
1332492:
CVE-2016-3714 ImageMagick: Insufficient shell characters filtering
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3718" id="CVE-2016-3718" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3717" id="CVE-2016-3717" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3716" id="CVE-2016-3716" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3715" id="CVE-2016-3715" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714" id="CVE-2016-3714" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ImageMagick-debuginfo" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-devel" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-devel-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++-devel" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-doc" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-doc-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-perl" release="13.19.amzn1" 
version="6.7.8.9"><filename>Packages/ImageMagick-perl-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-doc" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-doc-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-perl" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-perl-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-debuginfo" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-devel" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-devel-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++-devel" release="13.19.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-13.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-700</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-700: critical priority package update for java-1.6.0-openjdk</title><issued date="2016-05-11 11:00" /><updated date="2016-05-11 11:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3427:
It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which 
classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
1328210:
CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

CVE-2016-3425:
1328040:
CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)
It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.

CVE-2016-0695:
1328022:
CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593)
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.

CVE-2016-0687:
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component.
1327749:
CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051)

CVE-2016-0686:
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. 
1327743:
CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695" id="CVE-2016-0695" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425" id="CVE-2016-3425" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686" id="CVE-2016-0686" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427" id="CVE-2016-3427" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687" id="CVE-2016-0687" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" 
release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.11.1.74.amzn1" version="1.6.0.39"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-701</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-701: critical priority package update for mysql56</title><issued date="2016-05-18 14:00" /><updated date="2016-05-18 14:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2047:
The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 
10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject&#039;s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a &quot;/CN=&quot; string in a field in a certificate, as demonstrated by &quot;/OU=/CN=bar.com/CN=foo.com.&quot;
1301874:
CVE-2016-2047 mysql: ssl-validate-cert incorrect hostname check

CVE-2016-0705:
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.
1310596:
CVE-2016-0705 OpenSSL: Double-free in DSA code

CVE-2016-0666:
1329270:
CVE-2016-0666 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to Security: Privileges.

CVE-2016-0655:
1329259:
CVE-2016-0655 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows local users to affect availability via vectors related to InnoDB.

CVE-2016-0648:
1329251:
CVE-2016-0648 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to PS. 

CVE-2016-0647:
1329249:
CVE-2016-0647 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to FTS.

CVE-2016-0643:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect confidentiality via vectors related to DML.
1329245:
CVE-2016-0643 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)

CVE-2016-0642:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
1329243:
CVE-2016-0642 mysql: unspecified vulnerability in subcomponent: Server: Federated (CPU April 2016)

CVE-2016-0639:
Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Pluggable Authentication. 
1329238:
CVE-2016-0639 mysql: unspecified vulnerability in subcomponent: Server: Pluggable Authentication (CPU April 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0639" id="CVE-2016-0639" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0647" id="CVE-2016-0647" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705" id="CVE-2016-0705" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0642" id="CVE-2016-0642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0643" id="CVE-2016-0643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0666" id="CVE-2016-0666" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0648" id="CVE-2016-0648" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0655" id="CVE-2016-0655" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2047" id="CVE-2016-2047" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-libs-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-devel-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.15.amzn1" 
version="5.6.30"><filename>Packages/mysql56-embedded-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-test-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-embedded-devel-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-debuginfo-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-bench-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-common-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-server-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-errmsg-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-embedded-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-test-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-errmsg-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.15.amzn1" 
version="5.6.30"><filename>Packages/mysql56-devel-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-server-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-debuginfo-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-libs-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-common-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-embedded-devel-5.6.30-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.15.amzn1" version="5.6.30"><filename>Packages/mysql56-bench-5.6.30-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-702</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-702: medium priority package update for nspr nss-util nss nss-softokn</title><issued date="2016-05-18 14:00" /><updated date="2016-05-18 14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1979:
A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. 
An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application.
1315202:
CVE-2016-1979 nss: Use-after-free during processing of DER encoded keys in NSS (MFSA 2016-36)

CVE-2016-1978:
A use-after-free flaw was found in the way NSS handled DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application.
1315565:
CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1979" id="CVE-2016-1979" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1978" id="CVE-2016-1978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nspr-debuginfo" release="1.37.amzn1" version="4.11.0"><filename>Packages/nspr-debuginfo-4.11.0-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr" release="1.37.amzn1" version="4.11.0"><filename>Packages/nspr-4.11.0-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nspr-devel" release="1.37.amzn1" version="4.11.0"><filename>Packages/nspr-devel-4.11.0-1.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nspr-devel" release="1.37.amzn1" 
version="4.11.0"><filename>Packages/nspr-devel-4.11.0-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr" release="1.37.amzn1" version="4.11.0"><filename>Packages/nspr-4.11.0-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nspr-debuginfo" release="1.37.amzn1" version="4.11.0"><filename>Packages/nspr-debuginfo-4.11.0-1.37.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="2.2.50.amzn1" version="3.21.0"><filename>Packages/nss-util-debuginfo-3.21.0-2.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util" release="2.2.50.amzn1" version="3.21.0"><filename>Packages/nss-util-3.21.0-2.2.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="2.2.50.amzn1" version="3.21.0"><filename>Packages/nss-util-devel-3.21.0-2.2.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="2.2.50.amzn1" version="3.21.0"><filename>Packages/nss-util-devel-3.21.0-2.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="2.2.50.amzn1" version="3.21.0"><filename>Packages/nss-util-debuginfo-3.21.0-2.2.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="2.2.50.amzn1" version="3.21.0"><filename>Packages/nss-util-3.21.0-2.2.50.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-debuginfo" release="14.2.38.amzn1" 
version="3.16.2.3"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl-devel" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-devel" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-devel-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-debuginfo" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-devel" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-devel-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl-devel" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl" release="14.2.38.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-pkcs11-devel-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-sysinit-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="nss-tools" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-tools-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-debuginfo-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-devel-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-pkcs11-devel-3.21.0-9.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-tools-3.21.0-9.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-3.21.0-9.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-debuginfo-3.21.0-9.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-sysinit-3.21.0-9.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="9.76.amzn1" version="3.21.0"><filename>Packages/nss-devel-3.21.0-9.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-703</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-703: medium priority package update for kernel</title><issued date="2016-05-18 14:00" /><updated date="2016-05-18 14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4581:
1333712:
CVE-2016-4581 
kernel: Slave being first propagated copy causes oops in propagate_mnt 8694 8695 CVE-2016-4565: 8696 1310570: 8697 CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko 8698 8699 CVE-2016-4558: 8700 1334303: 8701 CVE-2016-4558 kernel: bpf: refcnt overflow 8702 8703 CVE-2016-4557: 8704 1334307: 8705 CVE-2016-4557 kernel: Use after free vulnerability via double fdput 8706 8707 CVE-2016-4486: 8708 1333316: 8709 CVE-2016-4486 kernel: Information leak in rtnetlink 8710 8711 CVE-2016-4485: 8712 1333309: 8713 CVE-2016-4485 kernel: Information leak in llc module 8714 8715 CVE-2016-3961: 8716 Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area. 8717 1323956: 8718 CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174) 8719 8720 CVE-2016-0758: 8721 1300257: 8722 CVE-2016-0758 kernel: tags with indefinite length can corrupt pointers in asn1_find_indefinite_length() 8723 A flaw was found in the way the Linux kernel&#039;s ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system. 8724 8725 CVE-2015-8839: 8726 Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user&#039;s file after unsynchronized hole punching and page-fault handling. 8727 1323577: 8728 CVE-2015-8839 kernel: ext4 filesystem page fault race condition with fallocate call. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4557" id="CVE-2016-4557" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3961" id="CVE-2016-3961" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4581" id="CVE-2016-4581" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4486" id="CVE-2016-4486" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4485" id="CVE-2016-4485" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4558" id="CVE-2016-4558" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4565" id="CVE-2016-4565" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0758" id="CVE-2016-0758" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8839" id="CVE-2015-8839" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-tools-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="22.54.amzn1" version="4.4.10"><filename>Packages/perf-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-tools-debuginfo-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="22.54.amzn1" version="4.4.10"><filename>Packages/perf-debuginfo-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="22.54.amzn1"
version="4.4.10"><filename>Packages/kernel-devel-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-headers-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-debuginfo-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-tools-devel-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="22.54.amzn1" version="4.4.10"><filename>Packages/perf-debuginfo-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-headers-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-tools-debuginfo-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="22.54.amzn1" version="4.4.10"><filename>Packages/perf-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="22.54.amzn1" 
version="4.4.10"><filename>Packages/kernel-debuginfo-common-i686-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-devel-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-tools-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-tools-devel-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-debuginfo-4.4.10-22.54.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="22.54.amzn1" version="4.4.10"><filename>Packages/kernel-doc-4.4.10-22.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-704</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-704: low priority package update for kernel</title><issued date="2016-06-02 17:36" /><updated date="2016-06-03 19:27" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4913:
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \\0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
1337528:
CVE-2016-4913 kernel: Information leak when handling NM entries containing NUL
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4913" id="CVE-2016-4913" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-tools-debuginfo-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-tools-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="23.53.amzn1" version="4.4.11"><filename>Packages/perf-debuginfo-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-headers-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="23.53.amzn1" version="4.4.11"><filename>Packages/perf-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-devel-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-debuginfo-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="kernel-tools-devel" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-tools-devel-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="23.53.amzn1" version="4.4.11"><filename>Packages/perf-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-tools-devel-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-devel-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-tools-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-tools-debuginfo-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="23.53.amzn1" version="4.4.11"><filename>Packages/perf-debuginfo-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-headers-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-debuginfo-common-i686-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="23.53.amzn1" version="4.4.11"><filename>Packages/kernel-debuginfo-4.4.11-23.53.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="23.53.amzn1" 
version="4.4.11"><filename>Packages/kernel-doc-4.4.11-23.53.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-705</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-705: medium priority package update for jq</title><issued date="2016-06-02 17:38" /><updated date="2016-06-03 19:28" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8863:
A heap-based buffer overflow flaw was found in jq&#039;s tokenadd() function. By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim&#039;s system.
1328747:
CVE-2015-8863 jq: heap-buffer-overflow in tokenadd() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863" id="CVE-2015-8863" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="jq" release="1.2.amzn1" version="1.5"><filename>Packages/jq-1.5-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jq-devel" release="1.2.amzn1" version="1.5"><filename>Packages/jq-devel-1.5-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jq-debuginfo" release="1.2.amzn1" version="1.5"><filename>Packages/jq-debuginfo-1.5-1.2.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jq-libs" release="1.2.amzn1" version="1.5"><filename>Packages/jq-libs-1.5-1.2.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="jq-libs" release="1.2.amzn1" version="1.5"><filename>Packages/jq-libs-1.5-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jq" release="1.2.amzn1"
version="1.5"><filename>Packages/jq-1.5-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jq-devel" release="1.2.amzn1" version="1.5"><filename>Packages/jq-devel-1.5-1.2.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jq-debuginfo" release="1.2.amzn1" version="1.5"><filename>Packages/jq-debuginfo-1.5-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-706</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-706: medium priority package update for php56</title><issued date="2016-06-02 17:44" /><updated date="2016-06-15 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5096:
1339949:
CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread

CVE-2016-5095:


CVE-2016-5094:
1340738:
CVE-2016-5094 php: Integer overflow in php_html_entities()

CVE-2016-5093:
1339590:
CVE-2016-5093 php: Out-of-bounds heap read in get_icu_value_internal

CVE-2013-7456:
1340433:
CVE-2013-7456 gd, php: Out-of-bounds read in imagescale
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7456" id="CVE-2013-7456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093" id="CVE-2016-5093" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096" id="CVE-2016-5096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094" id="CVE-2016-5094" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5095" id="CVE-2016-5095" title="" type="cve" /></references><pkglist><collection
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-mssql" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mssql-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-fpm-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-process-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-xml-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-pdo-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-gd-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-pspell-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-debuginfo-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-common-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-imap-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" 
release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-gmp-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-cli-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-embedded-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mysqlnd-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mbstring-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-ldap-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-dba-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-bcmath-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-xmlrpc-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mcrypt-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-devel-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.125.amzn1" 
version="5.6.22"><filename>Packages/php56-soap-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-opcache-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-dbg-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-enchant-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-snmp-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-pgsql-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-tidy-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-recode-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-odbc-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-intl-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-process-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-dba-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-cli" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-cli-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mbstring-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-debuginfo-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-gd-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mssql-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-opcache-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-devel-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-soap-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-xml-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-pdo-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-enchant-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.125.amzn1" 
version="5.6.22"><filename>Packages/php56-recode-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-pspell-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-dbg-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-intl-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-odbc-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-pgsql-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-tidy-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-gmp-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-bcmath-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-xmlrpc-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-fpm-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.125.amzn1" 
version="5.6.22"><filename>Packages/php56-mcrypt-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-imap-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-ldap-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-embedded-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-mysqlnd-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-common-5.6.22-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.125.amzn1" version="5.6.22"><filename>Packages/php56-snmp-5.6.22-1.125.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-707</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-707: medium priority package update for php55</title><issued date="2016-06-02 17:47" /><updated date="2016-06-15 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5096:
1339949:
CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread

CVE-2016-5095:


CVE-2016-5094:
1340738:
CVE-2016-5094 php: Integer overflow in php_html_entities()

CVE-2016-5093:
1339590:
CVE-2016-5093 php: Out-of-bounds heap read in get_icu_value_internal

CVE-2016-4343:
1332454:
CVE-2016-4343 php: Uninitialized pointer in phar_make_dirstream()
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2013-7456:
1340433:
CVE-2013-7456 gd, php: Out-of-bounds read in imagescale
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093" id="CVE-2016-5093" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096" id="CVE-2016-5096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4343" id="CVE-2016-4343" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094" id="CVE-2016-5094" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5095" id="CVE-2016-5095" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7456" id="CVE-2013-7456" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-xmlrpc-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-pgsql-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-imap-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.115.amzn1"
version="5.5.36"><filename>Packages/php55-gmp-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-ldap-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-gd-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-odbc" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-odbc-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-pdo-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mcrypt-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-recode-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-pspell-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-process-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mssql-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-dba-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-devel-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-mbstring" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mbstring-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-snmp-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-xml-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-opcache-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-enchant-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-bcmath-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-debuginfo-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-fpm-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-soap-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-embedded-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.115.amzn1" 
version="5.5.36"><filename>Packages/php55-mysqlnd-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-cli-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-intl-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-tidy-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-common-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-cli-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-debuginfo-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-bcmath-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mcrypt-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-pdo-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-gd-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-xml-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php55-xmlrpc" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-xmlrpc-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-snmp-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-soap-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-pgsql-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-dba-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-tidy-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-opcache-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-fpm-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mbstring-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-pspell-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mssql-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php55-enchant" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-enchant-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-ldap-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-recode-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-devel-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-intl-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-mysqlnd-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-imap-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-embedded-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-odbc" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-odbc-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-process-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.115.amzn1" version="5.5.36"><filename>Packages/php55-common-5.5.36-1.115.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.115.amzn1" 
version="5.5.36"><filename>Packages/php55-gmp-5.5.36-1.115.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-708</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-708: medium priority package update for ntp</title><issued date="2016-06-02 18:06" /><updated date="2016-06-03 19:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2518:
1331468:
CVE-2016-2518 ntp: out-of-bounds references on crafted packet
An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash.

CVE-2016-2516:
1331466:
CVE-2016-2516 ntp: assertion failure in ntpd on duplicate IPs on unconfig directives

CVE-2016-1550:
A flaw was found in the way NTP&#039;s libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest.
1331464:
CVE-2016-1550 ntp: libntp message digest disclosure

CVE-2016-1548:
It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client.
1331462:
CVE-2016-1548 ntp: ntpd switching to interleaved mode with spoofed packets
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548" id="CVE-2016-1548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518" id="CVE-2016-2518" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550" id="CVE-2016-1550" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516" id="CVE-2016-2516" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ntp-doc" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-40.30.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-40.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-40.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-40.30.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-40.30.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-40.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="40.30.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-40.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="40.30.amzn1" 
version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-40.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-709</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-709: medium priority package update for subversion</title><issued date="2016-06-02 18:08" /><updated date="2016-06-03 19:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2168:
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.
1331683:
CVE-2016-2168 subversion: DoS in mod_authz_svn during COPY/MOVE authorization check

CVE-2016-2167:
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
1331686:
CVE-2016-2167 subversion: svnserve/sasl may authenticate users using the wrong realm
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2167" id="CVE-2016-2167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2168" id="CVE-2016-2168" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="subversion-python27" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-python27-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-ruby-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-tools-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-debuginfo-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-perl-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-javahl-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-devel-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="2.54.amzn1" 
version="1.9.4"><filename>Packages/subversion-libs-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python26" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-python26-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_dav_svn" release="2.54.amzn1" version="1.9.4"><filename>Packages/mod24_dav_svn-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-perl-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-javahl-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-devel-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python26" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-python26-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-tools-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-ruby-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-debuginfo-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_dav_svn" release="2.54.amzn1" 
version="1.9.4"><filename>Packages/mod24_dav_svn-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python27" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-python27-1.9.4-2.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="2.54.amzn1" version="1.9.4"><filename>Packages/subversion-libs-1.9.4-2.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-710</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-710: medium priority package update for mod_dav_svn</title><issued date="2016-06-02 18:09" /><updated date="2016-06-03 19:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2168:
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.
1331683:
CVE-2016-2168 subversion: DoS in mod_authz_svn during COPY/MOVE authorization check

CVE-2016-2167:
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
1331686:
CVE-2016-2167 subversion: svnserve/sasl may authenticate users using the wrong realm
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2167" id="CVE-2016-2167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2168" id="CVE-2016-2168" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_dav_svn" release="2.52.amzn1" version="1.9.4"><filename>Packages/mod_dav_svn-1.9.4-2.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn-debuginfo" release="2.52.amzn1" version="1.9.4"><filename>Packages/mod_dav_svn-debuginfo-1.9.4-2.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn-debuginfo" release="2.52.amzn1" version="1.9.4"><filename>Packages/mod_dav_svn-debuginfo-1.9.4-2.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="2.52.amzn1" version="1.9.4"><filename>Packages/mod_dav_svn-1.9.4-2.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-711</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-711: medium priority package update for cacti</title><issued date="2016-06-02 18:14" /><updated date="2016-06-03 20:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3659:
SQL injection vulnerability in graph_view.php
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3659" id="CVE-2016-3659" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" 
release="1.13.amzn1" version="0.8.8h"><filename>Packages/cacti-0.8.8h-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-712</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-712: medium priority package update for libksba</title><issued date="2016-06-02 18:19" /><updated date="2016-06-03 19:56" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4579:
1335396:
CVE-2016-4579 libksba: Out-of-bounds read in _ksba_ber_parse_tl

CVE-2016-4574:
1334831:
CVE-2016-4574 libksba: Incomplete fix for CVE-2016-4356
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4574" id="CVE-2016-4574" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4579" id="CVE-2016-4579" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libksba-devel" release="1.8.amzn1" version="1.3.4"><filename>Packages/libksba-devel-1.3.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libksba-debuginfo" release="1.8.amzn1" version="1.3.4"><filename>Packages/libksba-debuginfo-1.3.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libksba" release="1.8.amzn1" version="1.3.4"><filename>Packages/libksba-1.3.4-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libksba" release="1.8.amzn1" version="1.3.4"><filename>Packages/libksba-1.3.4-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libksba-devel" release="1.8.amzn1" version="1.3.4"><filename>Packages/libksba-devel-1.3.4-1.8.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="libksba-debuginfo" release="1.8.amzn1" version="1.3.4"><filename>Packages/libksba-debuginfo-1.3.4-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-713</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-713: medium priority package update for squid</title><issued date="2016-06-15 13:30" /><updated date="2016-06-15 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4556:
* An incorrect reference counting flaw was found in the way Squid processes ESI responses. If Squid is configured as reverse-proxy, for TLS/HTTPS interception, an attacker controlling a server accessed by Squid, could crash the squid worker, causing a Denial of Service attack.

CVE-2016-4554:
* An input validation flaw was found in Squid's mime_get_header_field() function, which is used to search for headers within HTTP requests. An attacker could send an HTTP request from the client side with specially crafted header Host header that bypasses same-origin security protections, causing Squid operating as interception or reverse-proxy to contact the wrong origin server. It could also be used for cache poisoning for client not following RFC 7230.

CVE-2016-4054:
* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.

CVE-2016-4053:
* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. 
If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.

CVE-2016-4052:
* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.

CVE-2016-4051:
* A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554" id="CVE-2016-4554" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556" id="CVE-2016-4556" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4054" id="CVE-2016-4054" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051" id="CVE-2016-4051" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4053" id="CVE-2016-4053" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4052" id="CVE-2016-4052" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:1138.html" id="RHSA-2016:1138" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid-debuginfo" release="16.21.amzn1" 
version="3.1.23"><filename>Packages/squid-debuginfo-3.1.23-16.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid" release="16.21.amzn1" version="3.1.23"><filename>Packages/squid-3.1.23-16.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="16.21.amzn1" version="3.1.23"><filename>Packages/squid-debuginfo-3.1.23-16.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="16.21.amzn1" version="3.1.23"><filename>Packages/squid-3.1.23-16.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-714</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-714: low priority package update for mod24_nss</title><issued date="2016-06-15 13:30" /><updated date="2016-06-15 13:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3099:
1319052:
CVE-2016-3099 mod_nss: Invalid handling of +CIPHER operator
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3099" id="CVE-2016-3099" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_nss-debuginfo" release="4.22.amzn1" version="1.0.12"><filename>Packages/mod24_nss-debuginfo-1.0.12-4.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_nss" release="4.22.amzn1" version="1.0.12"><filename>Packages/mod24_nss-1.0.12-4.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_nss" release="4.22.amzn1" version="1.0.12"><filename>Packages/mod24_nss-1.0.12-4.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_nss-debuginfo" release="4.22.amzn1" 
version="1.0.12"><filename>Packages/mod24_nss-debuginfo-1.0.12-4.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-715</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-715: medium priority package update for nginx</title><issued date="2016-06-15 13:30" /><updated date="2016-06-15 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4450:
1341462:
CVE-2016-4450 nginx: NULL pointer dereference while writing client request body
A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450" id="CVE-2016-4450" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx" release="3.27.amzn1" version="1.8.1"><filename>Packages/nginx-1.8.1-3.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="3.27.amzn1" version="1.8.1"><filename>Packages/nginx-debuginfo-1.8.1-3.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="3.27.amzn1" version="1.8.1"><filename>Packages/nginx-debuginfo-1.8.1-3.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="3.27.amzn1" version="1.8.1"><filename>Packages/nginx-1.8.1-3.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2016-716</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-716: important priority package update for ImageMagick</title><issued date="2016-06-22 15:00" /><updated date="2016-06-22 15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5240:
1333417:
CVE-2016-5240 ImageMagick: SVG converting issue resulting in DoS

CVE-2016-5239:
1334188:
CVE-2016-5239 ImageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing command injection
It was discovered that ImageMagick did not properly sanitize certain input before passing it to the gnuplot delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.

CVE-2016-5118:
1340814:
CVE-2016-5118 ImageMagick: Remote code execution via filename
It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.

CVE-2015-8898:
1344264:
CVE-2015-8898 ImageMagick: Prevent NULL pointer access in magick/constitute.c

CVE-2015-8897:
1344271:
CVE-2015-8897 ImageMagick: Crash due to out of bounds error in SpliceImage

CVE-2015-8896:
1269562:
CVE-2015-8896 ImageMagick: Integer truncation vulnerability in coders/pict.c

CVE-2015-8895:
1269553:
CVE-2015-8895 ImageMagick: Integer and buffer overflow in coders/icon.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8897" id="CVE-2015-8897" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8898" id="CVE-2015-8898" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5239" id="CVE-2016-5239" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8895" id="CVE-2015-8895" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8896" id="CVE-2015-8896" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5240" id="CVE-2016-5240" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118" id="CVE-2016-5118" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ImageMagick-perl" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-perl-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-debuginfo" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++-devel" release="15.21.amzn1" 
version="6.7.8.9"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-doc" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-doc-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-devel" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-devel-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick-c++" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ImageMagick" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-doc" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-doc-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-debuginfo" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-perl" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-perl-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++-devel" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-c++" release="15.21.amzn1" version="6.7.8.9"><filename>Packages/ImageMagick-c++-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ImageMagick-devel" release="15.21.amzn1" 
version="6.7.8.9"><filename>Packages/ImageMagick-devel-6.7.8.9-15.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-717</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-717: important priority package update for GraphicsMagick</title><issued date="2016-06-22 15:00" /><updated date="2016-06-22 15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5241:


CVE-2016-5118:
1340814:
CVE-2016-5118 ImageMagick: Remote code execution via filename
It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.

CVE-2016-2318:


CVE-2016-2317:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2318" id="CVE-2016-2318" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2317" id="CVE-2016-2317" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5241" id="CVE-2016-5241" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118" id="CVE-2016-5118" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-debuginfo-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-doc-1.3.24-1.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-devel-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-c++-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-perl-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-c++-devel-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-1.3.24-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-c++-devel-1.3.24-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-devel-1.3.24-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-debuginfo-1.3.24-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-perl-1.3.24-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="1.8.amzn1" version="1.3.24"><filename>Packages/GraphicsMagick-c++-1.3.24-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-718</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-718: medium priority package update for kernel</title><issued date="2016-06-24 22:21" /><updated date="2017-01-19 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9806:
1401502:
CVE-2016-9806 kernel: netlink: double-free in netlink_dump
A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact.

CVE-2016-4998:
An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root, however some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments.
1349886:
CVE-2016-4998 kernel: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt

CVE-2016-4997:
A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.
1349722:
CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt

CVE-2016-4951:
A vulnerability was found in the Linux kernel. The pointer to the netlink socket attribute is not checked, which could cause a null pointer dereference when parsing the nested attributes in function tipc_nl_publ_dump(). This allows local users to cause a DoS.
1338625:
CVE-2016-4951 kernel: Null pointer dereference in tipc_nl_publ_dump
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4951" id="CVE-2016-4951" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4997" id="CVE-2016-4997" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4998" id="CVE-2016-4998" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9806" id="CVE-2016-9806" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="24.50.amzn1" version="4.4.14"><filename>Packages/perf-debuginfo-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-tools-debuginfo-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-tools-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-headers-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-devel-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="24.50.amzn1" version="4.4.14"><filename>Packages/perf-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="24.50.amzn1"
version="4.4.14"><filename>Packages/kernel-tools-devel-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-debuginfo-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="24.50.amzn1" version="4.4.14"><filename>Packages/perf-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-devel-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-tools-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="24.50.amzn1" version="4.4.14"><filename>Packages/perf-debuginfo-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-headers-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-debuginfo-common-i686-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-debuginfo-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="24.50.amzn1" 
version="4.4.14"><filename>Packages/kernel-tools-debuginfo-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-tools-devel-4.4.14-24.50.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="24.50.amzn1" version="4.4.14"><filename>Packages/kernel-doc-4.4.14-24.50.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-719</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-719: important priority package update for libxml2</title><issued date="2016-07-14 16:30" /><updated date="2016-07-14 16:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4449:
1338701:
CVE-2016-4449 libxml2: Inappropriate fetch of entities content
XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.

CVE-2016-4448:
Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
1338700:
CVE-2016-4448 libxml2: Format string vulnerability

CVE-2016-4447:
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
1338686:
CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName

CVE-2016-3705:
Missing incrementation of recursion depth counter were found in the xmlParserEntityCheck() and xmlParseAttValueComplex() functions used for parsing XML data. An attacker could launch a Denial of Service attack by passing specially crafted XML data to an application, forcing it to crash due to stack exhaustion.
1332443:
CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file

CVE-2016-3627:
Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing application using the library to crash by stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could launch a Denial of Service on the application.
1319829:
CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode

CVE-2016-1840:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839.
1338706:
CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup

CVE-2016-1839:
1338703:
CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840.

CVE-2016-1838:
1338705:
CVE-2016-1838 libxml2: Heap-based buffer overread in xmlPArserPrintFileContextInternal
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840.

CVE-2016-1837:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338696:
CVE-2016-1837 libxml2: Heap use-after-free in htmlPArsePubidLiteral and htmlParseSystemiteral

CVE-2016-1836:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338702:
CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey

CVE-2016-1835:
libxml2, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
1338691:
CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs

CVE-2016-1834:
1338708:
CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.

CVE-2016-1833:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338682:
CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar

CVE-2016-1762:
libxml2 in Apple iOS before 9.3, OS X before 10.11.4, Safari before 9.1, tvOS before 9.2, and watchOS before 2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
1338711:
CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448" id="CVE-2016-4448" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449" id="CVE-2016-4449" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835" id="CVE-2016-1835" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3705" id="CVE-2016-3705" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447" id="CVE-2016-4447" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834" id="CVE-2016-1834" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840" id="CVE-2016-1840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836" id="CVE-2016-1836" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837" id="CVE-2016-1837" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627" id="CVE-2016-3627" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833" id="CVE-2016-1833" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838" id="CVE-2016-1838" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839" id="CVE-2016-1839" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762" id="CVE-2016-1762" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2-static" release="6.3.49.amzn1"
version="2.9.1"><filename>Packages/libxml2-static-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python26" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-python26-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python27" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-python27-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python27" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-python27-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python26" release="6.3.49.amzn1" version="2.9.1"><filename>Packages/libxml2-python26-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="6.3.49.amzn1" 
version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-6.3.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-720</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-720: medium priority package update for wget</title><issued date="2016-07-14 16:30" /><updated date="2016-07-14 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4971:
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
1343666:
CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971" id="CVE-2016-4971" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wget" release="1.18.amzn1" version="1.18"><filename>Packages/wget-1.18-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wget-debuginfo" release="1.18.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wget-debuginfo" release="1.18.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wget" release="1.18.amzn1" version="1.18"><filename>Packages/wget-1.18-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-721</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-721: important priority package update for varnish</title><issued date="2016-07-14 16:30" /><updated date="2016-07-14 16:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8852:
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \\r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
1328361:
CVE-2015-8852 varnish: http smuggling issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8852" id="CVE-2015-8852" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="varnish-libs-devel" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-libs-devel-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish-libs" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-libs-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish-docs" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-docs-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="varnish-debuginfo" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-debuginfo-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="varnish-debuginfo" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-debuginfo-3.0.7-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish-libs" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-libs-3.0.7-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-3.0.7-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish-libs-devel" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-libs-devel-3.0.7-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="varnish-docs" release="1.20.amzn1" version="3.0.7"><filename>Packages/varnish-docs-3.0.7-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-722</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-722: medium priority package update for tomcat6 tomcat7 tomcat8</title><issued date="2016-07-20 18:00" /><updated date="2016-07-20 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5388:
1353809:
CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" id="CVE-2016-5388" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-lib-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-servlet-2.5-api-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.5.amzn1"
version="6.0.45"><filename>Packages/tomcat6-admin-webapps-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-webapps-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-docs-webapp-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-jsp-2.1-api-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-el-2.1-api-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.5.amzn1" version="6.0.45"><filename>Packages/tomcat6-javadoc-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-el-2.2-api-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-admin-webapps-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-log4j-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-lib-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.17.amzn1" 
version="7.0.69"><filename>Packages/tomcat7-javadoc-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-webapps-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-docs-webapp-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-servlet-3.0-api-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.17.amzn1" version="7.0.69"><filename>Packages/tomcat7-jsp-2.2-api-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-jsp-2.3-api-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-javadoc-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-admin-webapps-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-lib-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-servlet-3.1-api-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" 
release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-el-3.0-api-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-webapps-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-docs-webapp-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-log4j-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.61.amzn1" version="8.0.35"><filename>Packages/tomcat8-8.0.35-1.61.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-723</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-723: critical priority package update for java-1.8.0-openjdk</title><issued date="2016-07-20 18:00" /><updated date="2016-07-20 18:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3610:
1356994:
CVE-2016-3610 OpenJDK: insufficient value count check in MethodHandles.filterReturnValue() (Libraries, 8158571)

CVE-2016-3606:
1356963:
CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981)

CVE-2016-3598:
1356971:
CVE-2016-3598 OpenJDK: incorrect handling of MethodHandles.dropArguments() argument (Libraries, 8155985)

CVE-2016-3587:
1356987:
CVE-2016-3587 OpenJDK: insufficient protection of MethodHandle.invokeBasic() (Hotspot, 8154475)

CVE-2016-3550:
1357506:
CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479)

CVE-2016-3508:
1357015:
CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962)

CVE-2016-3500:
1357008:
CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)

CVE-2016-3458:
1357494:
CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3587" id="CVE-2016-3587" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458" id="CVE-2016-3458" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508" id="CVE-2016-3508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3598" id="CVE-2016-3598" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550" id="CVE-2016-3550" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606" id="CVE-2016-3606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3610" id="CVE-2016-3610" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500" id="CVE-2016-3500" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.101-3.b13.24.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="3.b13.24.amzn1"
version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="1" name="java-1.8.0-openjdk" release="3.b13.24.amzn1" version="1.8.0.101"><filename>Packages/java-1.8.0-openjdk-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-724</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-724: medium priority package update for python26 python27 python34</title><issued date="2016-07-20 18:00" /><updated date="2016-07-20 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5699:
It was found that Python&#039;s httplib library (used urllib, urllib2 and others) did not properly check HTTP header input in HTTPConnection.putheader(). An attacker could use this flow to inject additional headers in a Python application that allows user provided header name or values.
1303699:
CVE-2016-5699 python: http protocol steam injection attack

CVE-2016-5636:
1345856:
CVE-2016-5636 python: Heap overflow in zipimporter module
A vulnerability was discovered in Python, in the built-in zipimporter. A specially crafted zip file placed in a module path such that it would be loaded by a later &quot;import&quot; statement could cause a heap overflow, leading to arbitrary code execution.

CVE-2016-0772:
It was found that Python&#039;s smtplib library did not return an exception if StartTLS fails to establish correctly in the SMTP.starttls() function. An attacker with ability to launch an active man in the middle attack could strip out the STARTTLS command without generating an exception on the python SMTP client application, preventing the establishment of the TLS layer.
1303647:
CVE-2016-0772 python: smtplib StartTLS stripping attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699" id="CVE-2016-5699" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636" id="CVE-2016-5636" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772" id="CVE-2016-0772" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python26-libs" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-tools" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-devel" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-2.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-tools" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-2.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="2.86.amzn1"
version="2.6.9"><filename>Packages/python26-test-2.6.9-2.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-2.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-debuginfo" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-2.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-devel" release="2.86.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-2.86.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-devel-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-test-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-tools-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-debuginfo-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-libs-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-devel-2.7.10-4.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="4.122.amzn1" 
version="2.7.10"><filename>Packages/python27-test-2.7.10-4.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-tools-2.7.10-4.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-debuginfo-2.7.10-4.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-2.7.10-4.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="4.122.amzn1" version="2.7.10"><filename>Packages/python27-libs-2.7.10-4.122.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-debuginfo-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-devel-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-tools-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-test-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-libs-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.32.amzn1" 
version="3.4.3"><filename>Packages/python34-tools-3.4.3-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-test-3.4.3-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-3.4.3-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-devel-3.4.3-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-debuginfo-3.4.3-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.32.amzn1" version="3.4.3"><filename>Packages/python34-libs-3.4.3-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-725</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-725: important priority package update for httpd24 httpd</title><issued date="2016-07-20 18:00" /><updated date="2016-07-20 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5387:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
1353755:
CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387" id="CVE-2016-5387" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd24" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_proxy_html-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_ssl-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-tools-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_session-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-devel-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-debuginfo-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_ldap-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-manual-2.4.23-1.65.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.65.amzn1"
version="2.4.23"><filename>Packages/mod24_session-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-devel-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-debuginfo-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.65.amzn1" version="2.4.23"><filename>Packages/httpd24-tools-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_proxy_html-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_ssl-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.65.amzn1" version="2.4.23"><filename>Packages/mod24_ldap-2.4.23-1.65.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-devel-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.8.amzn1" version="2.2.31"><filename>Packages/mod_ssl-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-manual-2.2.31-1.8.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" 
release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-tools-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-debuginfo-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-debuginfo-2.2.31-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-tools-2.2.31-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-2.2.31-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.8.amzn1" version="2.2.31"><filename>Packages/mod_ssl-2.2.31-1.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.8.amzn1" version="2.2.31"><filename>Packages/httpd-devel-2.2.31-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-726</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-726: medium priority package update for kernel</title><issued date="2016-08-01 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5696:
net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.
1354708:
CVE-2016-5696 kernel: challenge ACK counter information disclosure.

CVE-2016-5244:
1343337:
CVE-2016-5244 kernel: Information leak in rds_inc_info_copy
A vulnerability was found in the Linux kernel in function rds_inc_info_copy of file net/rds/recv.c. The last field &quot;flags&quot; of object &quot;minfo&quot; is not initialized. This can leak data previously at the flags location to userspace.

CVE-2016-5243:
1343335:
CVE-2016-5243 kernel: Information leak in tipc_nl_compat_link_dump
A leak of information was possible when issuing a netlink command of the stack memory area leading up to this function call. An attacker could use this to determine stack information for use in a later exploit.

CVE-2016-4470:
A flaw was found in the Linux kernel&#039;s keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to arbitrary free address which could allow attacker to use a use-after-free style attack.
1341716:
CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path

CVE-2016-1237:
1350845:
CVE-2016-1237 kernel: Missing check for permissions when setting ACL
It was found that nfsd is missing permissions check when setting ACL on files, this may allow a local users to gain access to any file by setting a crafted ACL.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5244" id="CVE-2016-5244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5243" id="CVE-2016-5243" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1237" id="CVE-2016-1237" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696" id="CVE-2016-5696" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4470" id="CVE-2016-4470" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-headers-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-tools-devel-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-devel-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-tools-debuginfo-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="25.57.amzn1" version="4.4.15"><filename>Packages/perf-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-tools-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel-debuginfo" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-debuginfo-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="25.57.amzn1" version="4.4.15"><filename>Packages/perf-debuginfo-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="25.57.amzn1" version="4.4.15"><filename>Packages/perf-debuginfo-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-tools-devel-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-debuginfo-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="25.57.amzn1" version="4.4.15"><filename>Packages/perf-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-debuginfo-common-i686-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-headers-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-tools-debuginfo-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="25.57.amzn1" 
version="4.4.15"><filename>Packages/kernel-tools-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-devel-4.4.15-25.57.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="25.57.amzn1" version="4.4.15"><filename>Packages/kernel-doc-4.4.15-25.57.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-727</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-727: medium priority package update for ntp</title><issued date="2016-08-01 13:30" /><updated date="2017-01-04 14:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4956:
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.
1340860:
CVE-2016-4956 ntp: broadcast interleave (incomplete fix for CVE-2016-1548)

CVE-2016-4955:
ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
1340858:
CVE-2016-4955 ntp: autokey association reset

CVE-2016-4954:
The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
1302225:
CVE-2016-4954 ntp: partial processing of spoofed packets

CVE-2015-8139:
1300654:
CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139" id="CVE-2015-8139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954" id="CVE-2016-4954" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955" id="CVE-2016-4955" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956" id="CVE-2016-4956" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntp" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-41.32.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-41.32.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-41.32.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-41.32.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-41.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-41.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-41.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="ntp-debuginfo" release="41.32.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-41.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-728</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-728: medium priority package update for php55 php56</title><issued date="2016-08-01 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5773:
1351179:
CVE-2016-5773 php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize

CVE-2016-5772:
1351175:
CVE-2016-5772 php: Double Free Corruption in wddx_deserialize

CVE-2016-5771:
1351173:
CVE-2016-5771 php: Use After Free Vulnerability in PHP's GC algorithm and unserialize

CVE-2016-5770:
1351171:
CVE-2016-5770 php: Int/size_t confusion in SplFileObject::fread
A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit a specially crafted input to a PHP application, which uses this function, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.

CVE-2016-5769:
1351070:
CVE-2016-5769 php: Integer Overflows in mcrypt_generic() and mdecrypt_generic() resulting in heap overflows

CVE-2016-5768:
1351168:
CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec
A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash.

CVE-2016-5767:
An integer overflow, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP&#039;s gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer.
1351069:
CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow

CVE-2016-5766:
An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP&#039;s gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image.
1351068:
CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow

CVE-2016-5385:
1353794:
CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header
It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP CGI script to an attacker-controlled proxy via a malicious HTTP request.

CVE-2015-8874:
Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.
1336772:
CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5773" id="CVE-2016-5773" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766" id="CVE-2016-5766" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5771" id="CVE-2016-5771" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5767" id="CVE-2016-5767" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5768" id="CVE-2016-5768" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5769" id="CVE-2016-5769" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5770" id="CVE-2016-5770" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8874" id="CVE-2015-8874" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385" id="CVE-2016-5385" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5772" id="CVE-2016-5772" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php55-odbc" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-odbc-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mysqlnd" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mysqlnd-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-cli" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-cli-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-soap" release="1.116.amzn1"
version="5.5.38"><filename>Packages/php55-soap-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mssql" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mssql-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pgsql" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-pgsql-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gmp" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-gmp-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xmlrpc" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-xmlrpc-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-mcrypt" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mcrypt-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-opcache" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-opcache-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-ldap" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-ldap-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-enchant" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-enchant-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-process" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-process-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-fpm" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-fpm-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php55-mbstring" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mbstring-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-tidy" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-tidy-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-xml" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-xml-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-devel" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-devel-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pdo" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-pdo-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-intl" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-intl-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-dba" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-dba-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-gd" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-gd-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-recode" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-recode-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-imap" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-imap-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-debuginfo" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-debuginfo-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-snmp" release="1.116.amzn1" 
version="5.5.38"><filename>Packages/php55-snmp-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-common" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-common-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pspell" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-pspell-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-bcmath" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-bcmath-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-embedded" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-embedded-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-mbstring" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mbstring-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-tidy" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-tidy-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-cli" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-cli-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xmlrpc" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-xmlrpc-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pdo" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-pdo-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-debuginfo" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-debuginfo-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-opcache" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-opcache-5.5.38-1.116.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php55-odbc" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-odbc-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-recode" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-recode-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-enchant" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-enchant-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-dba" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-dba-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-fpm" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-fpm-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-embedded" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-embedded-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gmp" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-gmp-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-soap" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-soap-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mcrypt" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mcrypt-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pgsql" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-pgsql-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-imap" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-imap-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pspell" release="1.116.amzn1" 
version="5.5.38"><filename>Packages/php55-pspell-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-snmp" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-snmp-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-ldap" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-ldap-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-xml" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-xml-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-devel" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-devel-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-bcmath" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-bcmath-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mysqlnd" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mysqlnd-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-common" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-common-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-process" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-process-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-mssql" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-mssql-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-gd" release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-gd-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-intl" 
release="1.116.amzn1" version="5.5.38"><filename>Packages/php55-intl-5.5.38-1.116.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-ldap-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-gmp-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-odbc-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-common-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-xml-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mbstring-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-intl-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-opcache-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-snmp-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mssql-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.126.amzn1" 
version="5.6.24"><filename>Packages/php56-xmlrpc-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-embedded-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-pdo-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-pgsql-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-soap-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-bcmath-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-cli-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-tidy-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-recode-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-debuginfo-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-pspell-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-imap" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-imap-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mcrypt-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-dba-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-dbg-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-process-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-fpm-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-enchant-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-gd-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mysqlnd-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-devel-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.126.amzn1" 
version="5.6.24"><filename>Packages/php56-embedded-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-intl-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-cli-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-gd-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-soap-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-fpm-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-tidy-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-snmp-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-enchant-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mbstring-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-debuginfo-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-gmp-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" 
release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-dbg-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mssql-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-bcmath-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-pspell-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-opcache-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-ldap-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-common-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-imap-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-process-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-recode-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-pgsql-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-devel-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-mcrypt" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mcrypt-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-xmlrpc-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-odbc-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-pdo-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-xml-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-dba-5.6.24-1.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.126.amzn1" version="5.6.24"><filename>Packages/php56-mysqlnd-5.6.24-1.126.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-729</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-729: important priority package update for java-1.7.0-openjdk</title><issued date="2016-08-01 13:30" /><updated date="2016-08-01 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3610:
Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3598.
1356994:
CVE-2016-3610 OpenJDK: insufficient value count check in MethodHandles.filterReturnValue() (Libraries, 8158571)

CVE-2016-3606:
Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot.
1356963:
CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981)

CVE-2016-3598:
1356971:
CVE-2016-3598 OpenJDK: incorrect handling of MethodHandles.dropArguments() argument (Libraries, 8155985)
Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3610.

CVE-2016-3550:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot.
1357506:
CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479)

CVE-2016-3508:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500.
1357015:
CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962)

CVE-2016-3500:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508.
1357008:
CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)

CVE-2016-3458:
1357494:
CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550" id="CVE-2016-3550" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606" id="CVE-2016-3606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458" id="CVE-2016-3458" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508" id="CVE-2016-3508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3610" id="CVE-2016-3610" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3598" id="CVE-2016-3598" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500" id="CVE-2016-3500" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.7.2.68.amzn1"
version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.111-2.6.7.2.68.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.7.2.68.amzn1" version="1.7.0.111"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2016-730</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-730: medium priority package update for curl</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5421:
1362199:
CVE-2016-5421 curl: Use of connection struct after free
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.

CVE-2016-5420:
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
1362190:
CVE-2016-5420 curl: Re-using connection with wrong client cert

CVE-2016-5419:
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
1362183:
CVE-2016-5419 curl: TLS session resumption client cert bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421" id="CVE-2016-5421" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420" id="CVE-2016-5420" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419" id="CVE-2016-5419" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl-debuginfo" release="8.59.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="8.59.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="8.59.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="8.59.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="8.59.amzn1" version="7.40.0"><filename>Packages/libcurl-7.40.0-8.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="8.59.amzn1" version="7.40.0"><filename>Packages/curl-debuginfo-7.40.0-8.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="8.59.amzn1" version="7.40.0"><filename>Packages/libcurl-devel-7.40.0-8.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="8.59.amzn1" version="7.40.0"><filename>Packages/curl-7.40.0-8.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final"
type="security" version="1.4"><id>ALAS-2016-731</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-731: medium priority package update for golang</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5386:
1353798:
CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request header
An input-validation flaw was discovered in the Go programming language built in CGI implementation, which set the environment variable &quot;HTTP_PROXY&quot; using the incoming &quot;Proxy&quot; HTTP-request header. The environment variable &quot;HTTP_PROXY&quot; is used by numerous web clients, including Go&#039;s net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5386" id="CVE-2016-5386" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-docs" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-docs-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-src-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-1.5.3-1.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-tests-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-misc-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-bin" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-bin-1.5.3-1.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-bin-1.5.3-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.22.amzn1" version="1.5.3"><filename>Packages/golang-1.5.3-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-732</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-732: medium priority package update for samba</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the
following vulnerabilities:
CVE-2016-2119:
1351955:
CVE-2016-2119 samba: Client side SMB2/3 required signing can be downgraded
A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2119" id="CVE-2016-2119" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ctdb-tests" release="7.34.amzn1" version="4.2.10"><filename>Packages/ctdb-tests-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-common-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-client-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-debuginfo-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/libwbclient-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-client-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-devel" release="7.34.amzn1"
version="4.2.10"><filename>Packages/samba-test-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/ctdb-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-modules-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-python-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-test-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-test-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-krb5-locator-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-pidl-4.2.10-7.34.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="7.34.amzn1" 
version="4.2.10"><filename>Packages/libsmbclient-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-common-tools-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-clients-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/libsmbclient-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient" release="7.34.amzn1" version="4.2.10"><filename>Packages/libwbclient-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="7.34.amzn1" version="4.2.10"><filename>Packages/ctdb-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-common-4.2.10-7.34.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-test-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-krb5-locator-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-common-tools-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="7.34.amzn1" 
version="4.2.10"><filename>Packages/samba-winbind-clients-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-test-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-winbind-modules-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-python-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/libsmbclient-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/ctdb-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/libwbclient-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="7.34.amzn1" version="4.2.10"><filename>Packages/libsmbclient-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="7.34.amzn1" version="4.2.10"><filename>Packages/ctdb-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="samba-common-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-common-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-devel" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-test-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-debuginfo-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="7.34.amzn1" version="4.2.10"><filename>Packages/libwbclient-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-client-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="7.34.amzn1" version="4.2.10"><filename>Packages/ctdb-tests-4.2.10-7.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client-libs" release="7.34.amzn1" version="4.2.10"><filename>Packages/samba-client-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-733</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-733: important priority package update for libtiff</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5320:
1346687:
CVE-2016-5320 libtiff: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c

CVE-2016-3991:
1326249:
CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function

CVE-2016-3990:
1326246:
CVE-2016-3990 libtiff: out-of-bounds write in
horizontalDifference8()

CVE-2016-3945:
1325093:
CVE-2016-3945 libtiff: out-of-bounds write in the tiff2rgba tool

CVE-2016-3632:
1325095:
CVE-2016-3632 libtiff: out-of-bounds write in _TIFFVGetField function

CVE-2015-8784:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1301652:
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()

CVE-2015-8783:
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.

CVE-2015-8782:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion

CVE-2015-8781:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion

CVE-2015-8683:
1294427:
CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.

CVE-2015-8668:
1294425:
CVE-2015-8668 libtiff: OOB read in bmp2tiff
Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.

CVE-2015-8665:
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.
1294444:
CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c

CVE-2015-7554:
1294417:
CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.

CVE-2015-1547:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1190709:
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode

CVE-2014-9655:
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
1190703:
CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode

CVE-2014-9330:
1177893:
CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
A flaw was discovered in the bmp2tiff utility.
By tricking a user into processing a specially crafted file, a remote attacker could exploit this flaw to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.

CVE-2014-8130:
1185817:
CVE-2014-8130 libtiff: divide by zero in the tiffdither tool

CVE-2014-8129:
1185815:
CVE-2014-8129 libtiff: out-of-bounds read/write with malformed TIFF image in tiff2pdf

CVE-2014-8127:
1185805:
CVE-2014-8127 libtiff: out-of-bounds read with malformed TIFF image in multiple tools
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991" id="CVE-2016-3991" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554" id="CVE-2015-7554" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990" id="CVE-2016-3990" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3632" id="CVE-2016-3632" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8130" id="CVE-2014-8130" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8781" id="CVE-2015-8781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8782" id="CVE-2015-8782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8783" id="CVE-2015-8783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127" id="CVE-2014-8127" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547" id="CVE-2015-1547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683" id="CVE-2015-8683" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8784" id="CVE-2015-8784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655" id="CVE-2014-9655" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945" id="CVE-2016-3945" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5320" id="CVE-2016-5320" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665" id="CVE-2015-8665" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8129" id="CVE-2014-8129" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9330" id="CVE-2014-9330" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8668" id="CVE-2015-8668" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtiff-devel" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-static" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-25.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="25.27.amzn1" 
version="4.0.3"><filename>Packages/libtiff-4.0.3-25.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-25.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="25.27.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-25.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-734</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-734: important priority package update for compat-libtiff3</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5320:
1346687:
CVE-2016-5320 libtiff: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c

CVE-2016-3990:
1326246:
CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8()

CVE-2015-8784:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1301652:
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()

CVE-2015-8783:
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.

CVE-2015-8782:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion

CVE-2015-8781:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion

CVE-2015-8683:
1294427:
CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.

CVE-2015-8665:
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.
1294444:
CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c

CVE-2015-1547:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1190709:
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode

CVE-2014-9655:
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
1190703:
CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655" id="CVE-2014-9655" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5320" id="CVE-2016-5320" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990" id="CVE-2016-3990" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8784" id="CVE-2015-8784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665" id="CVE-2015-8665" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8781" id="CVE-2015-8781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8782" id="CVE-2015-8782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8783" id="CVE-2015-8783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547" id="CVE-2015-1547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683" id="CVE-2015-8683" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="compat-libtiff3" release="18.14.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-3.9.4-18.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="compat-libtiff3-debuginfo" release="18.14.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-18.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="compat-libtiff3" release="18.14.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-3.9.4-18.14.amzn1.i686.rpm</filename></package><package arch="i686"
epoch="0" name="compat-libtiff3-debuginfo" release="18.14.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-18.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-735</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-735: medium priority package update for squid</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5408:
1359203:
CVE-2016-5408 squid: Buffer overflow vulnerability in cachemgr.cgi tool
It was found that the fix for CVE-2016-4051 released via RHSA-2016:1138 did not properly prevent the stack overflow in the munge_other_line() function. A remote attacker could send specially crafted data to the Squid proxy, which would exploit the cachemgr CGI utility, possibly triggering execution of arbitrary code.

CVE-2016-4051:
A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code.
1329126:
CVE-2016-4051 squid: buffer overflow in cachemgr.cgi
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051" id="CVE-2016-4051" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5408" id="CVE-2016-5408" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid-debuginfo" release="16.22.amzn1" version="3.1.23"><filename>Packages/squid-debuginfo-3.1.23-16.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid" release="16.22.amzn1" version="3.1.23"><filename>Packages/squid-3.1.23-16.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="16.22.amzn1" version="3.1.23"><filename>Packages/squid-3.1.23-16.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="16.22.amzn1" version="3.1.23"><filename>Packages/squid-debuginfo-3.1.23-16.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-736</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-736: medium priority package update for tomcat7 tomcat8</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3092:
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
1349468:
CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092" id="CVE-2016-3092" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-servlet-3.0-api-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-docs-webapp-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-log4j-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-jsp-2.2-api-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-javadoc-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-admin-webapps-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-el-2.2-api-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-webapps-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-lib-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package
arch="noarch" epoch="0" name="tomcat7" release="1.18.amzn1" version="7.0.70"><filename>Packages/tomcat7-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-lib-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-el-3.0-api-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-jsp-2.3-api-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-webapps-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-docs-webapp-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-log4j-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-javadoc-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-servlet-3.1-api-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.62.amzn1" version="8.0.36"><filename>Packages/tomcat8-admin-webapps-8.0.36-1.62.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-737</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-737: important priority package update for mysql56</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5440:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR.
1358218:
CVE-2016-5440 mysql: unspecified vulnerability in subcomponent: Server: RBR (CPU July 2016)

CVE-2016-5439:
1358216:
CVE-2016-5439 mysql: unspecified vulnerability in subcomponent: Server: Privileges (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Privileges.

CVE-2016-3615:
1358212:
CVE-2016-3615 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.

CVE-2016-3614:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption.
1358211:
CVE-2016-3614 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU July 2016)

CVE-2016-3521:
1358209:
CVE-2016-3521 mysql: unspecified vulnerability in subcomponent: Server: Types (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.

CVE-2016-3501:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
1358207:
CVE-2016-3501 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU July 2016)

CVE-2016-3486:
1358206:
CVE-2016-3486 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: FTS.

CVE-2016-3477:
1358205:
CVE-2016-3477 mysql: unspecified vulnerability in subcomponent: Server: Parser (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser.

CVE-2016-3459:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier and MariaDB 10.0.x before 10.0.25 and 10.1.x before 10.1.14 allows remote administrators to affect availability via vectors related to Server: InnoDB.
1358202:
CVE-2016-3459 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU July 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5440" id="CVE-2016-5440" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3459" id="CVE-2016-3459" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5439" id="CVE-2016-5439" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3477" id="CVE-2016-3477" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3614" id="CVE-2016-3614" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3615" id="CVE-2016-3615" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3521" id="CVE-2016-3521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3486" id="CVE-2016-3486" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3501" id="CVE-2016-3501" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-test" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-test-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-libs-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-devel-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="mysql56-embedded" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-embedded-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-errmsg-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-server-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-embedded-devel-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-bench-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-common-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-debuginfo-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-common-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-test-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-devel-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-libs-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.16.amzn1" 
version="5.6.32"><filename>Packages/mysql56-server-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-embedded-devel-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-errmsg-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-debuginfo-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-embedded-5.6.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.16.amzn1" version="5.6.32"><filename>Packages/mysql56-bench-5.6.32-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-738</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-738: important priority package update for mysql55</title><issued date="2016-08-17 13:30" /><updated date="2016-08-17 13:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5444:
1358223:
CVE-2016-5444 mysql: unspecified vulnerability in subcomponent: Server: Connection (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Connection.

CVE-2016-5440:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR.
1358218:
CVE-2016-5440 mysql: unspecified vulnerability in subcomponent: Server: RBR (CPU July 2016)

CVE-2016-3615:
1358212:
CVE-2016-3615 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.

CVE-2016-3521:
1358209:
CVE-2016-3521 mysql: unspecified vulnerability in subcomponent: Server: Types (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.

CVE-2016-3477:
1358205:
CVE-2016-3477 mysql: unspecified vulnerability in subcomponent: Server: Parser (CPU July 2016)
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser.

CVE-2016-3452:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption.
1358201:
CVE-2016-3452 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU July 2016)

CVE-2016-2047:
The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject&#039;s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a &quot;/CN=&quot; string in a field in a certificate, as demonstrated by &quot;/OU=/CN=bar.com/CN=foo.com.&quot;
1301874:
CVE-2016-2047 mysql: ssl-validate-cert incorrect hostname check
It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client.

CVE-2016-0666:
1329270:
CVE-2016-0666 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to Security: Privileges.

CVE-2016-0651:
1329254:
CVE-2016-0651 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer.

CVE-2016-0650:
1329253:
CVE-2016-0650 mysql: unspecified vulnerability in subcomponent: Server: Replication (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication.

CVE-2016-0649:
1329252:
CVE-2016-0649 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to PS.

CVE-2016-0648:
1329251:
CVE-2016-0648 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to PS.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to PS.

CVE-2016-0647:
1329249:
CVE-2016-0647 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to FTS.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to FTS.

CVE-2016-0646:
1329248:
CVE-2016-0646 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DML.

CVE-2016-0644:
1329247:
CVE-2016-0644 mysql: unspecified vulnerability in subcomponent: Server: DDL (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DDL.

CVE-2016-0643:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect confidentiality via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect confidentiality via vectors related to DML.
1329245:
CVE-2016-0643 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)

CVE-2016-0642:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
1329243:
CVE-2016-0642 mysql: unspecified vulnerability in subcomponent: Server: Federated (CPU April 2016)

CVE-2016-0641:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM.
1329241:
CVE-2016-0641 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU April 2016)

CVE-2016-0640:
1329239:
CVE-2016-0640 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML.

CVE-2016-0616:
1301510:
CVE-2016-0616 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2016-0609:
1301507:
CVE-2016-0609 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges.

CVE-2016-0608:
1301506:
CVE-2016-0608 mysql: unspecified vulnerability in subcomponent: Server: UDF (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF.

CVE-2016-0606:
1301504:
CVE-2016-0606 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption.

CVE-2016-0600:
1301501:
CVE-2016-0600 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.

CVE-2016-0598:
1301498:
CVE-2016-0598 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-0597:
1301497:
CVE-2016-0597 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.

CVE-2016-0596:
1301496:
CVE-2016-0596 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.

CVE-2016-0546:
1301493:
CVE-2016-0546 mysql: unspecified vulnerability in subcomponent: Client (CPU January 2016)
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that these are multiple buffer overflows in the mysqlshow tool that allow remote database servers to have unspecified impact via a long table or database name.
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client.

CVE-2016-0505:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.
1301492:
CVE-2016-0505 mysql: unspecified vulnerability in subcomponent: Server: Options (CPU January 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0608" id="CVE-2016-0608" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0609" id="CVE-2016-0609" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0505" id="CVE-2016-0505" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0600" id="CVE-2016-0600" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0616" id="CVE-2016-0616" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3452" id="CVE-2016-3452" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0644" id="CVE-2016-0644" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3477" id="CVE-2016-3477" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0596" id="CVE-2016-0596" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0597" id="CVE-2016-0597" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0640" 
id="CVE-2016-0640" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3521" id="CVE-2016-3521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0642" id="CVE-2016-0642" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0643" id="CVE-2016-0643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0666" id="CVE-2016-0666" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0651" id="CVE-2016-0651" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0650" id="CVE-2016-0650" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0598" id="CVE-2016-0598" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0649" id="CVE-2016-0649" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2047" id="CVE-2016-2047" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5440" id="CVE-2016-5440" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5444" id="CVE-2016-5444" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0606" id="CVE-2016-0606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0648" id="CVE-2016-0648" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0646" id="CVE-2016-0646" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0546" id="CVE-2016-0546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0647" id="CVE-2016-0647" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3615" id="CVE-2016-3615" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0641" id="CVE-2016-0641" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql-config" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql-config-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-bench-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-debuginfo-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-libs-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-server-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-embedded-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-embedded-devel-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-devel-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-test-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.11.amzn1" 
version="5.5.51"><filename>Packages/mysql55-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-libs-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-debuginfo-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-bench-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-embedded-devel-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-test-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-devel-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-server-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql-config-5.5.51-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.11.amzn1" version="5.5.51"><filename>Packages/mysql55-embedded-5.5.51-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-739</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2016-739: medium priority package update for collectd</title><issued date="2016-09-01 18:00" /><updated date="2016-09-01 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6254:
1360709:
CVE-2016-6254 collectd: heap overflow in the network plugin
Heap-based buffer overflow in the parse_packet function in network.c in collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted network packet.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6254" id="CVE-2016-6254" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="collectd-web" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-web-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-postgresql" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-postgresql-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-gmond" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-gmond-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-mysql" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-mysql-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-snmp" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-snmp-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-rrdcached" release="1.11.amzn1" 
version="5.4.1"><filename>Packages/collectd-rrdcached-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-varnish" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-varnish-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-notify_email" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-notify_email-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-apache" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-apache-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-generic-jmx" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-generic-jmx-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-lvm" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-lvm-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-rrdtool" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-rrdtool-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-memcachec" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-memcachec-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-netlink" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-netlink-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-java" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-java-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-ipvs" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-ipvs-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-ipmi" release="1.11.amzn1" 
version="5.4.1"><filename>Packages/collectd-ipmi-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-bind" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-bind-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-debuginfo" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-debuginfo-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-email" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-email-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-dbi" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-dbi-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-curl_xml" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-curl_xml-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-nginx" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-nginx-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-curl" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-curl-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-dns" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-dns-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Collectd" release="1.11.amzn1" version="5.4.1"><filename>Packages/perl-Collectd-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-iptables" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-iptables-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-amqp" release="1.11.amzn1" 
version="5.4.1"><filename>Packages/collectd-amqp-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="collectd-gmond" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-gmond-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-java" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-java-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-lvm" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-lvm-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-bind" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-bind-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-ipvs" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-ipvs-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-rrdcached" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-rrdcached-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-generic-jmx" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-generic-jmx-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-amqp" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-amqp-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-memcachec" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-memcachec-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-postgresql" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-postgresql-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-web" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-web-5.4.1-1.11.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="collectd-dbi" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-dbi-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-email" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-email-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-mysql" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-mysql-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-rrdtool" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-rrdtool-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-curl_xml" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-curl_xml-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-nginx" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-nginx-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-snmp" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-snmp-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Collectd" release="1.11.amzn1" version="5.4.1"><filename>Packages/perl-Collectd-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-curl" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-curl-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-notify_email" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-notify_email-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-debuginfo" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-debuginfo-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-ipmi" release="1.11.amzn1" 
version="5.4.1"><filename>Packages/collectd-ipmi-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-iptables" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-iptables-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-dns" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-dns-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-varnish" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-varnish-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-apache" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-apache-5.4.1-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-netlink" release="1.11.amzn1" version="5.4.1"><filename>Packages/collectd-netlink-5.4.1-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-740</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-740: medium priority package update for kernel</title><issued date="2016-09-01 18:00" /><updated date="2016-09-01 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9561 CVE-2016-6828: 9562 1367091: 9563 CVE-2016-6828 kernel: Use after free in tcp_xmit_retransmit_queue 9564 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6828" id="CVE-2016-6828" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" 
release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-debuginfo-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="29.55.amzn1" version="4.4.19"><filename>Packages/perf-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="29.55.amzn1" version="4.4.19"><filename>Packages/perf-debuginfo-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-tools-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-tools-devel-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-tools-debuginfo-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-devel-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-headers-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-devel-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="29.55.amzn1" 
version="4.4.19"><filename>Packages/kernel-headers-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-debuginfo-common-i686-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-tools-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-tools-debuginfo-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-debuginfo-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-tools-devel-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="29.55.amzn1" version="4.4.19"><filename>Packages/perf-debuginfo-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="29.55.amzn1" version="4.4.19"><filename>Packages/perf-4.4.19-29.55.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="29.55.amzn1" version="4.4.19"><filename>Packages/kernel-doc-4.4.19-29.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-741</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-741: medium priority package update for python34 python27 python26</title><issued date="2016-09-01 
18:00" /><updated date="2016-09-01 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9565 CVE-2016-1000110: 9566 1357334: 9567 CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header 9568 It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request. 9569 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110" id="CVE-2016-1000110" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-debuginfo" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-debuginfo-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-libs-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-tools-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-devel-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-test-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" 
release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-libs-2.7.12-2.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-test-2.7.12-2.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-2.7.12-2.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-devel-2.7.12-2.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-tools-2.7.12-2.120.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="2.120.amzn1" version="2.7.12"><filename>Packages/python27-debuginfo-2.7.12-2.120.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-libs" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-tools" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-debuginfo" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-test" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-devel" release="2.88.amzn1" 
version="2.6.9"><filename>Packages/python26-devel-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-test" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-test-2.6.9-2.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-libs" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-libs-2.6.9-2.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-debuginfo" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-debuginfo-2.6.9-2.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-devel" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-devel-2.6.9-2.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-tools" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-tools-2.6.9-2.88.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26" release="2.88.amzn1" version="2.6.9"><filename>Packages/python26-2.6.9-2.88.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-tools-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-libs-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-debuginfo-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-devel-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-test-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="python34" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-devel-3.4.3-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-debuginfo-3.4.3-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-test-3.4.3-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-libs-3.4.3-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-tools-3.4.3-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.33.amzn1" version="3.4.3"><filename>Packages/python34-3.4.3-1.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-742</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-742: low priority package update for curl</title><issued date="2016-09-27 10:30" /><updated date="2016-09-27 10:30" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9570 CVE-2016-7167: 9571 1375906: 9572 CVE-2016-7167 curl: escape and unescape integer overflows 9573 9574 CVE-2016-7141: 9575 1373229: 9576 CVE-2016-7141 curl: Incorrect reuse of client certificates 9577 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7141" id="CVE-2016-7141" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167" id="CVE-2016-7167" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl-debuginfo" release="8.65.amzn1" version="7.47.1"><filename>Packages/curl-debuginfo-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="8.65.amzn1" version="7.47.1"><filename>Packages/libcurl-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="8.65.amzn1" version="7.47.1"><filename>Packages/libcurl-devel-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="8.65.amzn1" version="7.47.1"><filename>Packages/curl-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="8.65.amzn1" version="7.47.1"><filename>Packages/libcurl-devel-7.47.1-8.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="8.65.amzn1" version="7.47.1"><filename>Packages/curl-7.47.1-8.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="8.65.amzn1" version="7.47.1"><filename>Packages/libcurl-7.47.1-8.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="8.65.amzn1" version="7.47.1"><filename>Packages/curl-debuginfo-7.47.1-8.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-743</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-743: important priority package update for libarchive</title><issued date="2016-09-27 10:30" /><updated date="2016-09-27 10:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 
CVE-2016-7166:
1347086:
CVE-2016-7166 libarchive: Denial of service using a crafted gzip file
A vulnerability was found in libarchive. A specially crafted gzip file can cause libarchive to allocate memory without limit, eventually leading to a crash.

CVE-2016-6250:
A vulnerability was found in libarchive. An attempt to create an ISO9660 volume with 2GB or 4GB filenames could cause the application to crash.
1347085:
CVE-2016-6250 libarchive: Buffer overflow when writing large iso9660 containers

CVE-2016-5844:
Undefined behavior (signed integer overflow) was discovered in libarchive, in the ISO parser. A crafted file could potentially cause denial of service.
1350280:
CVE-2016-5844 libarchive: undefined behaviour (integer overflow) in iso parser

CVE-2016-5418:
A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive&#039;s file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive.
1362601:
CVE-2016-5418 libarchive: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite

CVE-2016-4809:
A vulnerability was found in libarchive. A specially crafted cpio archive containing a symbolic link to a ridiculously large target path can cause memory allocation to fail, resulting in any attempt to view or extract the archive crashing.
1347084:
CVE-2016-4809 libarchive: Memory allocate error with symbolic links in cpio archives

CVE-2016-4302:
1348444:
CVE-2016-4302 libarchive: Heap buffer overflow in the Rar decompression functionality
A vulnerability was found in libarchive&#039;s handling of RAR archives. A specially crafted RAR file can cause a heap overflow, potentially leading to code execution in the context of the application.

CVE-2016-4300:
A vulnerability was found in libarchive&#039;s handling of 7zip data. A specially crafted 7zip file can cause a integer overflow resulting in memory corruption that can lead to code execution.
1348439:
CVE-2016-4300 libarchive: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo

CVE-2016-1541:
1334211:
CVE-2016-1541 libarchive: zip_read_mac_metadata() heap-based buffer overflow
A vulnerability was found in libarchive. A specially crafted zip file can provide an incorrect compressed size, which may allow an attacker to place arbitrary code on the heap and execute it in the context of the application.

CVE-2015-8934:
1349229:
CVE-2015-8934 libarchive: out of bounds heap read in RAR parser
A vulnerability was found in libarchive. A specially crafted RAR file could cause the application to read memory beyond the end of the decompression buffer.

CVE-2015-8932:
1348780:
CVE-2015-8932 libarchive: Undefined behavior / invalid shiftleft in TAR parser
Undefined behavior (invalid left shift) was discovered in libarchive, in how Compress streams are identified. This could cause certain files to be mistakenly identified as Compress archives and fail to read.

CVE-2015-8931:
1348779:
CVE-2015-8931 libarchive: Undefined behavior (signed integer overflow) in mtree parser
Undefined behavior (signed integer overflow) was discovered in libarchive, in the MTREE parser&#039;s calculation of maximum and minimum dates. A crafted mtree file could potentially cause denial of service.

CVE-2015-8930:
1349204:
CVE-2015-8930 libarchive: Endless loop in ISO parser
A vulnerability was found in libarchive. A specially crafted ISO file could cause the application to consume resources until it hit a memory limit, leading to a crash or denial of service.

CVE-2015-8928:
1348429:
CVE-2015-8928 libarchive: Heap out of bounds read in mtree parser
A vulnerability was found in libarchive. A specially crafted MTREE file could cause a limited out-of-bounds read, potentially disclosing contents of application memory.

CVE-2015-8926:
1348424:
CVE-2015-8926 libarchive: NULL pointer access in RAR parser
A vulnerability was found in libarchive. A specially crafted RAR file could cause the application to disclose a 128k block of memory from an uncontrolled location.

CVE-2015-8925:
1348423:
CVE-2015-8925 libarchive: Unclear invalid memory read in mtree parser
A vulnerability was found in libarchive. A specially crafted MTREE file could cause a small out-of-bounds read, potentially disclosing a small amount of application memory.

CVE-2015-8924:
1348421:
CVE-2015-8924 libarchive: Heap out of bounds read in TAR parser
A vulnerability was found in libarchive. A specially crafted TAR file could trigger an out-of-bounds read, potentially causing the application to disclose a small amount of application memory.

CVE-2015-8923:
1348773:
CVE-2015-8923 libarchive: Unclear crashes in ZIP parser
A vulnerability was found in libarchive. A specially crafted ZIP file could cause a few bytes of application memory in a 256-byte region to be disclosed.

CVE-2015-8922:
1348419:
CVE-2015-8922 libarchive: NULL pointer access in 7z parser
A vulnerability was found in libarchive. A specially crafted 7Z file could trigger a NULL pointer dereference, causing the application to crash.

CVE-2015-8921:
1348772:
CVE-2015-8921 libarchive: Global out of bounds read in mtree parser
A vulnerability was found in libarchive. A specially crafted mtree file could cause libarchive to read beyond a statically declared structure, potentially disclosing application memory.

CVE-2015-8920:
A vulnerability was found in libarchive. A specially crafted AR archive could cause the application to read a single byte of application memory, potentially disclosing it to the attacker.
1348416:
CVE-2015-8920 libarchive: Stack out of bounds read in ar parser

CVE-2015-8919:
A vulnerability was found in libarchive. A specially crafted LZA/LZH file could cause a small out-of-bounds read, potentially disclosing a few bytes of application memory.
1348414:
CVE-2015-8919 libarchive: Heap out of bounds read in LHA/LZH parser

CVE-2015-8917:
A vulnerability was found in libarchive. A specially crafted CAB file could cause the application dereference a NULL pointer, leading to a crash.
1348413:
CVE-2015-8917 libarchive: NULL pointer access in CAB parser

CVE-2015-8916:
1348412:
CVE-2015-8916 libarchive: NULL pointer access in RAR parser through bsdtar
A vulnerability was found in libarchive. A specially crafted RAR file could cause the application dereference a NULL pointer, leading to a crash.
9692 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8928" id="CVE-2015-8928" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934" id="CVE-2015-8934" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302" id="CVE-2016-4302" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8920" id="CVE-2015-8920" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8921" id="CVE-2015-8921" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8922" id="CVE-2015-8922" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8923" id="CVE-2015-8923" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8924" id="CVE-2015-8924" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8925" id="CVE-2015-8925" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8926" id="CVE-2015-8926" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8932" id="CVE-2015-8932" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8919" id="CVE-2015-8919" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541" id="CVE-2016-1541" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8917" id="CVE-2015-8917" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8916" id="CVE-2015-8916" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300" id="CVE-2016-4300" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8930" id="CVE-2015-8930" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8931" id="CVE-2015-8931" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4809" id="CVE-2016-4809" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5418" id="CVE-2016-5418" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6250" id="CVE-2016-6250" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5844" id="CVE-2016-5844" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7166" id="CVE-2016-7166" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="bsdtar" release="10.11.amzn1" version="3.1.2"><filename>Packages/bsdtar-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libarchive-devel" release="10.11.amzn1" version="3.1.2"><filename>Packages/libarchive-devel-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libarchive" release="10.11.amzn1" version="3.1.2"><filename>Packages/libarchive-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bsdcpio" release="10.11.amzn1" version="3.1.2"><filename>Packages/bsdcpio-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libarchive-debuginfo" release="10.11.amzn1" version="3.1.2"><filename>Packages/libarchive-debuginfo-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libarchive-devel" release="10.11.amzn1" version="3.1.2"><filename>Packages/libarchive-devel-3.1.2-10.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bsdtar" 
release="10.11.amzn1" version="3.1.2"><filename>Packages/bsdtar-3.1.2-10.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libarchive" release="10.11.amzn1" version="3.1.2"><filename>Packages/libarchive-3.1.2-10.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bsdcpio" release="10.11.amzn1" version="3.1.2"><filename>Packages/bsdcpio-3.1.2-10.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libarchive-debuginfo" release="10.11.amzn1" version="3.1.2"><filename>Packages/libarchive-debuginfo-3.1.2-10.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-744</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-744: medium priority package update for libgcrypt gnupg</title><issued date="2016-09-15 19:00" /><updated date="2016-09-15 19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9693 CVE-2016-6313: 9694 1366105: 9695 CVE-2016-6313 libgcrypt: PRNG output is predictable 9696 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313" id="CVE-2016-6313" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libgcrypt-devel" release="12.19.amzn1" version="1.5.3"><filename>Packages/libgcrypt-devel-1.5.3-12.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libgcrypt" release="12.19.amzn1" version="1.5.3"><filename>Packages/libgcrypt-1.5.3-12.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libgcrypt-debuginfo" release="12.19.amzn1" version="1.5.3"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="libgcrypt-devel" release="12.19.amzn1" version="1.5.3"><filename>Packages/libgcrypt-devel-1.5.3-12.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt" release="12.19.amzn1" version="1.5.3"><filename>Packages/libgcrypt-1.5.3-12.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libgcrypt-debuginfo" release="12.19.amzn1" version="1.5.3"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.19.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg-debuginfo" release="1.28.amzn1" version="1.4.19"><filename>Packages/gnupg-debuginfo-1.4.19-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg" release="1.28.amzn1" version="1.4.19"><filename>Packages/gnupg-1.4.19-1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg-debuginfo" release="1.28.amzn1" version="1.4.19"><filename>Packages/gnupg-debuginfo-1.4.19-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg" release="1.28.amzn1" version="1.4.19"><filename>Packages/gnupg-1.4.19-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-745</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-745: medium priority package update for bind</title><issued date="2016-09-15 19:00" /><updated date="2016-09-15 19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9697 CVE-2016-2775: 9698 1357803: 9699 CVE-2016-2775 bind: Too long query name causes segmentation fault in lwresd 9700 It was found that the lightweight resolver could crash due to an error when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. 
A remote attacker could use this flaw to crash lwresd or named when using the &quot;lwres&quot; statement in named.conf. 9701 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775" id="CVE-2016-2775" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-libs" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" 
name="bind-devel" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.37.rc1.47.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-746</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-746: important priority package update for lighttpd</title><issued date="2016-09-15 19:00" /><updated date="2016-09-15 19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9702 CVE-2016-1000212: 9703 It was discovered that lighttpd class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. 
9704 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000212" id="CVE-2016-1000212" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_geoip" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-mod_geoip-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-fastcgi" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-fastcgi-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-debuginfo" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-debuginfo-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-debuginfo" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-debuginfo-1.4.41-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-1.4.41-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_geoip" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-mod_geoip-1.4.41-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.34.amzn1" version="1.4.41"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.41-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-fastcgi" release="1.34.amzn1" 
version="1.4.41"><filename>Packages/lighttpd-fastcgi-1.4.41-1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-747</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-747: medium priority package update for postgresql92 postgresql93 postgresql94</title><issued date="2016-09-15 19:00" /><updated date="2016-09-15 19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9705 CVE-2016-5424: 9706 A flaw was found in the way PostgreSQL client programs handled database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to superuser when a superuser next executes maintenance with a vulnerable client program. 9707 1364002: 9708 CVE-2016-5424 postgresql: privilege escalation via crafted database and role names 9709 9710 CVE-2016-5423: 9711 A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code. 
9712 1364001: 9713 CVE-2016-5423 postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference 9714 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5423" id="CVE-2016-5423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5424" id="CVE-2016-5424" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-libs-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-plperl-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-debuginfo-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-devel-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-docs-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-pltcl-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-contrib-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-plpython27-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql93-server" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-server-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-test-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-plpython26-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-test-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-docs-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-pltcl-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-server-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-plpython26-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-devel-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-plpython27-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql93-debuginfo" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-debuginfo-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-contrib-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-plperl-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-libs-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.62.amzn1" version="9.3.14"><filename>Packages/postgresql93-9.3.14-1.62.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-plpython26-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-plperl-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-pltcl-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-libs-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-test-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="postgresql94-server" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-server-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-debuginfo-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-contrib-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-test-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-libs-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-docs-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-devel-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-plpython27-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-plpython27-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.59.amzn1" 
version="9.2.18"><filename>Packages/postgresql92-docs-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-plperl-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-server-compat-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-debuginfo-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-plpython26-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-contrib-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-devel-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-plperl-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-server-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-test-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-docs-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql94-libs" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-libs-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-plpython27-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-server-compat-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-contrib-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-libs-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-server-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-plpython26-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-debuginfo-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-plpython27-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-debuginfo-9.4.9-1.67.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="postgresql92-test" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-test-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-docs-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-devel-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-plperl-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.67.amzn1" version="9.4.9"><filename>Packages/postgresql94-contrib-9.4.9-1.67.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-server-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-plpython26-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-devel-9.2.18-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.59.amzn1" version="9.2.18"><filename>Packages/postgresql92-pltcl-9.2.18-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-748</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2016-748: important priority package update for java-1.6.0-openjdk</title><issued date="2016-09-15 19:00" /><updated date="2016-09-15 19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3606:
Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot.
1356963:
CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981)

CVE-2016-3550:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot.
1357506:
CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479)

CVE-2016-3508:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500.
1357015:
CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962)

CVE-2016-3500:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508.
1357008:
CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)

CVE-2016-3458:
1357494:
CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA.
9739 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550" id="CVE-2016-3550" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606" id="CVE-2016-3606" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458" id="CVE-2016-3458" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500" id="CVE-2016-3500" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508" id="CVE-2016-3508" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.12.6.75.amzn1" 
version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="1.13.12.6.75.amzn1" version="1.6.0.40"><filename>Packages/java-1.6.0-openjdk-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-749</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-749: important priority package update for openssl</title><issued date="2016-09-22 16:00" /><updated date="2016-09-26 12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 9740 CVE-2016-6304: 9741 It was discovered that if a client continually requests renegotiation, sending an excessively large OCSP 
Status Request extension each time, there will be unbounded memory growth on the server, eventually leading to a denial of service through memory exhaustion.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304" id="CVE-2016-6304" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-static" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="openssl" release="15.95.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-15.95.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-750</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-750: medium priority package update for openvpn</title><issued date="2016-09-27 10:30" /><updated date="2016-09-27 10:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6329:
Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to birthday attack when key renegotiation doesn't happen frequently or at all in long running connections. Blowfish cipher as used in OpenVPN by default is vulnerable to this attack, that allows remote attacker to recover partial plaintext information (XOR of two plaintext blocks).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6329" id="CVE-2016-6329" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openvpn" release="1.16.amzn1" version="2.3.12"><filename>Packages/openvpn-2.3.12-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn-debuginfo" release="1.16.amzn1" version="2.3.12"><filename>Packages/openvpn-debuginfo-2.3.12-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-debuginfo" release="1.16.amzn1" version="2.3.12"><filename>Packages/openvpn-debuginfo-2.3.12-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn" release="1.16.amzn1" version="2.3.12"><filename>Packages/openvpn-2.3.12-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com"
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-751</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-751: important priority package update for bind</title><issued date="2016-09-28 15:45" /><updated date="2016-09-28 15:45" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2776:
1378380:
CVE-2016-2776 bind: assertion failure in buffer.c while building responses to a specifically constructed request
A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776" id="CVE-2016-2776" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-sdb" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo"
release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.37.rc1.48.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-752</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-752: medium priority package update for GraphicsMagick</title><issued date="2016-10-12 17:00" /><updated date="2016-10-12 17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2016-7449:
The TIFF reader had a bug pertaining to use of TIFFGetField() when a 'count' value is returned. The bug caused a heap read overflow (due to using strlcpy() to copy a possibly unterminated string) which could allow an untrusted file to crash the software.

CVE-2016-7448:
The Utah RLE reader did not validate that header information was reasonable given the file size and so it could cause huge memory allocations and/or consume huge amounts of CPU, causing a denial of service.

CVE-2016-7447:
A possible heap overflow was discovered in the EscapeParenthesis() function.

CVE-2016-7446:
Various issues were found in the processing of SVG files in GraphicsMagick.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7447" id="CVE-2016-7447" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7446" id="CVE-2016-7446" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7449" id="CVE-2016-7449" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7448" id="CVE-2016-7448" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-doc-1.3.25-1.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="1.9.amzn1"
version="1.3.25"><filename>Packages/GraphicsMagick-perl-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-devel-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-devel-1.3.25-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-1.3.25-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-1.3.25-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-perl-1.3.25-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="1.9.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-753</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-753: medium 
priority package update for php56</title><issued date="2016-10-12 17:00" /><updated date="2016-10-12 17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7418:
1377352:
CVE-2016-7418 php: Null pointer dereference in php_wddx_push_element
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

CVE-2016-7417:
1377344:
CVE-2016-7417 php: Missing type check when unserializing SplArray
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

CVE-2016-7416:
1377340:
CVE-2016-7416 php: Stack based buffer overflow in msgfmt_format_message
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.

CVE-2016-7414:
1377336:
CVE-2016-7414 php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.

CVE-2016-7413:
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.
1377314:
CVE-2016-7413 php: Use after free in wddx_deserialize

CVE-2016-7412:
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
1377311:
CVE-2016-7412 php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field

CVE-2016-7411:
1377303:
CVE-2016-7411 php: Memory corruption when destructing deserialized object
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418" id="CVE-2016-7418" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414" id="CVE-2016-7414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416" id="CVE-2016-7416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417" id="CVE-2016-7417" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7411" id="CVE-2016-7411" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412" id="CVE-2016-7412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413" id="CVE-2016-7413" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-process" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-process-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-dba-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-odbc-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-intl-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-pgsql-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-recode-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="php56-gmp" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-gmp-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-enchant-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-xml-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-ldap-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-bcmath-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-devel-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mbstring-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-common-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-soap-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-dbg-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.128.amzn1" 
version="5.6.26"><filename>Packages/php56-pspell-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-debuginfo-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-snmp-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-xmlrpc-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mssql-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-cli-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-pdo-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-opcache-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-gd-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-fpm-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mysqlnd-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.128.amzn1" 
version="5.6.26"><filename>Packages/php56-embedded-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-tidy-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-imap-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mcrypt-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-tidy-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-bcmath-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-fpm-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mysqlnd-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-intl-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-cli-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mssql-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-enchant-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-dba" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-dba-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-soap-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-common-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mcrypt-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-gmp-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-process-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-pspell-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-mbstring-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-pgsql-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-debuginfo-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-dbg-5.6.26-1.128.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-imap" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-imap-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-odbc-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-snmp-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-ldap-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-embedded-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-xmlrpc-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-devel-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-pdo-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-gd-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-opcache-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.128.amzn1" version="5.6.26"><filename>Packages/php56-recode-5.6.26-1.128.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.128.amzn1" 
version="5.6.26"><filename>Packages/php56-xml-5.6.26-1.128.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-754</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-754: medium priority package update for php70</title><issued date="2016-10-12 17:00" /><updated date="2016-10-12 17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7418:
1377352:
CVE-2016-7418 php: Null pointer dereference in php_wddx_push_element
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

CVE-2016-7417:
1377344:
CVE-2016-7417 php: Missing type check when unserializing SplArray
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

CVE-2016-7416:
1377340:
CVE-2016-7416 php: Stack based buffer overflow in msgfmt_format_message
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.

CVE-2016-7414:
1377336:
CVE-2016-7414 php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.

CVE-2016-7413:
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.
1377314:
CVE-2016-7413 php: Use after free in wddx_deserialize

CVE-2016-7412:
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
1377311:
CVE-2016-7412 php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418" id="CVE-2016-7418" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414" id="CVE-2016-7414" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416" id="CVE-2016-7416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417" id="CVE-2016-7417" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412" id="CVE-2016-7412" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413" id="CVE-2016-7413" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php70-tidy" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-tidy-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-imap-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pspell-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-mbstring-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-intl-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-dba-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php70-embedded" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-embedded-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-mysqlnd-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-soap-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-zip-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-opcache-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-gmp-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pdo-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-fpm-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-snmp-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-common-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-mcrypt-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.16.amzn1" 
version="7.0.11"><filename>Packages/php70-pgsql-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-enchant-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-recode-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-odbc-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-json-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-cli-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-xmlrpc-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-ldap-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pdo-dblib-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-devel-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-process-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-debuginfo" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-debuginfo-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-dbg-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-bcmath-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-gd-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-xml-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-enchant-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-bcmath-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-process-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-intl-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-gmp-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-soap-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-xml-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php70-mbstring" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-mbstring-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-mcrypt-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-json-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-gd-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-recode-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-snmp-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-imap-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-ldap-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-tidy-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-cli-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-odbc-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-zip-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-common" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-common-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-embedded-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pdo-dblib-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-fpm-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pdo-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-devel-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-mysqlnd-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-dba-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-xmlrpc-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-dbg-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pgsql-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-pspell" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-pspell-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-opcache-7.0.11-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.16.amzn1" version="7.0.11"><filename>Packages/php70-debuginfo-7.0.11-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-755</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-755: medium priority package update for openssl</title><issued date="2016-10-12 17:00" /><updated date="2016-10-12 17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6306:
1377594:
CVE-2016-6306 openssl: certificate message OOB reads
Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.

CVE-2016-6302:
An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets.
1369855:
CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks

CVE-2016-2183:
1369383:
CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol.
A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.

CVE-2016-2182:
1367340:
CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL to process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code.

CVE-2016-2181:
1369113:
CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection
A flaw was found in the Datagram TLS (DTLS) replay protection implementation in OpenSSL. A remote attacker could possibly use this flaw to make a DTLS server using OpenSSL to reject further packets sent from a DTLS client over an established DTLS connection.

CVE-2016-2180:
1359615:
CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio()
An out of bounds read flaw was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp Protocol data for printing. An attacker could possibly cause an application using OpenSSL to crash if it printed time stamp data from the attacker.

CVE-2016-2179:
1369504:
CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer
It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory.

CVE-2016-2178:
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures.
A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system.
1343400:
CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation

CVE-2016-2177:
1341705:
CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179" id="CVE-2016-2179" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178" id="CVE-2016-2178" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302" id="CVE-2016-6302" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181" id="CVE-2016-2181" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306" id="CVE-2016-6306" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183" id="CVE-2016-2183" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182" id="CVE-2016-2182" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177" id="CVE-2016-2177" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180" id="CVE-2016-2180" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static"
release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="15.96.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-15.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-756</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-756: important priority package update for mysql55 mysql56</title><issued date="2016-10-12 17:00" /><updated date="2016-10-12 17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2016-6662:
It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.
1375198:
CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662" id="CVE-2016-6662" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-debuginfo-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-devel-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-embedded-devel-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-libs-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-server-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-bench-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.13.amzn1"
version="5.5.52"><filename>Packages/mysql55-test-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql-config-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-embedded-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-embedded-devel-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-debuginfo-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-embedded-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-devel-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-test-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql-config-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-libs-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.13.amzn1" 
version="5.5.52"><filename>Packages/mysql55-server-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.13.amzn1" version="5.5.52"><filename>Packages/mysql55-bench-5.5.52-1.13.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-devel-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-common-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-embedded-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-embedded-devel-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-errmsg-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-server-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-libs-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-bench-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.21.amzn1" 
version="5.6.33"><filename>Packages/mysql56-debuginfo-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-test-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-embedded-devel-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-server-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-test-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-common-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-debuginfo-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-libs-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-devel-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-embedded-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.21.amzn1" 
version="5.6.33"><filename>Packages/mysql56-bench-5.6.33-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.21.amzn1" version="5.6.33"><filename>Packages/mysql56-errmsg-5.6.33-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-757</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-757: critical priority package update for kernel</title><issued date="2016-10-20 04:11" /><updated date="2016-11-10 18:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5195:

CVE-2016-5195 kernel: remove gup_flags FOLL_WRITE games from __get_user_pages()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195" id="CVE-2016-5195" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-tools-devel-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-tools-debuginfo-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="31.54.amzn1" version="4.4.23"><filename>Packages/perf-debuginfo-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-devel-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel-tools" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-tools-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="31.54.amzn1" version="4.4.23"><filename>Packages/perf-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-debuginfo-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-headers-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-devel-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-tools-debuginfo-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-tools-devel-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-debuginfo-common-i686-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="31.54.amzn1" version="4.4.23"><filename>Packages/perf-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="kernel-debuginfo" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-debuginfo-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="31.54.amzn1" version="4.4.23"><filename>Packages/perf-debuginfo-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-tools-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-headers-4.4.23-31.54.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="31.54.amzn1" version="4.4.23"><filename>Packages/kernel-doc-4.4.23-31.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-758</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-758: important priority package update for bind</title><issued date="2016-10-20 11:32" /><updated date="2016-10-20 20:26" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2848:

CVE-2016-2848 bind:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848" id="CVE-2016-2848" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32"
name="bind-utils" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.37.rc1.49.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.37.rc1.49.amzn1" 
version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-759</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-759: critical priority package update for java-1.8.0-openjdk</title><issued date="2016-10-27 17:00" /><updated date="2016-10-27 17:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5597:
1386103:
CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication.

CVE-2016-5582:
1385402:
CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine&#039;s memory and completely bypass Java sandbox restrictions.

CVE-2016-5573:
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim&#039;s browser send HTTP requests to the JDWP port of the debugged application.
1385544:
CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)

CVE-2016-5554:
1385714:
CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" id="CVE-2016-5542" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5554" id="CVE-2016-5554" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597" id="CVE-2016-5597" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5573" id="CVE-2016-5573" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5582" id="CVE-2016-5582" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1"
name="java-1.8.0-openjdk-src" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.111-1.b15.25.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b15.25.amzn1" 
version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b15.25.amzn1" version="1.8.0.111"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-760</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-760: important priority package update for python-twisted-web</title><issued date="2016-10-27 17:00" /><updated date="2016-10-27 17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1000111:
1357345:
CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000111" id="CVE-2016-1000111" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-twisted-web" release="5.5.amzn1" version="8.2.0"><filename>Packages/python27-twisted-web-8.2.0-5.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python26-twisted-web" release="5.5.amzn1" version="8.2.0"><filename>Packages/python26-twisted-web-8.2.0-5.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-twisted-web" release="5.5.amzn1" version="8.2.0"><filename>Packages/python26-twisted-web-8.2.0-5.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-twisted-web" release="5.5.amzn1" version="8.2.0"><filename>Packages/python27-twisted-web-8.2.0-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-761</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-761: important priority package update for memcached</title><issued date="2016-11-10 18:00" /><updated date="2016-11-10 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8706:
1390512:
CVE-2016-8706 memcached: SASL authentication remote code execution
An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached&#039;s parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.

CVE-2016-8705:
1390511:
CVE-2016-8705 memcached: Server update remote code execution
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.

CVE-2016-8704:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
1390510:
CVE-2016-8704 memcached: Server append/prepend remote code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8705" id="CVE-2016-8705" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8704" id="CVE-2016-8704" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8706" id="CVE-2016-8706" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="memcached" release="9.13.amzn1" version="1.4.15"><filename>Packages/memcached-1.4.15-9.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="memcached-devel" release="9.13.amzn1" version="1.4.15"><filename>Packages/memcached-devel-1.4.15-9.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="memcached-debuginfo" release="9.13.amzn1" version="1.4.15"><filename>Packages/memcached-debuginfo-1.4.15-9.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="memcached" release="9.13.amzn1" version="1.4.15"><filename>Packages/memcached-1.4.15-9.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="memcached-debuginfo" release="9.13.amzn1"
version="1.4.15"><filename>Packages/memcached-debuginfo-1.4.15-9.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="memcached-devel" release="9.13.amzn1" version="1.4.15"><filename>Packages/memcached-devel-1.4.15-9.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-762</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-762: important priority package update for kernel</title><issued date="2016-11-10 18:00" /><updated date="2016-11-10 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8666:
The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.
1384991:
CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash

CVE-2016-7039:
1375944:
CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash
Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could occur while receiving large packets via GRO path, as an unlimited recursion could unfold in both VLAN and TEB modules, leading to a stack corruption in the kernel.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8666" id="CVE-2016-8666" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7039" id="CVE-2016-7039" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-devel-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="32.54.amzn1" version="4.4.30"><filename>Packages/perf-debuginfo-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-tools-devel-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-tools-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-headers-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-tools-debuginfo-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="32.54.amzn1" version="4.4.30"><filename>Packages/perf-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="kernel-debuginfo" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-debuginfo-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-tools-devel-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-debuginfo-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-headers-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-tools-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-devel-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="32.54.amzn1" version="4.4.30"><filename>Packages/perf-debuginfo-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-debuginfo-common-i686-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="32.54.amzn1" version="4.4.30"><filename>Packages/perf-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="32.54.amzn1" version="4.4.30"><filename>Packages/kernel-tools-debuginfo-4.4.30-32.54.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="32.54.amzn1" 
version="4.4.30"><filename>Packages/kernel-doc-4.4.30-32.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-763</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-763: important priority package update for cloud-init</title><issued date="2016-11-10 18:00" /><updated date="2016-11-10 18:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cloud-init" release="2.13.amzn1" version="0.7.6"><filename>Packages/cloud-init-0.7.6-2.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-764</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-764: important priority package update for tomcat6 tomcat7 tomcat8</title><issued date="2016-11-10 18:00" /><updated date="2016-11-10 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6797:
1390493:
CVE-2016-6797 tomcat: unrestricted access to global resources

CVE-2016-6796:
1390515:
CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters

CVE-2016-6794:
1390520:
CVE-2016-6794 tomcat: system property disclosure

CVE-2016-6325:
1367447:
CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.

CVE-2016-5018:
1390525:
CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function

CVE-2016-0762:
1390526:
CVE-2016-0762 tomcat: timing attack in Realm implementation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325" id="CVE-2016-6325" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018" id="CVE-2016-5018" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762" id="CVE-2016-0762" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794" id="CVE-2016-6794" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796" id="CVE-2016-6796" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797" id="CVE-2016-6797" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-webapps-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-servlet-2.5-api-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-jsp-2.1-api-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-javadoc-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-docs-webapp-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch"
epoch="0" name="tomcat6-el-2.1-api" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-el-2.1-api-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-admin-webapps-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.7.amzn1" version="6.0.47"><filename>Packages/tomcat6-lib-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-el-2.2-api-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-admin-webapps-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-log4j-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-javadoc-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-docs-webapp-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-jsp-2.2-api-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" 
release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-lib-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-webapps-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.21.amzn1" version="7.0.72"><filename>Packages/tomcat7-servlet-3.0-api-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-el-3.0-api-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-admin-webapps-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-log4j-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-lib-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-servlet-3.1-api-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-jsp-2.3-api-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-docs-webapp-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" 
release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-webapps-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.65.amzn1" version="8.0.38"><filename>Packages/tomcat8-javadoc-8.0.38-1.65.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-765</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-765: important priority package update for policycoreutils</title><issued date="2016-11-10 18:00" /><updated date="2016-11-10 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7545:
It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent bash, escaping the sandbox.
1378577:
CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7545" id="CVE-2016-7545" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="policycoreutils-python" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-python-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="policycoreutils-restorecond" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-restorecond-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="policycoreutils-debuginfo" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-debuginfo-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="policycoreutils-newrole" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-newrole-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="policycoreutils" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="policycoreutils-debuginfo" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-debuginfo-2.1.12-5.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="policycoreutils-restorecond" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-restorecond-2.1.12-5.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="policycoreutils" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-2.1.12-5.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="policycoreutils-newrole" release="5.25.amzn1"
version="2.1.12"><filename>Packages/policycoreutils-newrole-2.1.12-5.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="policycoreutils-python" release="5.25.amzn1" version="2.1.12"><filename>Packages/policycoreutils-python-2.1.12-5.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-766</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-766: medium priority package update for curl</title><issued date="2016-11-10 18:00" /><updated date="2016-11-10 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8624:
1388390:
CVE-2016-8624 curl: Invalid URL parsing with '#'

CVE-2016-8623:
1388388:
CVE-2016-8623 curl: Use-after-free via shared cookies

CVE-2016-8622:
1388386:
CVE-2016-8622 curl: URL unescape heap overflow via integer truncation

CVE-2016-8621:
1388385:
CVE-2016-8621 curl: curl_getdate out-of-bounds read

CVE-2016-8620:
1388382:
CVE-2016-8620 curl: Glob parser write/read out of bounds

CVE-2016-8619:
1388379:
CVE-2016-8619 curl: Double-free in krb5 code

CVE-2016-8618:
1388378:
CVE-2016-8618 curl: Double-free in curl_maprintf

CVE-2016-8617:
1388377:
CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication

CVE-2016-8616:
1388371:
CVE-2016-8616 curl: Case insensitive password comparison

CVE-2016-8615:
1388370:
CVE-2016-8615 curl: Cookie injection for other servers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617" id="CVE-2016-8617" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616"
id="CVE-2016-8616" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615" id="CVE-2016-8615" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622" id="CVE-2016-8622" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623" id="CVE-2016-8623" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620" id="CVE-2016-8620" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621" id="CVE-2016-8621" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619" id="CVE-2016-8619" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618" id="CVE-2016-8618" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624" id="CVE-2016-8624" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="9.66.amzn1" version="7.47.1"><filename>Packages/curl-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="9.66.amzn1" version="7.47.1"><filename>Packages/libcurl-devel-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="9.66.amzn1" version="7.47.1"><filename>Packages/libcurl-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="9.66.amzn1" version="7.47.1"><filename>Packages/curl-debuginfo-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="9.66.amzn1" version="7.47.1"><filename>Packages/libcurl-7.47.1-9.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="9.66.amzn1" 
version="7.47.1"><filename>Packages/libcurl-devel-7.47.1-9.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="9.66.amzn1" version="7.47.1"><filename>Packages/curl-7.47.1-9.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="9.66.amzn1" version="7.47.1"><filename>Packages/curl-debuginfo-7.47.1-9.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-767</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-767: medium priority package update for php-ZendFramework</title><issued date="2016-11-18 12:30" /><updated date="2016-11-18 12:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10011 CVE-2016-6233: 10012 The implementation of ORDER BY and GROUP BY in Zend_Db_Select was discovered to be vulnerable to SQL injection. 10013 10014 CVE-2016-4861: 10015 The implementation of ORDER BY and GROUP BY in Zend_Db_Select was discovered to be vulnerable to SQL injection. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6233" id="CVE-2016-6233" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4861" id="CVE-2016-4861" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Feed" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Feed-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Services" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Services-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Captcha" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Captcha-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Memcached" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-full" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-full-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Auth-Adapter-Ldap" release="1.12.amzn1" 
version="1.12.20"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Apc" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-extras" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-extras-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Cache-Backend-Libmemcached" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Dojo" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Dojo-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-demos" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-demos-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Pdf" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Pdf-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Soap" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Soap-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Mysqli" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Search-Lucene" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package 
arch="noarch" epoch="0" name="php-ZendFramework-Ldap" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Ldap-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Serializer-Adapter-Igbinary" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mysql" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="php-ZendFramework-Db-Adapter-Pdo-Mssql" release="1.12.amzn1" version="1.12.20"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.20-1.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-768</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-768: important priority package update for bind</title><issued date="2016-11-18 12:30" /><updated date="2016-11-18 12:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8864:
A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
1389652:
CVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864" id="CVE-2016-8864" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" 
release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.47.rc1.51.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-769</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-769: medium priority package update for poppler</title><issued date="2016-11-18 12:30" /><updated date="2016-11-18 12:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8868:
A heap-buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened.
1326225:
CVE-2015-8868 poppler: heap buffer overflow in ExponentialFunction
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8868" id="CVE-2015-8868" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="poppler-debuginfo" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-debuginfo-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-utils" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-utils-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-glib-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-cpp" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-cpp-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib-devel" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-glib-devel-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-devel" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-devel-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-cpp-devel" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-cpp-devel-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp-devel" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-cpp-devel-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib" release="6.16.amzn1" 
version="0.22.5"><filename>Packages/poppler-glib-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-devel" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-devel-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-cpp-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-debuginfo" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-debuginfo-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib-devel" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-glib-devel-0.22.5-6.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-utils" release="6.16.amzn1" version="0.22.5"><filename>Packages/poppler-utils-0.22.5-6.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-770</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-770: medium priority package update for openssh</title><issued date="2016-11-18 12:30" /><updated date="2016-11-18 12:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8325:
It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.
1328012:
CVE-2015-8325 openssh: privilege escalation via user's PAM environment and UseLogin=yes
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325" id="CVE-2015-8325" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="9.31.62.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.31.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-clients-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-debuginfo-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="openssh-keycat" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-keycat-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-ldap-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-server-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="9.31.62.amzn1" version="0.9.3"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.31.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="31.62.amzn1" version="6.6.1p1"><filename>Packages/openssh-6.6.1p1-31.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-771</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-771: important priority package update for java-1.7.0-openjdk</title><issued date="2016-11-18 12:30" /><updated date="2016-11-18 12:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5597:
1386103:
CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication.

CVE-2016-5582:
1385402:
CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine&#039;s memory and completely bypass Java sandbox restrictions.

CVE-2016-5573:
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim&#039;s browser send HTTP requests to the JDWP port of the debugged application.
1385544:
CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)

CVE-2016-5554:
1385714:
CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" id="CVE-2016-5542" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5554" id="CVE-2016-5554" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597" id="CVE-2016-5597" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5573" id="CVE-2016-5573" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5582" id="CVE-2016-5582" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.121-2.6.8.1.69.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.8.1.69.amzn1" 
version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.8.1.69.amzn1" version="1.7.0.121"><filename>Packages/java-1.7.0-openjdk-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-772</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-772: important priority package update for kernel</title><issued date="2016-12-06 23:44" /><updated date="2016-12-07 19:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9084:
The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine.
1389259:
CVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio driver

CVE-2016-9083:
A flaw was discovered in the Linux kernel&#039;s implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution.
1389258:
CVE-2016-9083 kernel: State machine confusion bug in vfio driver leading to memory corruption

CVE-2016-8655:
1400019:
CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free
A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.

CVE-2016-8645:
It was discovered that the Linux kernel since 3.6-rc1 with &#039;net.ipv4.tcp_fastopen&#039; set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash.
1393904:
CVE-2016-8645 kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8645" id="CVE-2016-8645" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655" id="CVE-2016-8655" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083" id="CVE-2016-9083" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9084" id="CVE-2016-9084" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-tools-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="33.55.amzn1" version="4.4.35"><filename>Packages/perf-debuginfo-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-headers-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-tools-devel-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="33.55.amzn1" version="4.4.35"><filename>Packages/perf-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" 
release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-devel-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-debuginfo-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-tools-debuginfo-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-debuginfo-common-i686-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="33.55.amzn1" version="4.4.35"><filename>Packages/perf-debuginfo-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-tools-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="33.55.amzn1" version="4.4.35"><filename>Packages/perf-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-tools-debuginfo-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-headers-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-debuginfo-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="33.55.amzn1" 
version="4.4.35"><filename>Packages/kernel-tools-devel-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-devel-4.4.35-33.55.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="33.55.amzn1" version="4.4.35"><filename>Packages/kernel-doc-4.4.35-33.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-773</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-773: medium priority package update for 389-ds-base</title><issued date="2016-12-15 00:28" /><updated date="2016-12-15 23:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5416:
It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information.
1349540:
CVE-2016-5416 389-ds-base: ACI readable by anonymous user

CVE-2016-5405:
It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries.
1358865:
CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack

CVE-2016-4992:
An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not.
1347760:
CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5405" id="CVE-2016-5405" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5416" id="CVE-2016-5416" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4992" id="CVE-2016-4992" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-snmp-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-libs-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-devel-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-devel-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="11.49.amzn1" 
version="1.3.5.10"><filename>Packages/389-ds-base-snmp-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="11.49.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-libs-1.3.5.10-11.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-774</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-774: medium priority package update for nss-util nss nss-softokn</title><issued date="2016-12-15 00:32" /><updated date="2016-12-15 23:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8635:
1391818:
CVE-2016-8635 nss: small-subgroups attack flaw
It was found that Diffie Hellman Client key exchange handling in NSS was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.

CVE-2016-5285:
1383883:
CVE-2016-5285 nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash
A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS.

CVE-2016-2834:
Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application.
10104 1347908: 10105 CVE-2016-2834 nss: Multiple security flaws (MFSA 2016-61) 10106 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2834" id="CVE-2016-2834" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8635" id="CVE-2016-8635" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5285" id="CVE-2016-5285" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-util" release="1.1.51.amzn1" version="3.21.3"><filename>Packages/nss-util-3.21.3-1.1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="1.1.51.amzn1" version="3.21.3"><filename>Packages/nss-util-devel-3.21.3-1.1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="1.1.51.amzn1" version="3.21.3"><filename>Packages/nss-util-debuginfo-3.21.3-1.1.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="1.1.51.amzn1" version="3.21.3"><filename>Packages/nss-util-3.21.3-1.1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="1.1.51.amzn1" version="3.21.3"><filename>Packages/nss-util-debuginfo-3.21.3-1.1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="1.1.51.amzn1" version="3.21.3"><filename>Packages/nss-util-devel-3.21.3-1.1.51.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-sysinit-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-pkcs11-devel-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="nss-tools" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-tools-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-devel-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-debuginfo-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-debuginfo-3.21.3-2.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-tools-3.21.3-2.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-devel-3.21.3-2.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-sysinit-3.21.3-2.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-pkcs11-devel-3.21.3-2.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="2.77.amzn1" version="3.21.3"><filename>Packages/nss-3.21.3-2.77.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-devel" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-devel-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl" release="14.4.39.amzn1" 
version="3.16.2.3"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-debuginfo" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn-freebl-devel" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-softokn" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-debuginfo" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-freebl-devel" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-softokn-devel" release="14.4.39.amzn1" version="3.16.2.3"><filename>Packages/nss-softokn-devel-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-775</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-775: medium priority package update for expat</title><issued date="2016-12-15 00:38" /><updated date="2016-12-15 23:51" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10107 CVE-2016-0718: 10108 * An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application. 10109 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718" id="CVE-2016-0718" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:2824.html" id="RHSA-2016:2824" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="expat-debuginfo" release="10.21.amzn1" version="2.1.0"><filename>Packages/expat-debuginfo-2.1.0-10.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="expat-devel" release="10.21.amzn1" version="2.1.0"><filename>Packages/expat-devel-2.1.0-10.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="expat" release="10.21.amzn1" version="2.1.0"><filename>Packages/expat-2.1.0-10.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="expat" release="10.21.amzn1" version="2.1.0"><filename>Packages/expat-2.1.0-10.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="expat-devel" release="10.21.amzn1" version="2.1.0"><filename>Packages/expat-devel-2.1.0-10.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="expat-debuginfo" release="10.21.amzn1" version="2.1.0"><filename>Packages/expat-debuginfo-2.1.0-10.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2016-776</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-776: important priority package update for tomcat6</title><issued date="2016-12-15 00:41" /><updated date="2016-12-15 23:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10110 CVE-2016-8735: 10111 1397485: 10112 CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 10113 10114 CVE-2016-6816: 10115 1397484: 10116 CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 10117 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" id="CVE-2016-6816" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735" id="CVE-2016-8735" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-admin-webapps-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-el-2.1-api-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-servlet-2.5-api-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-javadoc-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-jsp-2.1-api-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.8.amzn1" 
version="6.0.48"><filename>Packages/tomcat6-webapps-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-docs-webapp-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-lib-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.8.amzn1" version="6.0.48"><filename>Packages/tomcat6-6.0.48-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-777</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-777: important priority package update for tomcat7</title><issued date="2016-12-15 00:48" /><updated date="2016-12-15 23:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10118 CVE-2016-8735: 10119 1397485: 10120 CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 10121 10122 CVE-2016-6816: 10123 1397484: 10124 CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 10125 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" id="CVE-2016-6816" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735" id="CVE-2016-8735" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.23.amzn1" 
version="7.0.73"><filename>Packages/tomcat7-jsp-2.2-api-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-lib-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-webapps-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-docs-webapp-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-el-2.2-api-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-log4j-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-admin-webapps-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-javadoc-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.23.amzn1" version="7.0.73"><filename>Packages/tomcat7-servlet-3.0-api-7.0.73-1.23.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-778</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-778: important priority package update for tomcat8</title><issued date="2016-12-15 00:50" /><updated date="2016-12-15 23:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities: 10126 CVE-2016-8735: 10127 1397485: 10128 CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener 10129 10130 CVE-2016-6816: 10131 1397484: 10132 CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 10133 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" id="CVE-2016-6816" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735" id="CVE-2016-8735" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-el-3.0-api-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-docs-webapp-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-admin-webapps-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-javadoc-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-servlet-3.1-api-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-webapps-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" 
name="tomcat8-log4j" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-log4j-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-lib-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.67.amzn1" version="8.0.39"><filename>Packages/tomcat8-jsp-2.3-api-8.0.39-1.67.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2016-779</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-779: important priority package update for vim</title><issued date="2016-12-19 16:30" /><updated date="2016-12-19 16:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10134 CVE-2016-1248: 10135 A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with privileges of the user running vim. 
10136 1398227: 10137 CVE-2016-1248 vim: Lack of validation of values for few options results in code exection 10138 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248" id="CVE-2016-1248" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="vim-debuginfo" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-debuginfo-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-common" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-common-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-minimal" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-minimal-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-enhanced" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-enhanced-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-filesystem" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-filesystem-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="vim-minimal" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-minimal-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-enhanced" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-enhanced-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-filesystem" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-filesystem-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-debuginfo" release="1.43.amzn1" version="8.0.0134"><filename>Packages/vim-debuginfo-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-common" release="1.43.amzn1" 
version="8.0.0134"><filename>Packages/vim-common-8.0.0134-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-780</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-780: medium priority package update for sudo</title><issued date="2017-01-04 17:00" /><updated date="2017-01-04 17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10139 CVE-2016-7076: 10140 It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges. 10141 1384982: 10142 CVE-2016-7076 sudo: noexec bypass via wordexp() 10143 10144 CVE-2016-7032: 10145 1372830: 10146 CVE-2016-7032 sudo: noexec bypass via system() and popen() 10147 It was discovered that the sudo noexec restriction could have been bypassed if application run via sudo executed system() or popen() C library functions with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could use this flaw to execute arbitrary commands with elevated privileges. 
10148 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7032" id="CVE-2016-7032" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076" id="CVE-2016-7076" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="sudo-devel" release="25.23.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-25.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-debuginfo" release="25.23.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-25.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo" release="25.23.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-25.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sudo-devel" release="25.23.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-25.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo" release="25.23.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-25.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo-debuginfo" release="25.23.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-25.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-781</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-781: medium priority package update for ntp</title><issued date="2017-01-04 17:00" /><updated date="2017-01-04 17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10149 CVE-2016-9311: 10150 1398350: 10151 CVE-2016-9311 ntp: Null pointer dereference when trap service is enabled 10152 10153 CVE-2016-9310: 10154 1397319: 
10155 CVE-2016-9310 ntp: Mode 6 unauthenticated trap information disclosure and DDoS vector 10156 10157 CVE-2016-7433: 10158 1397347: 10159 CVE-2016-7433 ntp: Broken initial sync calculations regression 10160 10161 CVE-2016-7429: 10162 1397341: 10163 CVE-2016-7429 ntp: Attack on interface selection 10164 10165 CVE-2016-7426: 10166 1397345: 10167 CVE-2016-7426 ntp: Client rate limiting and server responses 10168 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429" id="CVE-2016-7429" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426" id="CVE-2016-7426" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311" id="CVE-2016-9311" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433" id="CVE-2016-7433" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310" id="CVE-2016-9310" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ntp-perl" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-43.33.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-43.33.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-43.33.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-43.33.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="ntpdate" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-43.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-43.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="43.33.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-43.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-782</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-782: medium priority package update for kernel</title><issued date="2017-01-04 17:00" /><updated date="2017-02-22 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10169 CVE-2016-9793: 10170 1402013: 10171 CVE-2016-9793 kernel: Signed overflow for SO_{SND|RCV}BUFFORCE 10172 The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option. 10173 10174 CVE-2016-9576: 10175 The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. 
1403145:
CVE-2016-9576 kernel: Use after free in SCSI generic device interface

CVE-2016-8650:
A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.
1395187:
CVE-2016-8650 kernel: Null pointer dereference via keyctl

CVE-2016-8399:
1403833:
CVE-2016-8399 kernel: net: Out of bounds stack read in memcpy_fromiovec
A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out of bounds read by creating a smaller-than-expected ICMP header and sending to its destination via sendto().

CVE-2016-10147:
Algorithms not compatible with mcryptd could be spawned by mcryptd with a direct crypto_alloc_tfm invocation using a &quot;mcryptd(alg)&quot; name construct. This causes mcryptd to crash the kernel if an arbitrary &quot;alg&quot; is incompatible and not intended to be used with mcryptd.
10191 1404200: 10192 CVE-2016-10147 kernel: Kernel crash by spawning mcrypt(alg) with incompatible algorithm 10193 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9793" id="CVE-2016-9793" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9576" id="CVE-2016-9576" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147" id="CVE-2016-10147" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8650" id="CVE-2016-8650" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8399" id="CVE-2016-8399" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf" release="34.54.amzn1" version="4.4.39"><filename>Packages/perf-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-tools-debuginfo-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-devel-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-headers-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-tools-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="34.54.amzn1" 
version="4.4.39"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-tools-devel-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="34.54.amzn1" version="4.4.39"><filename>Packages/perf-debuginfo-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-debuginfo-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-debuginfo-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-headers-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-tools-debuginfo-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-tools-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-debuginfo-common-i686-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-devel-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="34.54.amzn1" 
version="4.4.39"><filename>Packages/kernel-tools-devel-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="34.54.amzn1" version="4.4.39"><filename>Packages/perf-debuginfo-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="34.54.amzn1" version="4.4.39"><filename>Packages/perf-4.4.39-34.54.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="34.54.amzn1" version="4.4.39"><filename>Packages/kernel-doc-4.4.39-34.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-783</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-783: important priority package update for docker</title><issued date="2017-01-10 18:00" /><updated date="2017-01-10 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10194 CVE-2016-9962: 10195 It was discovered that runC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization, which can lead to container escapes or modification of runC state before the process is fully placed inside the container. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9962" id="CVE-2016-9962" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker" release="1.17.amzn1" version="1.12.6"><filename>Packages/docker-1.12.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="docker-devel" release="1.17.amzn1" version="1.12.6"><filename>Packages/docker-devel-1.12.6-1.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-debuginfo" release="1.17.amzn1" version="1.12.6"><filename>Packages/docker-debuginfo-1.12.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="docker-pkg-devel" release="1.17.amzn1" version="1.12.6"><filename>Packages/docker-pkg-devel-1.12.6-1.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-784</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-784: medium priority package update for ghostscript</title><issued date="2017-01-10 18:00" /><updated date="2017-01-10 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8602:
It was found that ghostscript did not sufficiently check the validity of parameters given to the .sethalftone5 function. A specially crafted postscript document could cause a crash, or execute arbitrary code in the context of the gs process.
1383940:
CVE-2016-8602 ghostscript: check for sufficient params in .sethalftone5

CVE-2016-7979:
1382305:
CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution
It was found that the ghostscript function .initialize_dsc_parser did not validate its parameter before using it, allowing a type confusion flaw. A specially crafted postscript document could cause a crash code execution in the context of the gs process.

CVE-2016-7977:
1380415:
CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER
It was found that ghostscript function .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could, in the context of the gs process, retrieve file content on the target machine.

CVE-2013-5653:
It was found that the ghostscript functions getenv and filenameforall did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variable and list directory respectively, from the target.
1380327:
CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7977" id="CVE-2016-7977" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8602" id="CVE-2016-8602" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5653" id="CVE-2013-5653" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7979" id="CVE-2016-7979" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ghostscript-doc" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-devel" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-debuginfo" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-doc" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-21.1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-devel" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-21.1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript" release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-21.1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-debuginfo"
release="21.1.24.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-21.1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-785</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-785: medium priority package update for httpd24</title><issued date="2017-01-19 16:30" /><updated date="2017-01-19 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8743:
1406822:
CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects

CVE-2016-2161:
1406753:
CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest

CVE-2016-0736:
1406744:
CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736" id="CVE-2016-0736" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161" id="CVE-2016-2161" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743" id="CVE-2016-8743" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd24" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-manual-2.4.25-1.68.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-debuginfo-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session"
release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_session-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_proxy_html-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_ldap-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_ssl-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-devel-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-tools-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_ssl-2.4.25-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-2.4.25-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-debuginfo-2.4.25-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-devel-2.4.25-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_session-2.4.25-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_ldap-2.4.25-1.68.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="1" name="mod24_proxy_html" release="1.68.amzn1" version="2.4.25"><filename>Packages/mod24_proxy_html-2.4.25-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.68.amzn1" version="2.4.25"><filename>Packages/httpd24-tools-2.4.25-1.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-786</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-786: medium priority package update for kernel</title><issued date="2017-01-19 16:30" /><updated date="2017-01-19 16:30" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10088:
1412210:
CVE-2016-10088 kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression)
The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10088" id="CVE-2016-10088" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf" release="36.55.amzn1" version="4.4.41"><filename>Packages/perf-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-devel-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="36.55.amzn1" version="4.4.41"><filename>Packages/perf-debuginfo-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-tools-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-debuginfo-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-headers-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-tools-debuginfo-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="36.55.amzn1"
version="4.4.41"><filename>Packages/kernel-tools-devel-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-tools-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="36.55.amzn1" version="4.4.41"><filename>Packages/perf-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="36.55.amzn1" version="4.4.41"><filename>Packages/perf-debuginfo-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-debuginfo-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-tools-debuginfo-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-devel-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-tools-devel-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-debuginfo-common-i686-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="36.55.amzn1" version="4.4.41"><filename>Packages/kernel-headers-4.4.41-36.55.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="36.55.amzn1" 
version="4.4.41"><filename>Packages/kernel-doc-4.4.41-36.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-787</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-787: medium priority package update for php56</title><issued date="2017-01-26 18:00" /><updated date="2017-01-26 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9935:
1404731:
CVE-2016-9935 php: Invalid read when wddx decodes empty boolean element
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.

CVE-2016-9934:
1404726:
CVE-2016-9934 php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.

CVE-2016-9933:
1404723:
CVE-2016-9933 php, gd: Stack overflow in gdImageFillToBorder on truecolor images
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.

CVE-2016-9137:
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
1391000:
CVE-2016-9137 php: Use after free in unserialize()

CVE-2016-8670:
1391068:
CVE-2016-8670 gd, php: Stack based buffer overflow in dynamicGetbuf
A vulnerability was found in gd. Integer underflow in a calculation in dynamicGetbuf() was incorrectly handled, leading in some circumstances to an out of bounds write through a very large argument to memcpy(). An attacker could create a crafted image that would lead to a crash or, potentially, code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935" id="CVE-2016-9935" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934" id="CVE-2016-9934" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137" id="CVE-2016-9137" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670" id="CVE-2016-8670" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933" id="CVE-2016-9933" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-odbc" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-odbc-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-devel-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.131.amzn1"
version="5.6.29"><filename>Packages/php56-embedded-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-gd-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mssql-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-opcache-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-common-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mysqlnd-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-pdo-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-pgsql-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-dba-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-tidy-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-process-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.131.amzn1" 
version="5.6.29"><filename>Packages/php56-mcrypt-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-xml-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-pspell-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-soap-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-gmp-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-enchant-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-imap-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-debuginfo-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-xmlrpc-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-bcmath-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-snmp-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.131.amzn1" 
version="5.6.29"><filename>Packages/php56-intl-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mbstring-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-ldap-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-fpm-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-dbg-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-cli-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-recode-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-dbg-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-snmp-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-pspell-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-debuginfo-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-cli" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-cli-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-odbc-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mssql-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-fpm-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-imap-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-opcache-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-intl-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-gmp-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-dba-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mcrypt-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-pdo-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-mysqlnd" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mysqlnd-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-process-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-devel-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-recode-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-bcmath-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-common-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-pgsql-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-tidy-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-enchant-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-xml-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-ldap-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.131.amzn1" 
version="5.6.29"><filename>Packages/php56-embedded-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-mbstring-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-xmlrpc-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-soap-5.6.29-1.131.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.131.amzn1" version="5.6.29"><filename>Packages/php56-gd-5.6.29-1.131.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-788</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-788: medium priority package update for php70</title><issued date="2017-01-26 18:00" /><updated date="2017-01-26 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9936:
1404735:
CVE-2016-9936 php: Use After Free in unserialize()
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.

CVE-2016-9935:
1404731:
CVE-2016-9935 php: Invalid read when wddx decodes empty boolean element
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.

CVE-2016-9934:
1404726:
CVE-2016-9934 php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.

CVE-2016-9933:
1404723:
CVE-2016-9933 php, gd: Stack overflow in gdImageFillToBorder on truecolor images
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.

CVE-2016-9137:
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
1391000:
CVE-2016-9137 php: Use after free in unserialize()

CVE-2016-7480:
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
1416499:
CVE-2016-7480 php: Use of uninitialized value in SplObjectStorag::unserialize
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935" id="CVE-2016-9935" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934" id="CVE-2016-9934" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9936" id="CVE-2016-9936" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933" id="CVE-2016-9933" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137" id="CVE-2016-9137" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7480" id="CVE-2016-7480" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php70-embedded" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-embedded-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-json-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pdo-dblib-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-common-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-intl-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-cli-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php70-soap" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-soap-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pspell-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-xmlrpc-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-zip-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-enchant-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-gd-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-mysqlnd-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-imap-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-recode-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-mcrypt-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-gmp-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.20.amzn1" 
version="7.0.14"><filename>Packages/php70-mbstring-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-xml-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pdo-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pgsql-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-debuginfo-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-dba-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-process-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-devel-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-fpm-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-ldap-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-bcmath-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-opcache-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php70-snmp" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-snmp-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-odbc-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-tidy-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-dbg-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pspell-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-bcmath-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-mbstring-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-mysqlnd-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-mcrypt-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-imap-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-intl" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-intl-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-xmlrpc-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-enchant-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-debuginfo-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-embedded-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-zip-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-dbg-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-soap-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-snmp-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-common-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-gd-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-ldap-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-gmp" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-gmp-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-cli-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-devel-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-tidy-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-xml-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pdo-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-dba-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-process-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-recode-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pgsql-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-pdo-dblib-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-fpm-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-opcache" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-opcache-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-json-7.0.14-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.20.amzn1" version="7.0.14"><filename>Packages/php70-odbc-7.0.14-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-789</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-789: medium priority package update for mysql55</title><issued date="2017-01-26 18:00" /><updated date="2017-01-26 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3318:
1414357:
CVE-2017-3318 mysql: Server: Error Handling unspecified vulnerability (CPU Jan 2017)

CVE-2017-3317:
1414355:
CVE-2017-3317 mysql: Logging unspecified vulnerability (CPU Jan 2017)

CVE-2017-3313:
1414353:
CVE-2017-3313 mysql: Server: MyISAM unspecified vulnerability (CPU Jan 2017)

CVE-2017-3258:
1414351:
CVE-2017-3258 mysql: Server: DDL unspecified vulnerability (CPU Jan 2017)

CVE-2017-3244:
1414342:
CVE-2017-3244 mysql: Server: DML unspecified vulnerability (CPU Jan 2017)

CVE-2017-3243:
1414340:
CVE-2017-3243 mysql: Server: Charsets unspecified vulnerability (CPU Jan 2017)

CVE-2017-3238:
1414338:
CVE-2017-3238 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317" id="CVE-2017-3317" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258" id="CVE-2017-3258" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238" id="CVE-2017-3238" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244" id="CVE-2017-3244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313" id="CVE-2017-3313" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318" id="CVE-2017-3318" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243" id="CVE-2017-3243" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-test" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-test-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-server-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-bench-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-embedded-devel-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-embedded-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.16.amzn1" 
version="5.5.54"><filename>Packages/mysql55-libs-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql-config-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-devel-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-debuginfo-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql-config-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-devel-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-embedded-devel-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-bench-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-server-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-embedded-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.16.amzn1" 
version="5.5.54"><filename>Packages/mysql55-debuginfo-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-test-5.5.54-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.16.amzn1" version="5.5.54"><filename>Packages/mysql55-libs-5.5.54-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-790</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-790: medium priority package update for mysql56</title><issued date="2017-01-26 18:00" /><updated date="2017-01-26 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3318:
1414357:
CVE-2017-3318 mysql: Server: Error Handling unspecified vulnerability (CPU Jan 2017)

CVE-2017-3317:
1414355:
CVE-2017-3317 mysql: Logging unspecified vulnerability (CPU Jan 2017)

CVE-2017-3313:
1414353:
CVE-2017-3313 mysql: Server: MyISAM unspecified vulnerability (CPU Jan 2017)

CVE-2017-3273:
1414352:
CVE-2017-3273 mysql: Server: DDL unspecified vulnerability (CPU Jan 2017)

CVE-2017-3258:
1414351:
CVE-2017-3258 mysql: Server: DDL unspecified vulnerability (CPU Jan 2017)

CVE-2017-3257:
1414350:
CVE-2017-3257 mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2017)

CVE-2017-3244:
1414342:
CVE-2017-3244 mysql: Server: DML unspecified vulnerability (CPU Jan 2017)

CVE-2017-3238:
1414338:
CVE-2017-3238 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017)

CVE-2016-8327:
1414337:
CVE-2016-8327 mysql: Server: Replication unspecified vulnerability (CPU Jan 2017)

CVE-2016-8318:
1414335:
CVE-2016-8318 mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8318" id="CVE-2016-8318" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238" id="CVE-2017-3238" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8327" id="CVE-2016-8327" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317" id="CVE-2017-3317" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258" id="CVE-2017-3258" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313" id="CVE-2017-3313" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3273" id="CVE-2017-3273" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244" id="CVE-2017-3244" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318" id="CVE-2017-3318" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257" id="CVE-2017-3257" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-embedded-devel-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.23.amzn1" 
version="5.6.35"><filename>Packages/mysql56-devel-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-server-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-libs-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-errmsg-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-debuginfo-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-embedded-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-test-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-common-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-bench-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-libs-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-bench-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.23.amzn1" 
version="5.6.35"><filename>Packages/mysql56-devel-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-server-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-debuginfo-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-errmsg-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-test-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-common-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-embedded-5.6.35-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.23.amzn1" version="5.6.35"><filename>Packages/mysql56-embedded-devel-5.6.35-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-791</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-791: critical priority package update for java-1.8.0-openjdk</title><issued date="2017-01-26 18:00" /><updated date="2017-01-26 18:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3289:
1413562:
CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)

CVE-2017-3272:
1413554:
CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)

CVE-2017-3261:
1413653:
CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)

CVE-2017-3253:
It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory.
1413583:
CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)

CVE-2017-3252:
1413906:
CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN.

CVE-2017-3241:
It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
1413955:
CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)

CVE-2017-3231:
1413717:
CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)

CVE-2016-5552:
1413882:
CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL.

CVE-2016-5548:
1413920:
CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel.

CVE-2016-5547:
1413764:
CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory.

CVE-2016-5546:
1413911:
CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools.

CVE-2016-2183:
1369383:
CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
A flaw was found in the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5547" id="CVE-2016-5547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5546" id="CVE-2016-5546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231" id="CVE-2017-3231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5548" id="CVE-2016-5548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289" id="CVE-2017-3289" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3261" id="CVE-2017-3261" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183" id="CVE-2016-2183" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272" id="CVE-2017-3272" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3241" id="CVE-2017-3241" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552" id="CVE-2016-5552" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253" id="CVE-2017-3253" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3252" id="CVE-2017-3252" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.121-0.b13.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.121-0.b13.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.b13.29.amzn1" 
version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.b13.29.amzn1" version="1.8.0.121"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-792</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-792: low priority package update for glibc</title><issued date="2017-02-06 18:00" /><updated date="2017-02-06 18:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3075:
A stack overflow vulnerability was found in _nss_dns_getnetbyname_r. On systems with nsswitch configured to include &quot;networks: dns&quot; with a privileged or network-facing service that would attempt to resolve user-provided network names, an attacker could provide an excessively long network name, resulting in stack corruption and code execution.
1321866:
CVE-2016-3075 glibc: Stack overflow in nss_dns_getnetbyname_r
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3075" id="CVE-2016-3075" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="157.169.amzn1" version="2.17"><filename>Packages/nscd-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="157.169.amzn1" 
version="2.17"><filename>Packages/glibc-headers-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-157.169.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="157.169.amzn1" version="2.17"><filename>Packages/nscd-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-157.169.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="157.169.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-157.169.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-793</id><title>Amazon Linux AMI 
2014.03 - ALAS-2017-793: low priority package update for krb5</title><issued date="2017-02-06 18:00" /><updated date="2017-02-06 18:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3120:
1361050:
CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted
A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a null pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true.

CVE-2016-3119:
1319616:
CVE-2016-3119 krb5: null pointer dereference in kadmin
A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a null pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3119" id="CVE-2016-3119" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3120" id="CVE-2016-3120" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-devel" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-devel-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-server-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-server-ldap-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-workstation-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libkadm5" release="27.41.amzn1" version="1.14.1"><filename>Packages/libkadm5-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-pkinit-openssl-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-libs-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-debuginfo-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-debuginfo-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server"
release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-server-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-devel-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-pkinit-openssl-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libkadm5" release="27.41.amzn1" version="1.14.1"><filename>Packages/libkadm5-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-libs-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-server-ldap-1.14.1-27.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="27.41.amzn1" version="1.14.1"><filename>Packages/krb5-workstation-1.14.1-27.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-794</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-794: medium priority package update for subversion mod_dav_svn</title><issued date="2017-02-06 18:00" /><updated date="2017-02-06 18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8734:
1397403:
CVE-2016-8734 subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8734" id="CVE-2016-8734" title="" type="cve" /></references><pkglist><collection
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_dav_svn-debuginfo" release="2.53.amzn1" version="1.9.5"><filename>Packages/mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn" release="2.53.amzn1" version="1.9.5"><filename>Packages/mod_dav_svn-1.9.5-2.53.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn-debuginfo" release="2.53.amzn1" version="1.9.5"><filename>Packages/mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="2.53.amzn1" version="1.9.5"><filename>Packages/mod_dav_svn-1.9.5-2.53.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-libs-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_dav_svn" release="1.56.amzn1" version="1.9.5"><filename>Packages/mod24_dav_svn-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python26" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-python26-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-ruby-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-perl-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.56.amzn1" 
version="1.9.5"><filename>Packages/subversion-debuginfo-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python27" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-python27-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-devel-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-tools-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-javahl-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-devel-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_dav_svn" release="1.56.amzn1" version="1.9.5"><filename>Packages/mod24_dav_svn-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-ruby-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-perl-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-debuginfo-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python27" release="1.56.amzn1" 
version="1.9.5"><filename>Packages/subversion-python27-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-javahl-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-libs-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-tools-1.9.5-1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python26" release="1.56.amzn1" version="1.9.5"><filename>Packages/subversion-python26-1.9.5-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-795</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-795: important priority package update for java-1.6.0-openjdk</title><issued date="2017-02-06 18:00" /><updated date="2017-02-06 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5597:
1386103:
CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication.

CVE-2016-5582:
1385402:
CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine&#039;s memory and completely bypass Java sandbox restrictions.

CVE-2016-5573:
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim&#039;s browser send HTTP requests to the JDWP port of the debugged application.
1385544:
CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)

CVE-2016-5554:
1385714:
CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" id="CVE-2016-5542" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5554" id="CVE-2016-5554" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597" id="CVE-2016-5597" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5573" id="CVE-2016-5573" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5582" id="CVE-2016-5582" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.13.1.77.amzn1"
version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-src" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-debuginfo" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-javadoc" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-demo" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.6.0-openjdk-devel" release="1.13.13.1.77.amzn1" version="1.6.0.41"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-796</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-796: medium priority package update for tomcat7 tomcat8</title><issued date="2017-02-14 12:00" /><updated date="2017-02-14 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8745:
1403824:
CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745" id="CVE-2016-8745" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-jsp-2.3-api-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-javadoc-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-webapps-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-lib-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-log4j-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-servlet-3.1-api-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-el-3.0-api-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-admin-webapps-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.69.amzn1" version="8.0.41"><filename>Packages/tomcat8-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.69.amzn1" 
version="8.0.41"><filename>Packages/tomcat8-docs-webapp-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-lib-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-log4j-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-webapps-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-javadoc-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-el-2.2-api-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-admin-webapps-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-docs-webapp-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-jsp-2.2-api-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.25.amzn1" version="7.0.75"><filename>Packages/tomcat7-servlet-3.0-api-7.0.75-1.25.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-797</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-797: critical priority package update for java-1.7.0-openjdk</title><issued date="2017-02-14 12:00" /><updated date="2017-02-14 12:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3289:
1413562:
CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).

CVE-2017-3272:
1413554:
CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).

CVE-2017-3261:
1413653:
CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 4.3 (Confidentiality impacts).

CVE-2017-3253:
It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory.
1413583:
CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)

CVE-2017-3252:
1413906:
CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN.

CVE-2017-3241:
It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
1413955:
CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)

CVE-2017-3231:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 4.3 (Confidentiality impacts).
1413717:
CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)

CVE-2016-5552:
1413882:
CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL.

CVE-2016-5548:
1413920:
CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel.

CVE-2016-5547:
1413764:
CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory.

CVE-2016-5546:
It was discovered that the Libraries component of OpenJDK accepted ECDSA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools.
1413911:
CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5546" id="CVE-2016-5546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231" id="CVE-2017-3231" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5548" id="CVE-2016-5548" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289" id="CVE-2017-3289" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3261" id="CVE-2017-3261" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3241" id="CVE-2017-3241" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272" id="CVE-2017-3272" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5547" id="CVE-2016-5547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552" id="CVE-2016-5552" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253" id="CVE-2017-3253" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3252" id="CVE-2017-3252" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.9.0.70.amzn1"
version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.9.0.70.amzn1" version="1.7.0.131"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-798</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2017-798: important priority package update for bind</title><issued date="2017-02-14 12:00" /><updated date="2017-02-14 12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10518 CVE-2016-9147: 10519 1411367: 10520 CVE-2016-9147 bind: assertion failure while handling a query response containing inconsistent DNSSEC information 10521 A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. 10522 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9147" id="CVE-2016-9147" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.47.rc1.52.amzn1" 
version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.47.rc1.52.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-799</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-799: medium priority package update for openldap</title><issued date="2017-02-14 12:00" /><updated date="2017-02-14 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10523 
CVE-2015-3276: 10524 1238322: 10525 CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing 10526 A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings. As a result, OpenLDAP could potentially use ciphers that were not intended to be enabled. 10527 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3276" id="CVE-2015-3276" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openldap-servers" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-servers-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-servers-sql" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-servers-sql-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-clients" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-clients-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-debuginfo" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-debuginfo-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openldap-devel" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-devel-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openldap-debuginfo" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-debuginfo-2.4.40-12.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-clients" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-clients-2.4.40-12.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="openldap-servers-sql" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-servers-sql-2.4.40-12.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-2.4.40-12.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-servers" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-servers-2.4.40-12.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openldap-devel" release="12.30.amzn1" version="2.4.40"><filename>Packages/openldap-devel-2.4.40-12.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-800</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-800: important priority package update for mysql51</title><issued date="2017-02-22 18:00" /><updated date="2017-02-22 18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10528 CVE-2016-6663: 10529 A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. 10530 1378936: 10531 CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016) 10532 10533 CVE-2016-6662: 10534 It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server. 
10535 1375198: 10536 CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016) 10537 1375198: 10538 CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation 10539 10540 CVE-2016-5616: 10541 A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user. 10542 1378936: 10543 CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016) 10544 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662" id="CVE-2016-6662" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6663" id="CVE-2016-6663" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616" id="CVE-2016-5616" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql51-server" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-server-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-devel" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-devel-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-common" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-common-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-debuginfo" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-debuginfo-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-test" release="8.72.amzn1" 
version="5.1.73"><filename>Packages/mysql51-test-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded-devel" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-devel-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-libs" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-libs-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-bench" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-bench-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql51-embedded" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-bench" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-bench-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded-devel" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-devel-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-debuginfo" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-debuginfo-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-common" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-common-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-test" release="8.72.amzn1" 
version="5.1.73"><filename>Packages/mysql51-test-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-server" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-server-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-devel" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-devel-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-libs" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-libs-5.1.73-8.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql51-embedded" release="8.72.amzn1" version="5.1.73"><filename>Packages/mysql51-embedded-5.1.73-8.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-801</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-801: important priority package update for python-crypto</title><issued date="2017-03-06 14:00" /><updated date="2017-03-06 14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10545 CVE-2013-7459: 10546 1409754: 10547 CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure 10548 Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. 
10549 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7459" id="CVE-2013-7459" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python26-crypto" release="1.14.amzn1" version="2.6.1"><filename>Packages/python26-crypto-2.6.1-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-crypto" release="1.14.amzn1" version="2.6.1"><filename>Packages/python27-crypto-2.6.1-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python-crypto-debuginfo" release="1.14.amzn1" version="2.6.1"><filename>Packages/python-crypto-debuginfo-2.6.1-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python26-crypto" release="1.14.amzn1" version="2.6.1"><filename>Packages/python26-crypto-2.6.1-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python-crypto-debuginfo" release="1.14.amzn1" version="2.6.1"><filename>Packages/python-crypto-debuginfo-2.6.1-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-crypto" release="1.14.amzn1" version="2.6.1"><filename>Packages/python27-crypto-2.6.1-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-802</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-802: medium priority package update for libtiff compat-libtiff3</title><issued date="2017-03-06 14:00" /><updated date="2017-03-06 14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10550 CVE-2016-9540: 10551 tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. 
Reported as MSVR 35103, aka &quot;cpStripToTile heap-buffer-overflow.&quot;
1397768:
CVE-2016-9540 libtiff: cpStripToTile heap-buffer-overflow

CVE-2016-9537:
tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.
1397760:
CVE-2016-9537 libtiff: Out-of-bounds write vulnerabilities in tools/tiffcrop.c

CVE-2016-9536:
1397758:
CVE-2016-9536 libtiff: t2p_process_jpeg_strip heap-buffer-overflow
tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka &quot;t2p_process_jpeg_strip heap-buffer-overflow.&quot;

CVE-2016-9535:
1397755:
CVE-2016-9535 libtiff: Predictor heap-buffer-overflow
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka &quot;Predictor heap-buffer-overflow.&quot;

CVE-2016-9534:
1397751:
CVE-2016-9534 libtiff: TIFFFlushData1 heap-buffer-overflow
tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn&#039;t reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka &quot;TIFFFlushData1 heap-buffer-overflow.&quot;

CVE-2016-9533:
tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka &quot;PixarLog horizontalDifference heap-buffer-overflow.&quot;
1397769:
CVE-2016-9533 libtiff: PixarLog horizontalDifference heap-buffer-overflow

CVE-2016-5652:
An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF&#039;s TIFF2PDF tool.
A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means. 10582 1389222: 10583 CVE-2016-5652 libtiff: tiff2pdf JPEG Compression Tables Heap Buffer Overflow 10584 10585 CVE-2015-8870: 10586 Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file. 10587 1402778: 10588 CVE-2015-8870 libtiff: Integer overflow in tools/bmp2tiff.c 10589 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652" id="CVE-2016-5652" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9535" id="CVE-2016-9535" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9533" id="CVE-2016-9533" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9540" id="CVE-2016-9540" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9534" id="CVE-2016-9534" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9537" id="CVE-2016-9537" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9536" id="CVE-2016-9536" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8870" id="CVE-2015-8870" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtiff-static" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff" release="27.29.amzn1" 
version="4.0.3"><filename>Packages/libtiff-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-devel" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtiff-debuginfo" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-devel" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-devel-4.0.3-27.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-debuginfo" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-debuginfo-4.0.3-27.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff-static" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-static-4.0.3-27.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtiff" release="27.29.amzn1" version="4.0.3"><filename>Packages/libtiff-4.0.3-27.29.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="compat-libtiff3-debuginfo" release="21.15.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-21.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="compat-libtiff3" release="21.15.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-3.9.4-21.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="compat-libtiff3-debuginfo" release="21.15.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-21.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="compat-libtiff3" release="21.15.amzn1" version="3.9.4"><filename>Packages/compat-libtiff3-3.9.4-21.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2017-803</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-803: medium priority package update for openssl</title><issued date="2017-03-06 14:00" /><updated date="2017-03-06 14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 10590 CVE-2017-3731: 10591 1416852: 10592 CVE-2017-3731 openssl: Truncated packet could crash via OOB read 10593 An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite. 10594 10595 CVE-2016-8610: 10596 1384743: 10597 CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS 10598 A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. 
10599 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731" id="CVE-2017-3731" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610" id="CVE-2016-8610" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-perl" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-debuginfo-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-perl-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="15.99.amzn1" version="1.0.1k"><filename>Packages/openssl-static-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="15.99.amzn1" 
version="1.0.1k"><filename>Packages/openssl-devel-1.0.1k-15.99.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-804</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-804: medium priority package update for exim</title><issued date="2017-03-06 14:00" /><updated date="2017-03-06 14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9963:
It was found that Exim leaked DKIM signing private keys to the &quot;mainlog&quot; log file. As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.
1405322:
CVE-2016-9963 exim: Possible information disclosure to remote atacker
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9963" id="CVE-2016-9963" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-pgsql" release="2.11.amzn1" version="4.88"><filename>Packages/exim-pgsql-4.88-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="2.11.amzn1" version="4.88"><filename>Packages/exim-mon-4.88-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-debuginfo" release="2.11.amzn1" version="4.88"><filename>Packages/exim-debuginfo-4.88-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mysql" release="2.11.amzn1" version="4.88"><filename>Packages/exim-mysql-4.88-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="2.11.amzn1" version="4.88"><filename>Packages/exim-4.88-2.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist"
release="2.11.amzn1" version="4.88"><filename>Packages/exim-greylist-4.88-2.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="2.11.amzn1" version="4.88"><filename>Packages/exim-4.88-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="2.11.amzn1" version="4.88"><filename>Packages/exim-mon-4.88-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="2.11.amzn1" version="4.88"><filename>Packages/exim-mysql-4.88-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="2.11.amzn1" version="4.88"><filename>Packages/exim-pgsql-4.88-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="2.11.amzn1" version="4.88"><filename>Packages/exim-debuginfo-4.88-2.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="2.11.amzn1" version="4.88"><filename>Packages/exim-greylist-4.88-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-805</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-805: important priority package update for kernel</title><issued date="2017-03-06 14:00" /><updated date="2017-06-07 21:47" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6214:
1426542:
CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
A flaw was found in the Linux kernel&#039;s handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely.

CVE-2017-6074:
A use-after-free flaw was found in the way the Linux kernel&#039;s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
1423071:
CVE-2017-6074 kernel: use after free in dccp protocol

CVE-2017-5986:
It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread.
1420276:
CVE-2017-5986 kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf

CVE-2017-5970:
A vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation.
1421638:
CVE-2017-5970 kernel: ipv4: Invalid IP options could cause skb->dst drop

CVE-2017-5897:
1419848:
CVE-2017-5897 kernel: ip6_gre: Invalid reads in ip6gre_err
An issue was found in the Linux kernel ipv6 implementation of GRE tunnels which allows a remote attacker to trigger an out-of-bounds access. At this time we understand no trust barrier has been crossed and there is no security implications in this flaw.

CVE-2017-5551:
A vulnerability was found in the Linux kernel in &#039;tmpfs&#039; file system. When file permissions are modified via &#039;chmod&#039; and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok().
Setting a POSIX ACL via &#039;setxattr&#039; sets the file permissions as well as the new ACL, but doesn&#039;t clear the setgid bit in a similar way; this allows to bypass the check in &#039;chmod&#039;.
1416126:
CVE-2017-5551 kernel: S_ISGD is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix)

CVE-2016-7097:
1368938:
CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
A vulnerability was found in the Linux kernel. When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn&#039;t clear the setgid bit in a similar way; this allows to bypass the check in chmod.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5897" id="CVE-2017-5897" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970" id="CVE-2017-5970" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074" id="CVE-2017-6074" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551" id="CVE-2017-5551" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986" id="CVE-2017-5986" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214" id="CVE-2017-6214" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097" id="CVE-2016-7097" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="40.58.amzn1"
version="4.4.51"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-tools-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="40.58.amzn1" version="4.4.51"><filename>Packages/perf-debuginfo-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="40.58.amzn1" version="4.4.51"><filename>Packages/perf-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-tools-devel-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-devel-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-headers-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-devel-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="40.58.amzn1" 
version="4.4.51"><filename>Packages/kernel-headers-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-tools-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="40.58.amzn1" version="4.4.51"><filename>Packages/perf-debuginfo-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="40.58.amzn1" version="4.4.51"><filename>Packages/perf-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-common-i686-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-tools-devel-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-4.4.51-40.58.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="40.58.amzn1" version="4.4.51"><filename>Packages/kernel-doc-4.4.51-40.58.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-806</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-806: low priority package update for curl</title><issued date="2017-03-22 16:00" /><updated 
 date="2017-03-22 16:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9586:
1406712:
CVE-2016-9586 curl: printf floating point buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9586" id="CVE-2016-9586" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl-debuginfo" release="9.70.amzn1" version="7.47.1"><filename>Packages/curl-debuginfo-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="9.70.amzn1" version="7.47.1"><filename>Packages/libcurl-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="9.70.amzn1" version="7.47.1"><filename>Packages/curl-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="9.70.amzn1" version="7.47.1"><filename>Packages/libcurl-devel-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="9.70.amzn1" version="7.47.1"><filename>Packages/curl-7.47.1-9.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="9.70.amzn1" version="7.47.1"><filename>Packages/libcurl-7.47.1-9.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="9.70.amzn1" version="7.47.1"><filename>Packages/curl-debuginfo-7.47.1-9.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="9.70.amzn1" version="7.47.1"><filename>Packages/libcurl-devel-7.47.1-9.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security"
version="1.4"><id>ALAS-2017-807</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-807: medium priority package update for openjpeg</title><issued date="2017-03-22 16:00" /><updated date="2017-03-22 16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9675:
1382202:
CVE-2016-9675 openjpeg: incorrect fix for CVE-2013-6045
A vulnerability was found in the patch for CVE-2013-6045 for OpenJPEG. A specially crafted JPEG2000 image, when read by an application using OpenJPEG, could cause heap-based buffer overflows leading to a crash or possible code execution.

CVE-2016-7163:
1374329:
CVE-2016-7163 openjpeg: Integer overflow in opj_pi_create_decode
An integer overflow, leading to a heap buffer overflow, was found in OpenJPEG. An attacker could create a crafted JPEG2000 image that, when loaded by an application using openjpeg, could lead to a crash or, potentially, code execution.

CVE-2016-5159:
An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause an incorrect calculation when allocating memory for code blocks, which could lead to a crash, or potentially, code execution.
1372220:
CVE-2016-5159 chromium-browser, openjpeg: heap overflow in parsing of JPEG2000 code blocks

CVE-2016-5158:
1372219:
CVE-2016-5158 chromium-browser, openjpeg: heap overflow due to unsafe use of opj_aligned_malloc
An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause incorrect calculations when allocating various data structures, which could lead to a crash, or potentially, code execution.

CVE-2016-5139:
An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause an incorrect calculation when allocating precinct data structures, which could lead to a crash, or potentially, code execution.
1363982:
CVE-2016-5139 chromium-browser, openjpeg: Heap overflow in parsing of JPEG2000 precincts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5139" id="CVE-2016-5139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163" id="CVE-2016-7163" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5159" id="CVE-2016-5159" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5158" id="CVE-2016-5158" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9675" id="CVE-2016-9675" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openjpeg-devel" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-debuginfo" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg-libs" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-libs-1.3-16.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openjpeg" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-16.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-libs" release="16.9.amzn1"
version="1.3"><filename>Packages/openjpeg-libs-1.3-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-1.3-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-debuginfo" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-debuginfo-1.3-16.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openjpeg-devel" release="16.9.amzn1" version="1.3"><filename>Packages/openjpeg-devel-1.3-16.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-808</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-808: medium priority package update for php56</title><issued date="2017-03-28 23:30" /><updated date="2017-03-29 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10168:
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
1418986:
CVE-2016-10168 gd: Integer overflow in gd_io.c

CVE-2016-10167:
1418984:
CVE-2016-10167 gd: DoS vulnerability in gdImageCreateFromGd2Ctx()
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

CVE-2016-10161:
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
1419010:
CVE-2016-10161 php: Out-of-bounds heap read on unserialize in finish_nested_data()

CVE-2016-10160:
1419018:
CVE-2016-10160 php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.

CVE-2016-10159:
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
1419020:
CVE-2016-10159 php: Integer overflow in phar_parse_pharfile

CVE-2016-10158:
It was found that the exif_convert_any_to_int() function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service.
1419015:
CVE-2016-10158 php: Wrong calculation in exif_convert_any_to_int function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168" id="CVE-2016-10168" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161" id="CVE-2016-10161" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160" id="CVE-2016-10160" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158" id="CVE-2016-10158" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159" id="CVE-2016-10159" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167" id="CVE-2016-10167" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-intl" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-intl-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-enchant-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-gmp-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mcrypt-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-imap-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-gd-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php56" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-fpm-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-embedded-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-xml-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-dbg-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-devel-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mbstring-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-snmp-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-dba-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-tidy-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-xmlrpc-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.133.amzn1" 
version="5.6.30"><filename>Packages/php56-opcache-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-bcmath-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mssql-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-cli-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mysqlnd-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-pdo-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-debuginfo-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-ldap-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-soap-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-odbc-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-recode-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.133.amzn1" 
version="5.6.30"><filename>Packages/php56-common-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-pgsql-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-process-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-pspell-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mcrypt-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-cli-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-pgsql-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-pdo-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mbstring-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-recode-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-embedded-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-soap" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-soap-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-gd-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-gmp-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-fpm-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-tidy-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-enchant-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-common-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mssql-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-dbg-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-bcmath-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-imap-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-snmp-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-devel" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-devel-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-xml-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-opcache-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-pspell-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-debuginfo-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-mysqlnd-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-intl-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-ldap-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-odbc-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-dba-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.133.amzn1" version="5.6.30"><filename>Packages/php56-process-5.6.30-1.133.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.133.amzn1" 
version="5.6.30"><filename>Packages/php56-xmlrpc-5.6.30-1.133.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-809</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-809: low priority package update for vim</title><issued date="2017-03-29 16:45" /><updated date="2017-03-29 21:43" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6350:
1427945:
CVE-2017-6350 vim: Integer overflow at an unserialize_uep memory allocation site
An integer overflow flaw was found in the way vim handled tree length values when reading an undo file. This bug could result in vim crashing when trying to process corrupted undo files.

CVE-2017-6349:
An integer overflow flaw was found in the way vim handled undo files. This bug could result in vim crashing when trying to process corrupted undo files.
1427944:
CVE-2017-6349 vim: Integer overflow at a u_read_undo memory allocation site

CVE-2017-5953:
vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.
1421613:
CVE-2017-5953 vim: Tree length values not validated properly when handling a spell file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6350" id="CVE-2017-6350" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6349" id="CVE-2017-6349" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953" id="CVE-2017-5953" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="vim-enhanced" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-enhanced-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-filesystem" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-filesystem-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-debuginfo" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-debuginfo-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-common" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-common-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-minimal" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-minimal-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="vim-debuginfo" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-debuginfo-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-enhanced" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-enhanced-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-minimal" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-minimal-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="2" name="vim-filesystem" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-filesystem-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-common" release="1.45.amzn1" version="8.0.0503"><filename>Packages/vim-common-8.0.0503-1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-810</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-810: medium priority package update for tomcat6</title><issued date="2017-03-29 16:48" /><updated date="2017-03-29 22:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8745:
1403824:
CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing

CVE-2016-6816:
1397484:
CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745" id="CVE-2016-8745" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" id="CVE-2016-6816" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:0527.html" id="RHSA-2017:0527" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-webapps-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-jsp-2.1-api-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-servlet-2.5-api-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-lib-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-el-2.1-api-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-docs-webapp-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.10.amzn1" version="6.0.51"><filename>Packages/tomcat6-admin-webapps-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.10.amzn1"
version="6.0.51"><filename>Packages/tomcat6-javadoc-6.0.51-1.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-811</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-811: important priority package update for kernel</title><issued date="2017-03-29 17:59" /><updated date="2017-03-29 22:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7184:


CVE-2017-6347:
1427984:
CVE-2017-6347 kernel: ipv4: Incorrect IP_CHECKSUM handling
The skbs processed by ip_cmsg_recv() are not guaranteed to be linear (e.g. when sending UDP packets over loopback with MSGMORE). Using csum_partial() on potentially the whole skb len is dangerous; instead be on the safe side and use skb_checksum(). This may lead to an infoleak as the kernel memory may be checksummed and sent as part of the packet.
10730 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184" id="CVE-2017-7184" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6347" id="CVE-2017-6347" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-tools-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="40.60.amzn1" version="4.4.51"><filename>Packages/perf-debuginfo-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-headers-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-tools-devel-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-devel-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="40.60.amzn1" version="4.4.51"><filename>Packages/perf-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="kernel-debuginfo-common-x86_64" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-tools-devel-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-devel-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-headers-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="40.60.amzn1" version="4.4.51"><filename>Packages/perf-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-debuginfo-common-i686-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-tools-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="40.60.amzn1" version="4.4.51"><filename>Packages/perf-debuginfo-4.4.51-40.60.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" 
release="40.60.amzn1" version="4.4.51"><filename>Packages/kernel-doc-4.4.51-40.60.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-812</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-812: medium priority package update for php70</title><issued date="2017-03-29 20:15" /><updated date="2017-03-29 22:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5340:
1412631:
CVE-2017-5340 php: Use of uninitialized memory in unserialize()
Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.

CVE-2016-7479:
In all versions of PHP 7, during the unserialization process, resizing the &#039;properties&#039; hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
1412686:
CVE-2016-7479 php: Use-after-free vulnerability when resizing the 'properties' hash table of a serialized object

CVE-2016-10168:
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
1418986:
CVE-2016-10168 gd: Integer overflow in gd_io.c

CVE-2016-10167:
1418984:
CVE-2016-10167 gd: DoS vulnerability in gdImageCreateFromGd2Ctx()
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

CVE-2016-10162:
1419012:
CVE-2016-10162 php: Null pointer dereference when unserializing PHP object
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

CVE-2016-10161:
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
1419010:
CVE-2016-10161 php: Out-of-bounds heap read on unserialize in finish_nested_data()

CVE-2016-10160:
1419018:
CVE-2016-10160 php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.

CVE-2016-10159:
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
1419020:
CVE-2016-10159 php: Integer overflow in phar_parse_pharfile

CVE-2016-10158:
It was found that the exif_convert_any_to_int() function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service.
1419015:
CVE-2016-10158 php: Wrong calculation in exif_convert_any_to_int function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168" id="CVE-2016-10168" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7479" id="CVE-2016-7479" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161" id="CVE-2016-10161" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160" id="CVE-2016-10160" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10162" id="CVE-2016-10162" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158" id="CVE-2016-10158" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159" id="CVE-2016-10159" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167" id="CVE-2016-10167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5340" id="CVE-2017-5340" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php70-process" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-process-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.21.amzn1"
version="7.0.16"><filename>Packages/php70-opcache-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-xml-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-xmlrpc-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-cli-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-intl-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-tidy-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-common-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-bcmath-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-zip-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-gd-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pspell-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-ldap-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-pdo" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pdo-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-snmp-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-mbstring-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-soap-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-mcrypt-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-recode-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-json-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-dbg-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-odbc-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-gmp-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-fpm-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php70-dba" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-dba-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pgsql-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-mysqlnd-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pdo-dblib-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-debuginfo-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-imap-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-devel-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-enchant-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-embedded-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-common-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.21.amzn1" 
version="7.0.16"><filename>Packages/php70-bcmath-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-zip-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-xml-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-gmp-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-ldap-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pdo-dblib-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-gd-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-mysqlnd-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-embedded-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-opcache-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-tidy-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-intl-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.21.amzn1" 
version="7.0.16"><filename>Packages/php70-process-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-soap-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-imap-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pdo-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-mcrypt-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-mbstring-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-fpm-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-dba-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-cli-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pspell-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-dbg-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-pgsql-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.21.amzn1" 
version="7.0.16"><filename>Packages/php70-recode-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-xmlrpc-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-debuginfo-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-enchant-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-devel-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-json-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-snmp-7.0.16-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.21.amzn1" version="7.0.16"><filename>Packages/php70-odbc-7.0.16-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-813</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-813: medium priority package update for wireshark</title><issued date="2017-04-04 12:00" /><updated date="2017-04-04 12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3813:
A flaw was found in the way packet reassembly code of wireshark would parse a packet which could leak memory.
An attacker could use this flaw to crash wireshark by sending a specially crafted packet onto the wire or by convincing wireshark user to read malformed packet trace file.
1222438:
CVE-2015-3813 wireshark: Reassembly memory leak (wnpa-sec-2015-16)

CVE-2015-3812:
1222437:
CVE-2015-3812 wireshark: X11 memory leak (wnpa-sec-2015-15)
A flaw was found in X11 dissector of wireshark of which an attacker could make wireshark consume excessive CPU resources which could make system unresponsive by injecting specially crafted packet onto the wire or by convincing wireshark user to read malformed packet trace file.

CVE-2015-3811:
A flaw was found in WCP dissector of wireshark of which an attacker could crash wireshark by injecting a specially crafted packet onto the wire or by convincing wireshark user to read malformed packet trace file.
1222436:
CVE-2015-3811 wireshark: WCP dissector crash (wnpa-sec-2015-14)

CVE-2013-4075:
A flaw was found in GMR (Geo-Mobile Radio) 1 BCCH protocol dissector of wireshark which an attacker can trigger a denial of service attack and crash wireshark by sending a specially crafted packet onto the wire or by convincing wireshark user to read malformed packet trace file.
972680:
CVE-2013-4075 wireshark: DoS (crash) in the GMR-1 BCCH dissector (wnpa-sec-2013-33)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075" id="CVE-2013-4075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3811" id="CVE-2015-3811" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3813" id="CVE-2015-3813" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3812" id="CVE-2015-3812" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wireshark-debuginfo" release="25.22.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-25.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark-devel" release="25.22.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-25.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wireshark" release="25.22.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-25.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wireshark" release="25.22.amzn1" version="1.8.10"><filename>Packages/wireshark-1.8.10-25.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-debuginfo" release="25.22.amzn1" version="1.8.10"><filename>Packages/wireshark-debuginfo-1.8.10-25.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wireshark-devel" release="25.22.amzn1" version="1.8.10"><filename>Packages/wireshark-devel-1.8.10-25.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-814</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-814: medium priority
package update for kernel</title><issued date="2017-04-06 21:16" /><updated date="2017-04-17 16:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6353:
It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by CVE-2017-5986 fix (commit 2dcab5984841).
1428907:
CVE-2017-6353 kernel: Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986)

CVE-2017-5986:
It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread.
1420276:
CVE-2017-5986 kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf

CVE-2017-5669:
The do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context.
1427239:
CVE-2017-5669 kernel: Shmat allows mmap null page protection bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353" id="CVE-2017-6353" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986" id="CVE-2017-5986" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669" id="CVE-2017-5669" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-tools-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-headers-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-debuginfo-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-tools-devel-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-tools-debuginfo-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="10.30.amzn1" version="4.9.20"><filename>Packages/perf-debuginfo-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="10.30.amzn1" version="4.9.20"><filename>Packages/perf-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-devel-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="10.30.amzn1" version="4.9.20"><filename>Packages/perf-debuginfo-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-tools-devel-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-debuginfo-common-i686-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-tools-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-tools-debuginfo-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="10.30.amzn1" version="4.9.20"><filename>Packages/perf-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-headers-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-debuginfo-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" 
release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-devel-4.9.20-10.30.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="10.30.amzn1" version="4.9.20"><filename>Packages/kernel-doc-4.9.20-10.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-815</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-815: medium priority package update for gnutls</title><issued date="2017-04-06 21:21" /><updated date="2017-04-17 16:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5337:
* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash.

CVE-2017-5336:
* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash.

CVE-2017-5335:
* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash.

CVE-2016-8610:
* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335" id="CVE-2017-5335" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336" id="CVE-2017-5336" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337" id="CVE-2017-5337" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610" id="CVE-2016-8610" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:0574.html" id="RHSA-2017:0574" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnutls-guile" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-guile-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-debuginfo" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-debuginfo-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-devel" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-devel-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls-utils" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-utils-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnutls" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnutls" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-2.12.23-21.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-devel" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-devel-2.12.23-21.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-guile" release="21.18.amzn1"
version="2.12.23"><filename>Packages/gnutls-guile-2.12.23-21.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-utils" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-utils-2.12.23-21.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnutls-debuginfo" release="21.18.amzn1" version="2.12.23"><filename>Packages/gnutls-debuginfo-2.12.23-21.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-816</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-816: medium priority package update for ntp</title><issued date="2017-04-20 05:54" /><updated date="2017-04-20 20:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6464:
A vulnerability was discovered in the NTP server&#039;s parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.
1433987:
CVE-2017-6464 ntp: Denial of Service via Malformed Config

CVE-2017-6463:
A vulnerability was discovered in the NTP server&#039;s parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.
1434002:
CVE-2017-6463 ntp: Authenticated DoS via Malicious Config Option

CVE-2017-6462:
1433995:
CVE-2017-6462 ntp: Buffer Overflow in DPTS Clock
A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash.

CVE-2017-6458:
1434005:
CVE-2017-6458 ntp: Potential Overflows in ctl_put() functions
A vulnerability was found in NTP, in the building of response packets with custom fields.
If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash.

CVE-2017-6451:
A vulnerability was found in NTP, in the legacy MX4200 refclock implementation. If this refclock was compiled in and used, an attacker may be able to induce stack overflow, leading to a crash or potential code execution.
1434011:
CVE-2017-6451 ntp: Improper use of snprintf() in mx4200_send()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464" id="CVE-2017-6464" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458" id="CVE-2017-6458" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451" id="CVE-2017-6451" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463" id="CVE-2017-6463" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462" id="CVE-2017-6462" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntpdate" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-44.34.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntp-doc-4.2.6p5-44.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntp-perl-4.2.6p5-44.34.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-44.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="44.34.amzn1"
version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-44.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntp-4.2.6p5-44.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntpdate-4.2.6p5-44.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="44.34.amzn1" version="4.2.6p5"><filename>Packages/ntp-debuginfo-4.2.6p5-44.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-817</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-817: medium priority package update for cacti</title><issued date="2017-04-20 05:59" /><updated date="2017-04-20 22:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4000:
CVE-2014-4000
An
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000" id="CVE-2014-4000" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="1.14.amzn1" version="1.0.4"><filename>Packages/cacti-1.0.4-1.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-818</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-818: medium priority package update for munin</title><issued date="2017-04-20 06:03" /><updated date="2017-04-20 22:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6188:
CVE-2017-6188
stuff
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6188" id="CVE-2017-6188" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="munin-cgi" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-cgi-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-ruby-plugins" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-ruby-plugins-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-node" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-node-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-netip-plugins" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-netip-plugins-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-common" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-common-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-java-plugins" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-java-plugins-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-nginx" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-nginx-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="munin-async" release="5.38.amzn1" version="2.0.30"><filename>Packages/munin-async-2.0.30-5.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security"
version="1.4"><id>ALAS-2017-819</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-819: medium priority package update for R</title><issued date="2017-04-20 06:04" /><updated date="2017-04-20 22:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8714:
1363982: stuff
stuff
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8714" id="CVE-2017-8714" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="R-core-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-core-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="R-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="R" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="R-debuginfo" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-debuginfo-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="R-java-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-java-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libRmath" release="1.51.amzn1" version="3.3.3"><filename>Packages/libRmath-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="R-java" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-java-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libRmath-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/libRmath-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="R-core" release="1.51.amzn1"
version="3.3.3"><filename>Packages/R-core-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libRmath-static" release="1.51.amzn1" version="3.3.3"><filename>Packages/libRmath-static-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="R-core" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-core-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="R-java-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-java-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="R-core-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-core-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="R-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="R-debuginfo" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-debuginfo-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="R-java" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-java-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libRmath-devel" release="1.51.amzn1" version="3.3.3"><filename>Packages/libRmath-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libRmath-static" release="1.51.amzn1" version="3.3.3"><filename>Packages/libRmath-static-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libRmath" release="1.51.amzn1" version="3.3.3"><filename>Packages/libRmath-3.3.3-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="R" release="1.51.amzn1" version="3.3.3"><filename>Packages/R-3.3.3-1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2017-820</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-820: medium priority package update for GraphicsMagick</title><issued date="2017-04-20 06:08" /><updated date="2017-04-20 21:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6335:
1427975:
CVE-2017-6335 ImageMagick: Heap out-of-bounds read in tiff.c
The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a small samples per pixel value in a CMYKA TIFF file.

CVE-2016-9830:


CVE-2016-8684:


CVE-2016-8683:


CVE-2016-8682:


CVE-2016-7997:


CVE-2016-7996:


CVE-2016-7800:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6335" id="CVE-2017-6335" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7997" id="CVE-2016-7997" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7996" id="CVE-2016-7996" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8684" id="CVE-2016-8684" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8682" id="CVE-2016-8682" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8683" id="CVE-2016-8683" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9830" id="CVE-2016-9830" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800" id="CVE-2016-7800" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon
Linux AMI</name><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-devel-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-doc-1.3.25-6.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-perl-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-devel-1.3.25-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="6.10.amzn1" 
version="1.3.25"><filename>Packages/GraphicsMagick-perl-1.3.25-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-1.3.25-6.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="6.10.amzn1" version="1.3.25"><filename>Packages/GraphicsMagick-c++-1.3.25-6.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-821</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-821: important priority package update for tomcat6</title><issued date="2017-04-20 06:17" /><updated date="2017-04-20 21:55" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5647:
1441205:
CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647" id="CVE-2017-5647" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat6-docs-webapp" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-docs-webapp-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-webapps" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-webapps-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-admin-webapps" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-admin-webapps-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-el-2.1-api" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-el-2.1-api-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-servlet-2.5-api" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-servlet-2.5-api-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-jsp-2.1-api" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-jsp-2.1-api-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-lib" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-lib-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat6-javadoc" release="1.11.amzn1" version="6.0.53"><filename>Packages/tomcat6-javadoc-6.0.53-1.11.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final"
type="security" version="1.4"><id>ALAS-2017-822</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-822: important priority package update for tomcat7 tomcat8</title><issued date="2017-04-20 06:18" /><updated date="2017-04-20 21:56" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5648:
1441223:
CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

CVE-2017-5647:
1441205:
CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647" id="CVE-2017-5647" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648" id="CVE-2017-5648" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-servlet-3.0-api-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-lib-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-el-2.2-api-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-jsp-2.2-api-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-log4j-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-javadoc-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-webapps-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-admin-webapps-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch"
epoch="0" name="tomcat7-docs-webapp" release="1.26.amzn1" version="7.0.77"><filename>Packages/tomcat7-docs-webapp-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-servlet-3.1-api-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-el-3.0-api-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-webapps-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-docs-webapp-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-javadoc-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-jsp-2.3-api-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-log4j-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.70.amzn1" version="8.0.43"><filename>Packages/tomcat8-admin-webapps-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.70.amzn1" 
version="8.0.43"><filename>Packages/tomcat8-lib-8.0.43-1.70.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-823</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-823: medium priority package update for util-linux</title><issued date="2017-04-27 00:00" /><updated date="2017-04-27 19:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-2616:
A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.
1418710:
CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616" id="CVE-2017-2616" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libuuid-devel" release="33.28.amzn1" version="2.23.2"><filename>Packages/libuuid-devel-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libblkid" release="33.28.amzn1" version="2.23.2"><filename>Packages/libblkid-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="util-linux" release="33.28.amzn1" version="2.23.2"><filename>Packages/util-linux-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libmount" release="33.28.amzn1" version="2.23.2"><filename>Packages/libmount-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libblkid-devel" release="33.28.amzn1"
version="2.23.2"><filename>Packages/libblkid-devel-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libuuid" release="33.28.amzn1" version="2.23.2"><filename>Packages/libuuid-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="util-linux-debuginfo" release="33.28.amzn1" version="2.23.2"><filename>Packages/util-linux-debuginfo-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="uuidd" release="33.28.amzn1" version="2.23.2"><filename>Packages/uuidd-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libmount-devel" release="33.28.amzn1" version="2.23.2"><filename>Packages/libmount-devel-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="util-linux" release="33.28.amzn1" version="2.23.2"><filename>Packages/util-linux-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libblkid-devel" release="33.28.amzn1" version="2.23.2"><filename>Packages/libblkid-devel-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libuuid" release="33.28.amzn1" version="2.23.2"><filename>Packages/libuuid-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="uuidd" release="33.28.amzn1" version="2.23.2"><filename>Packages/uuidd-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libmount-devel" release="33.28.amzn1" version="2.23.2"><filename>Packages/libmount-devel-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="util-linux-debuginfo" release="33.28.amzn1" version="2.23.2"><filename>Packages/util-linux-debuginfo-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libuuid-devel" release="33.28.amzn1" version="2.23.2"><filename>Packages/libuuid-devel-2.23.2-33.28.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="libblkid" release="33.28.amzn1" version="2.23.2"><filename>Packages/libblkid-2.23.2-33.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libmount" release="33.28.amzn1" version="2.23.2"><filename>Packages/libmount-2.23.2-33.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-824</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-824: important priority package update for 389-ds-base</title><issued date="2017-04-27 00:02" /><updated date="2017-04-27 19:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-2668:
1436575:
CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages
An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2668" id="CVE-2017-2668" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-libs-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-snmp-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-devel-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-libs-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="20.50.amzn1" version="1.3.5.10"><filename>Packages/389-ds-base-devel-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="20.50.amzn1"
version="1.3.5.10"><filename>Packages/389-ds-base-snmp-1.3.5.10-20.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-825</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-825: critical priority package update for nss nss-util</title><issued date="2017-04-27 00:04" /><updated date="2017-04-27 19:52" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5461:
* An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461" id="CVE-2017-5461" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1100.html" id="RHSA-2017:1100" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-util" release="1.0.52.amzn1" version="3.28.4"><filename>Packages/nss-util-3.28.4-1.0.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-devel" release="1.0.52.amzn1" version="3.28.4"><filename>Packages/nss-util-devel-3.28.4-1.0.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-util-debuginfo" release="1.0.52.amzn1" version="3.28.4"><filename>Packages/nss-util-debuginfo-3.28.4-1.0.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-debuginfo" release="1.0.52.amzn1"
version="3.28.4"><filename>Packages/nss-util-debuginfo-3.28.4-1.0.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util" release="1.0.52.amzn1" version="3.28.4"><filename>Packages/nss-util-3.28.4-1.0.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-util-devel" release="1.0.52.amzn1" version="3.28.4"><filename>Packages/nss-util-devel-3.28.4-1.0.52.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-sysinit-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-debuginfo-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-pkcs11-devel-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-tools-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-devel-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-pkcs11-devel-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-debuginfo-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="nss-devel" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-devel-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-tools-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="1.0.78.amzn1" version="3.28.4"><filename>Packages/nss-sysinit-3.28.4-1.0.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-826</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-826: important priority package update for bind</title><issued date="2017-04-27 00:07" /><updated date="2017-04-27 19:54" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3137:
* A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.

CVE-2017-3136:
* A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136" id="CVE-2017-3136" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137" id="CVE-2017-3137" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1105.html" id="RHSA-2017:1105" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.62.rc1.54.amzn1"
version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.62.rc1.54.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-827</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-827: medium priority package update for java-1.8.0-openjdk</title><issued date="2017-05-09 23:21" /><updated date="2017-05-10 23:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3544:
A newline injection flaw was discovered in the SMTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate SMTP connections established by a Java application.
1443068:
CVE-2017-3544 OpenJDK: newline injection in the SMTP client (Networking, 8171533)

CVE-2017-3539:
1443097:
CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm.

CVE-2017-3533:
A newline injection flaw was discovered in the FTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate FTP connections established by a Java application.
1443083:
CVE-2017-3533 OpenJDK: newline injection in the FTP client (Networking, 8170222)

CVE-2017-3526:
It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.
1443252:
CVE-2017-3526 OpenJDK: incomplete XML parse tree size enforcement (JAXP, 8169011)

CVE-2017-3511:
1443007:
CVE-2017-3511 OpenJDK: untrusted extension directories search path in Launcher (JCE, 8163528)
An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges.

CVE-2017-3509:
It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user.
1443052:
CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Networking, 8163520)

CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509" id="CVE-2017-3509" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544" id="CVE-2017-3544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533" id="CVE-2017-3533" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" id="CVE-2016-5542" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511" id="CVE-2017-3511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539" id="CVE-2017-3539" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526" id="CVE-2017-3526" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.131-2.b11.30.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="2.b11.30.amzn1"
version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.131-2.b11.30.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="2.b11.30.amzn1" 
version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="2.b11.30.amzn1" version="1.8.0.131"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-828</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-828: important priority package update for kernel</title><issued date="2017-05-10 17:06" /><updated date="2017-05-10 23:56" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7618:
1441093:
CVE-2017-7618 kernel: Infinite recursion in ahash.c by triggering EBUSY on a full queue
A vulnerability was found in crypto/ahash.c in the Linux kernel which allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.

CVE-2017-7616:
Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in &#039;mm/mempolicy.c&#039; in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.
1441088:
CVE-2017-7616 kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c

CVE-2017-7308:
It was found that the packet_set_ring() function of the Linux kernel&#039;s networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1437404:
CVE-2017-7308 kernel: net/packet: overflow in check for priv area size

CVE-2017-7187:
1434327:
CVE-2017-7187 kernel: scsi: Stack-based buffer overflow in sg_ioctl function
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.

CVE-2017-5967:
The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.
1422138:
CVE-2017-5967 kernel: Time subsystem allows local users to discover real PID values

CVE-2017-2671:
A race condition leading to a NULL pointer dereference was found in the Linux kernel&#039;s Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618" id="CVE-2017-7618" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5967" id="CVE-2017-5967" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7187" id="CVE-2017-7187" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7616" id="CVE-2017-7616" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2671" id="CVE-2017-2671" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308" id="CVE-2017-7308" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-headers-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-tools-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="14.31.amzn1" version="4.9.27"><filename>Packages/perf-debuginfo-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="14.31.amzn1" version="4.9.27"><filename>Packages/perf-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-tools-devel-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="14.31.amzn1"
version="4.9.27"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-debuginfo-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-devel-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="14.31.amzn1" version="4.9.27"><filename>Packages/perf-debuginfo-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-headers-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-debuginfo-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-tools-devel-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-tools-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-devel-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="14.31.amzn1" 
version="4.9.27"><filename>Packages/kernel-debuginfo-common-i686-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="14.31.amzn1" version="4.9.27"><filename>Packages/perf-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.31.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="14.31.amzn1" version="4.9.27"><filename>Packages/kernel-doc-4.9.27-14.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-829</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-829: medium priority package update for collectd</title><issued date="2017-05-18 18:58" /><updated date="2017-05-19 03:37" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7401:
1439674:
CVE-2017-7401 collectd: Infinite loop due to incorrect interaction of parse_packet() and parse_part_sign_sha256() functions
collectd contains an infinite loop due to how the parse_packet() and parse_part_sign_sha256() functions interact. If an instance of collectd is configured with &quot;SecurityLevel None&quot; and with empty &quot;AuthFile&quot; options an attacker can send crafted UDP packets that trigger the infinite loop, causing a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7401" id="CVE-2017-7401" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="collectd-memcachec" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-memcachec-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-curl_xml" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-curl_xml-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-bind" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-bind-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-lua" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-lua-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-java" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-java-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-snmp" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-snmp-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-write_sensu" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-write_sensu-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-dns" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-dns-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcollectdclient" release="3.18.amzn1" version="5.7.1"><filename>Packages/libcollectdclient-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-apache" release="3.18.amzn1"
version="5.7.1"><filename>Packages/collectd-apache-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-ipmi" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-ipmi-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-lvm" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-lvm-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-chrony" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-chrony-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-mysql" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-mysql-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-nginx" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-nginx-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-netlink" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-netlink-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-varnish" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-varnish-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-amqp" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-amqp-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-iptables" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-iptables-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Collectd" release="3.18.amzn1" version="5.7.1"><filename>Packages/perl-Collectd-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-drbd" release="3.18.amzn1" 
version="5.7.1"><filename>Packages/collectd-drbd-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-python" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-python-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-generic-jmx" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-generic-jmx-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-email" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-email-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-postgresql" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-postgresql-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-write_http" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-write_http-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-web" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-web-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-debuginfo" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-debuginfo-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-dbi" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-dbi-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-openldap" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-openldap-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-rrdcached" release="3.18.amzn1" 
version="5.7.1"><filename>Packages/collectd-rrdcached-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-notify_email" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-notify_email-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcollectdclient-devel" release="3.18.amzn1" version="5.7.1"><filename>Packages/libcollectdclient-devel-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-zookeeper" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-zookeeper-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-rrdtool" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-rrdtool-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-utils" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-utils-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-write_tsdb" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-write_tsdb-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-curl" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-curl-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-ipvs" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-ipvs-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-hugepages" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-hugepages-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-gmond" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-gmond-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="collectd-rrdtool" release="3.18.amzn1" 
version="5.7.1"><filename>Packages/collectd-rrdtool-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-memcachec" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-memcachec-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-rrdcached" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-rrdcached-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-curl_xml" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-curl_xml-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-hugepages" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-hugepages-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-python" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-python-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcollectdclient" release="3.18.amzn1" version="5.7.1"><filename>Packages/libcollectdclient-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-chrony" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-chrony-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-gmond" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-gmond-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-email" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-email-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-netlink" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-netlink-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-generic-jmx" release="3.18.amzn1" 
version="5.7.1"><filename>Packages/collectd-generic-jmx-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-write_http" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-write_http-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-postgresql" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-postgresql-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-amqp" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-amqp-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-zookeeper" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-zookeeper-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-dns" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-dns-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-apache" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-apache-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-dbi" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-dbi-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-lvm" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-lvm-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-web" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-web-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-bind" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-bind-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="collectd-java" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-java-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-varnish" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-varnish-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-iptables" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-iptables-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-debuginfo" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-debuginfo-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-write_sensu" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-write_sensu-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-write_tsdb" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-write_tsdb-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-snmp" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-snmp-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-utils" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-utils-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-ipmi" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-ipmi-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-curl" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-curl-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-drbd" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-drbd-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcollectdclient-devel" release="3.18.amzn1" 
version="5.7.1"><filename>Packages/libcollectdclient-devel-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-nginx" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-nginx-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-notify_email" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-notify_email-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-mysql" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-mysql-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Collectd" release="3.18.amzn1" version="5.7.1"><filename>Packages/perl-Collectd-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-lua" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-lua-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-ipvs" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-ipvs-5.7.1-3.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-openldap" release="3.18.amzn1" version="5.7.1"><filename>Packages/collectd-openldap-5.7.1-3.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-830</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-830: important priority package update for mysql56</title><issued date="2017-05-18 22:01" /><updated date="2017-05-19 03:44" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3599:
An integer overflow flaw leading to a buffer overflow was found in the way MySQL parsed connection handshake packets.
An unauthenticated remote attacker with access to the MySQL port could use this flaw to crash the mysqld daemon.
1443386:
CVE-2017-3599 mysql: integer underflow in get_56_lenc_string() leading to DoS (CPU Apr 2017)

CVE-2017-3464:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1443379:
CVE-2017-3464 mysql: Server: DDL unspecified vulnerability (CPU Apr 2017)

CVE-2017-3463:
1443378:
CVE-2017-3463 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3462:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier.
Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443377:
CVE-2017-3462 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)

CVE-2017-3461:
1443376:
CVE-2017-3461 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3456:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443369:
CVE-2017-3456 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)

CVE-2017-3453:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1443365:
CVE-2017-3453 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)

CVE-2017-3450:
1443363:
CVE-2017-3450 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3309:
1443359:
CVE-2017-3309 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier.
Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

CVE-2017-3308:
1443358:
CVE-2017-3308 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

CVE-2017-3265:
1414423:
CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3462" id="CVE-2017-3462" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3463" id="CVE-2017-3463" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3461" id="CVE-2017-3461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464" id="CVE-2017-3464" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265" id="CVE-2017-3265" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309" id="CVE-2017-3309" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308" id="CVE-2017-3308" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456" id="CVE-2017-3456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3450" id="CVE-2017-3450" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453" id="CVE-2017-3453" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3599" id="CVE-2017-3599" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-server" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-server-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.25.amzn1"
version="5.6.36"><filename>Packages/mysql56-test-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-devel-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-libs-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-errmsg-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-debuginfo-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-embedded-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-embedded-devel-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-common-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-bench-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.25.amzn1" 
version="5.6.36"><filename>Packages/mysql56-embedded-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-server-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-common-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-bench-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-libs-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-errmsg-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-test-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-devel-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-debuginfo-5.6.36-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.25.amzn1" version="5.6.36"><filename>Packages/mysql56-embedded-devel-5.6.36-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-831</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-831: medium priority package update for mysql55</title><issued date="2017-05-19 00:27" /><updated date="2017-05-19 03:44" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3464:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1443379:
CVE-2017-3464 mysql: Server: DDL unspecified vulnerability (CPU Apr 2017)

CVE-2017-3463:
1443378:
CVE-2017-3463 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3462:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443377:
CVE-2017-3462 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)

CVE-2017-3461:
1443376:
CVE-2017-3461 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3456:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443369:
CVE-2017-3456 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)

CVE-2017-3453:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1443365:
CVE-2017-3453 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)

CVE-2017-3450:
1443363:
CVE-2017-3450 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3309:
1443359:
CVE-2017-3309 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier.
Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

CVE-2017-3308:
1443358:
CVE-2017-3308 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

CVE-2017-3265:
1414423:
CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3462" id="CVE-2017-3462" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3463" id="CVE-2017-3463" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3461" id="CVE-2017-3461" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464" id="CVE-2017-3464" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265" id="CVE-2017-3265" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309" id="CVE-2017-3309" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308" id="CVE-2017-3308" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456" id="CVE-2017-3456" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453" id="CVE-2017-3453" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3450" id="CVE-2017-3450" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-embedded-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="mysql55-devel" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-devel-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-embedded-devel-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-libs-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-server-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql-config-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-debuginfo-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-bench-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-test-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-test-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-server-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.17.amzn1" 
version="5.5.56"><filename>Packages/mysql55-embedded-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-libs-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-embedded-devel-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql-config-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-bench-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-debuginfo-5.5.56-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.17.amzn1" version="5.5.56"><filename>Packages/mysql55-devel-5.5.56-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-832</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-832: important priority package update for kernel</title><issued date="2017-05-23 23:25" /><updated date="2017-05-31 21:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11093 CVE-2016-10229: 11094 1439740: 11095 CVE-2016-10229 kernel: net: Unsafe second checksum calculation in udp.c 11096 The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. 
This may create a kernel panic or memory corruption leading to privilege escalation. 11097 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229" id="CVE-2016-10229" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-headers-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="8.31.amzn1" version="4.9.17"><filename>Packages/perf-debuginfo-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="8.31.amzn1" version="4.9.17"><filename>Packages/perf-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-debuginfo-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-tools-devel-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-tools-debuginfo-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-devel-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" 
release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-tools-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="8.31.amzn1" version="4.9.17"><filename>Packages/perf-debuginfo-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="8.31.amzn1" version="4.9.17"><filename>Packages/perf-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-tools-debuginfo-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-tools-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-headers-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-debuginfo-common-i686-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-debuginfo-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-devel-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="8.31.amzn1" version="4.9.17"><filename>Packages/kernel-tools-devel-4.9.17-8.31.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="8.31.amzn1" 
version="4.9.17"><filename>Packages/kernel-doc-4.9.17-8.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-833</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-833: important priority package update for bind</title><issued date="2017-05-30 23:49" /><updated date="2017-05-31 21:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11098 CVE-2017-3139: 11099 * A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. 11100 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3139" id="CVE-2017-3139" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1202.html" id="RHSA-2017:1202" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-chroot" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.62.rc1.55.amzn1" 
version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.62.rc1.55.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-834</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-834: important priority package update for samba</title><issued date="2017-05-30 23:54" /><updated 
date="2017-05-31 21:43" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7494:
* A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root.

CVE-2017-2619:
A race condition was found in samba server. A malicious samba client could use this flaw to access files and directories, in areas of the server file system not exported under the share definitions.
1429472:
CVE-2017-2619 samba: symlink race permits opening files outside share directory

CVE-2016-2126:
1403115:
CVE-2016-2126 samba: Flaws in Kerberos PAC validation can trigger privilege elevation
A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process.

CVE-2016-2125:
1403114:
CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
11118 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619" id="CVE-2017-2619" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126" id="CVE-2016-2126" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125" id="CVE-2016-2125" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494" id="CVE-2017-7494" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1270.html" id="RHSA-2017:1270" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="samba-python" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-python-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="13.35.amzn1" version="4.4.4"><filename>Packages/libwbclient-devel-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-debuginfo-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="13.35.amzn1" version="4.4.4"><filename>Packages/ctdb-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-tests" release="13.35.amzn1" version="4.4.4"><filename>Packages/ctdb-tests-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-client-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient" release="13.35.amzn1" version="4.4.4"><filename>Packages/libwbclient-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="13.35.amzn1" 
version="4.4.4"><filename>Packages/samba-winbind-modules-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-test-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-winbind-clients-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="13.35.amzn1" version="4.4.4"><filename>Packages/libsmbclient-devel-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="13.35.amzn1" version="4.4.4"><filename>Packages/libsmbclient-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-krb5-printing" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-krb5-printing-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-client-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-common-tools-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-winbind-krb5-locator-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-common-4.4.4-13.35.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="13.35.amzn1" 
version="4.4.4"><filename>Packages/samba-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-devel-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-common-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-winbind-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-pidl-4.4.4-13.35.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-test-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-test-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="13.35.amzn1" version="4.4.4"><filename>Packages/ctdb-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-krb5-printing" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-krb5-printing-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-winbind-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="13.35.amzn1" version="4.4.4"><filename>Packages/libsmbclient-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="13.35.amzn1" 
version="4.4.4"><filename>Packages/samba-winbind-clients-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-test-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-winbind-krb5-locator-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="13.35.amzn1" version="4.4.4"><filename>Packages/libsmbclient-devel-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-winbind-modules-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-python-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-client-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-common-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-common-tools-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="13.35.amzn1" 
version="4.4.4"><filename>Packages/libwbclient-devel-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="13.35.amzn1" version="4.4.4"><filename>Packages/ctdb-tests-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-debuginfo-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="13.35.amzn1" version="4.4.4"><filename>Packages/libwbclient-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-devel-4.4.4-13.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client-libs" release="13.35.amzn1" version="4.4.4"><filename>Packages/samba-client-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-835</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-835: medium priority package update for java-1.7.0-openjdk</title><issued date="2017-06-06 16:33" /><updated date="2017-06-06 22:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11119 CVE-2017-3544: 11120 * Newline injection flaws were discovered in FTP and SMTP client implementations in the Networking component in OpenJDK. A remote attacker could possibly use these flaws to manipulate FTP or SMTP connections established by a Java application. 11121 11122 CVE-2017-3539: 11123 * It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. 
This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm.

CVE-2017-3533:
* Newline injection flaws were discovered in FTP and SMTP client implementations in the Networking component in OpenJDK. A remote attacker could possibly use these flaws to manipulate FTP or SMTP connections established by a Java application.

CVE-2017-3526:
* It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.

CVE-2017-3511:
* An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges.

CVE-2017-3509:
* It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user.

CVE-2016-5542:
Note: This updates extends the fix for CVE-2016-5542 released as part of the RHSA-2016:2658 erratum to no longer allow the MD5 hash algorithm during the Jar integrity verification by adding it to the jdk.jar.disabledAlgorithms security property.
11139 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509" id="CVE-2017-3509" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544" id="CVE-2017-3544" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533" id="CVE-2017-3533" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" id="CVE-2016-5542" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511" id="CVE-2017-3511" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539" id="CVE-2017-3539" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526" id="CVE-2017-3526" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1204.html" id="RHSA-2017:1204" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.73.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" 
release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.10.1.73.amzn1" version="1.7.0.141"><filename>Packages/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-836</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-836: important priority package update for jasper</title><issued date="2017-06-06 16:49" /><updated date="2017-07-25 18:15" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11140 CVE-2016-9600: 11141 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. 
A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9591:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-9583:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9560:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-9394:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9393:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9392:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9391:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9390:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9389:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9388:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9387:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-9262:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-8885:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-8884:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-8883:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-8693:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-8692:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-8691:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.

CVE-2016-8690:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.

CVE-2016-8654:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files.
A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 11202 11203 CVE-2016-2116: 11204 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. 11205 11206 CVE-2016-2089: 11207 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. 11208 11209 CVE-2016-1867: 11210 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. 11211 11212 CVE-2016-1577: 11213 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 11214 11215 CVE-2016-10251: 11216 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash. 11217 11218 CVE-2016-1024: 11219 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 11220 11221 CVE-2015-5221: 11222 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 11223 11224 CVE-2015-5203: 11225 Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. 
11226 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089" id="CVE-2016-2089" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9388" id="CVE-2016-9388" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9389" id="CVE-2016-9389" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9394" id="CVE-2016-9394" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8654" id="CVE-2016-8654" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9391" id="CVE-2016-9391" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9390" id="CVE-2016-9390" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9393" id="CVE-2016-9393" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9392" id="CVE-2016-9392" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203" id="CVE-2015-5203" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8884" id="CVE-2016-8884" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8885" id="CVE-2016-8885" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8883" id="CVE-2016-8883" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1024" id="CVE-2016-1024" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577" id="CVE-2016-1577" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9262" id="CVE-2016-9262" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9600" id="CVE-2016-9600" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867" id="CVE-2016-1867" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10251" id="CVE-2016-10251" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116" id="CVE-2016-2116" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5221" id="CVE-2015-5221" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9591" id="CVE-2016-9591" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9560" id="CVE-2016-9560" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9387" id="CVE-2016-9387" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9583" id="CVE-2016-9583" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8693" id="CVE-2016-8693" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8692" id="CVE-2016-8692" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8691" id="CVE-2016-8691" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8690" id="CVE-2016-8690" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1208.html" id="RHSA-2017:1208" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="jasper-debuginfo" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-libs" release="21.9.amzn1" 
version="1.900.1"><filename>Packages/jasper-libs-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-devel" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-devel-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="jasper-utils" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="jasper-devel" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-devel-1.900.1-21.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-utils" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-utils-1.900.1-21.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-1.900.1-21.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-libs" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-libs-1.900.1-21.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="jasper-debuginfo" release="21.9.amzn1" version="1.900.1"><filename>Packages/jasper-debuginfo-1.900.1-21.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-837</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-837: important priority package update for ghostscript</title><issued date="2017-06-06 16:51" /><updated date="2017-06-06 22:44" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8291:
* It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291" id="CVE-2017-8291" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1230.html" id="RHSA-2017:1230" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ghostscript-doc" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-23.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-devel" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-23.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-debuginfo" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-23.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-23.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-23.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-debuginfo" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-23.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-doc" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-23.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-devel" release="23.25.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-23.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-838</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-838: medium priority package update for postgresql92</title><issued date="2017-06-06 16:53" /><updated date="2017-06-06 22:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7486:
1448089:
CVE-2017-7486 postgresql: pg_user_mappings view discloses foreign server passwords
It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database.

CVE-2017-7484:
It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
1448078:
CVE-2017-7484 postgresql: Selectivity estimators bypass SELECT privilege checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484" id="CVE-2017-7484" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486" id="CVE-2017-7486" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-plperl-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-libs-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-pltcl-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-plpython26-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-test-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-server-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-plpython27-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql92-debuginfo" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-debuginfo-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-server-compat-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-contrib-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-devel-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-docs-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-plperl-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-server-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-libs-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-plpython26-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.60.amzn1" 
version="9.2.21"><filename>Packages/postgresql92-pltcl-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-docs-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-contrib-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-debuginfo-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-server-compat-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-plpython27-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-devel-9.2.21-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.60.amzn1" version="9.2.21"><filename>Packages/postgresql92-test-9.2.21-1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-839</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-839: medium priority package update for postgresql93 postgresql94 postgresql95</title><issued date="2017-06-06 16:53" /><updated date="2017-06-06 22:47" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7486:
1448089:
CVE-2017-7486 postgresql: pg_user_mappings view discloses foreign server passwords
It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database.

CVE-2017-7485:
It was found that the PGREQUIRESSL was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
1448086:
CVE-2017-7485 postgresql: libpq ignores PGREQUIRESSL environment variable

CVE-2017-7484:
It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
1448078:
CVE-2017-7484 postgresql: Selectivity estimators bypass SELECT privilege checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484" id="CVE-2017-7484" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7485" id="CVE-2017-7485" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486" id="CVE-2017-7486" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-libs-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-devel-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-docs-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-test-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-plpython26-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-server-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-pltcl-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.63.amzn1" 
version="9.3.17"><filename>Packages/postgresql93-plpython27-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-contrib-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-debuginfo-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-plperl-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-devel-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-contrib-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-debuginfo-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-libs-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-plperl-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-docs-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" 
release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-plpython27-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-plpython26-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-pltcl-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-server-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.63.amzn1" version="9.3.17"><filename>Packages/postgresql93-test-9.3.17-1.63.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-contrib-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-plpython27-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-plperl-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-plpython26-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql94-docs" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-docs-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-server" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-server-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-debuginfo-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-test-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-libs-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-devel-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-docs-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-plpython26-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-plpython27-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-libs-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql94-test" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-test-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-server-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-devel-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-debuginfo-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-plperl-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.68.amzn1" version="9.4.12"><filename>Packages/postgresql94-contrib-9.4.12-1.68.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-docs" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-docs-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-contrib" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-contrib-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-test" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-test-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython27" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-plpython27-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plperl" release="1.72.amzn1" 
version="9.5.7"><filename>Packages/postgresql95-plperl-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-server" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-server-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-static" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-static-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-libs" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-libs-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-debuginfo" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-debuginfo-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython26" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-plpython26-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-devel" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-devel-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-debuginfo" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-debuginfo-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-contrib" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-contrib-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-static" release="1.72.amzn1" 
version="9.5.7"><filename>Packages/postgresql95-static-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plperl" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-plperl-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython27" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-plpython27-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-docs" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-docs-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython26" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-plpython26-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-test" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-test-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-libs" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-libs-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-devel" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-devel-9.5.7-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-server" release="1.72.amzn1" version="9.5.7"><filename>Packages/postgresql95-server-9.5.7-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-840</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-840: important priority package update for libtirpc</title><issued date="2017-06-06 17:00" /><updated date="2017-06-06 22:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2017-8779:
1448124:
CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays
It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779" id="CVE-2017-8779" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtirpc-debuginfo" release="0.8.14.amzn1" version="0.2.4"><filename>Packages/libtirpc-debuginfo-0.2.4-0.8.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtirpc-devel" release="0.8.14.amzn1" version="0.2.4"><filename>Packages/libtirpc-devel-0.2.4-0.8.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtirpc" release="0.8.14.amzn1" version="0.2.4"><filename>Packages/libtirpc-0.2.4-0.8.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtirpc" release="0.8.14.amzn1" version="0.2.4"><filename>Packages/libtirpc-0.2.4-0.8.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtirpc-devel" release="0.8.14.amzn1" version="0.2.4"><filename>Packages/libtirpc-devel-0.2.4-0.8.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtirpc-debuginfo" release="0.8.14.amzn1" version="0.2.4"><filename>Packages/libtirpc-debuginfo-0.2.4-0.8.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-841</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-841: important priority package update for rpcbind</title><issued date="2017-06-06 17:03" /><updated date="2017-06-06 22:50" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8779:
1448124:
CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays
It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779" id="CVE-2017-8779" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1267.html" id="RHSA-2017:1267" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="rpcbind-debuginfo" release="13.9.amzn1" version="0.2.0"><filename>Packages/rpcbind-debuginfo-0.2.0-13.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rpcbind" release="13.9.amzn1" version="0.2.0"><filename>Packages/rpcbind-0.2.0-13.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rpcbind-debuginfo" release="13.9.amzn1" version="0.2.0"><filename>Packages/rpcbind-debuginfo-0.2.0-13.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rpcbind" release="13.9.amzn1" version="0.2.0"><filename>Packages/rpcbind-0.2.0-13.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-842</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-842: medium priority package update for git</title><issued 
date="2017-06-06 17:07" /><updated date="2017-06-06 22:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11265 CVE-2017-8386: 11266 1450407: 11267 CVE-2017-8386 git: Escape out of git-shell 11268 A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options. 11269 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386" id="CVE-2017-8386" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="perl-Git-SVN" release="1.49.amzn1" version="2.7.5"><filename>Packages/perl-Git-SVN-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-cvs-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="1.49.amzn1" version="2.7.5"><filename>Packages/perl-Git-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-all" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-all-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-p4-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-svn-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="1.49.amzn1" version="2.7.5"><filename>Packages/gitweb-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" 
epoch="0" name="emacs-git" release="1.49.amzn1" version="2.7.5"><filename>Packages/emacs-git-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-hg-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="1.49.amzn1" version="2.7.5"><filename>Packages/emacs-git-el-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-debuginfo-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-email-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-daemon-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-bzr-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-daemon-2.7.5-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-2.7.5-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-svn-2.7.5-1.49.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="1.49.amzn1" version="2.7.5"><filename>Packages/git-debuginfo-2.7.5-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-843</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-843: important priority package update for sudo</title><issued date="2017-06-06 17:08" /><updated date="2017-06-06 22:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11270 CVE-2017-1000367: 11271 A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. 11272 1453074: 11273 CVE-2017-1000367 sudo: Privilege escalation in via improper get_process_ttyname() parsing 11274 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367" id="CVE-2017-1000367" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1382.html" id="RHSA-2017:1382" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="sudo" release="28.25.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-28.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-devel" release="28.25.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-28.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-debuginfo" release="28.25.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-28.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sudo-devel" release="28.25.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-28.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo" release="28.25.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-28.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="sudo-debuginfo" release="28.25.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-28.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-844</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-844: critical priority package update for glibc</title><issued date="2017-06-19 08:51" /><updated date="2017-06-19 08:51" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11275 CVE-2017-1000366: 11276 Glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. 
11277 CVE-2017-1000366 11278 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366" id="CVE-2017-1000366" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-utils" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="157.170.amzn1" version="2.17"><filename>Packages/nscd-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-157.170.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="157.170.amzn1" 
version="2.17"><filename>Packages/glibc-common-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="157.170.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-157.170.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="157.170.amzn1" version="2.17"><filename>Packages/nscd-2.17-157.170.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-845</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-845: critical priority package update for kernel</title><issued date="2017-06-19 08:58" /><updated date="2017-06-19 08:58" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11279 CVE-2017-1000371: 11280 CVE-2017-1000371 11281 The offset2lib patch 
as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIMIT_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. 11282 11283 CVE-2017-1000364: 11284 CVE-2017-1000364 11285 An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be jmp ed over, this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). 11286 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364" id="CVE-2017-1000364" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000371" id="CVE-2017-1000371" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-tools-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-devel-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="14.33.amzn1" version="4.9.27"><filename>Packages/perf-debuginfo-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" 
release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-debuginfo-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="14.33.amzn1" version="4.9.27"><filename>Packages/perf-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-headers-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-tools-devel-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-debuginfo-common-i686-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="14.33.amzn1" version="4.9.27"><filename>Packages/perf-debuginfo-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="14.33.amzn1" version="4.9.27"><filename>Packages/perf-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-debuginfo-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="kernel-headers" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-headers-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-tools-devel-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-tools-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-devel-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-4.9.27-14.33.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="14.33.amzn1" version="4.9.27"><filename>Packages/kernel-doc-4.9.27-14.33.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-846</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-846: medium priority package update for kernel</title><issued date="2017-06-22 19:10" /><updated date="2017-06-22 22:52" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11287 CVE-2017-9242: 11288 The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. 
1456388:
CVE-2017-9242 kernel: Incorrect overwrite check in __ip6_append_data()

CVE-2017-9077:
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452744:
CVE-2017-9077 kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance

CVE-2017-9076:
The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452688:
CVE-2017-9076 kernel: net: IPv6 DCCP implementation mishandles inheritance

CVE-2017-9075:
1452691:
CVE-2017-9075 kernel: net: sctp_v6_create_accept_sk function mishandles inheritance
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.

CVE-2017-9074:
The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452679:
CVE-2017-9074 kernel: net: IPv6 fragmentation implementation of nexthdr field may be associated with an invalid option

CVE-2017-9059:
1451386:
CVE-2017-9059 kernel: Module reference leak due to improper shut down of callback channel on umount
The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a &quot;module reference and kernel daemon&quot; leak.

CVE-2017-8890:
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
11319 1450972: 11320 CVE-2017-8890 kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c 11321 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9059" id="CVE-2017-9059" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242" id="CVE-2017-9242" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890" id="CVE-2017-8890" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077" id="CVE-2017-9077" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076" id="CVE-2017-9076" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075" id="CVE-2017-9075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074" id="CVE-2017-9074" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-tools-devel-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-tools-debuginfo-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-headers-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="15.41.amzn1" 
version="4.9.32"><filename>Packages/kernel-debuginfo-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="15.41.amzn1" version="4.9.32"><filename>Packages/perf-debuginfo-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-devel-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-tools-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="15.41.amzn1" version="4.9.32"><filename>Packages/perf-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-devel-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-debuginfo-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-tools-devel-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-debuginfo-common-i686-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-tools-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="15.41.amzn1" 
version="4.9.32"><filename>Packages/kernel-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-tools-debuginfo-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="15.41.amzn1" version="4.9.32"><filename>Packages/perf-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="15.41.amzn1" version="4.9.32"><filename>Packages/perf-debuginfo-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-headers-4.9.32-15.41.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="15.41.amzn1" version="4.9.32"><filename>Packages/kernel-doc-4.9.32-15.41.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-847</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-847: medium priority package update for lynis</title><issued date="2017-06-22 19:19" /><updated date="2017-06-22 23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11322 CVE-2017-8108: 11323 Unspecified tests in Lynis before 2.5.0 allow local users to write to arbitrary files or possibly gain privileges via a symlink attack on a temporary file. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8108" id="CVE-2017-8108" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="lynis" release="1.6.amzn1" version="2.5.0"><filename>Packages/lynis-2.5.0-1.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-848</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-848: important priority package update for nss</title><issued date="2017-06-22 19:20" /><updated date="2017-06-22 22:58" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7502:
A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library.
11327 1446631: 11328 CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages 11329 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7502" id="CVE-2017-7502" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-debuginfo" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-debuginfo-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-pkcs11-devel-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-sysinit-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-tools-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-devel-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-debuginfo-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-sysinit-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-devel-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="1.2.79.amzn1" 
version="3.28.4"><filename>Packages/nss-pkcs11-devel-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-tools-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="1.2.79.amzn1" version="3.28.4"><filename>Packages/nss-3.28.4-1.2.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-849</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-849: important priority package update for puppet3</title><issued date="2017-06-22 19:23" /><updated date="2017-06-22 22:57" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11330 CVE-2017-2295: 11331 1452651: 11332 CVE-2017-2295 puppet: Unsafe YAML deserialization 11333 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2295" id="CVE-2017-2295" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="puppet3" release="1.13.amzn1" version="3.7.4"><filename>Packages/puppet3-3.7.4-1.13.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="puppet3-server" release="1.13.amzn1" version="3.7.4"><filename>Packages/puppet3-server-3.7.4-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-850</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-850: low priority package update for curl</title><issued date="2017-06-22 19:24" /><updated date="2017-06-22 23:03" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities: 11334 CVE-2017-7407: 11335 1439190: 11336 CVE-2017-7407 curl: --write-out out of bounds read 11337 The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a &#039;%&#039; character, which leads to a heap-based buffer over-read. 11338 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407" id="CVE-2017-7407" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl" release="6.74.amzn1" version="7.51.0"><filename>Packages/libcurl-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="6.74.amzn1" version="7.51.0"><filename>Packages/curl-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="6.74.amzn1" version="7.51.0"><filename>Packages/curl-debuginfo-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="6.74.amzn1" version="7.51.0"><filename>Packages/libcurl-devel-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="6.74.amzn1" version="7.51.0"><filename>Packages/curl-debuginfo-7.51.0-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="6.74.amzn1" version="7.51.0"><filename>Packages/libcurl-devel-7.51.0-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="6.74.amzn1" version="7.51.0"><filename>Packages/libcurl-7.51.0-6.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="6.74.amzn1" 
version="7.51.0"><filename>Packages/curl-7.51.0-6.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-851</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-851: medium priority package update for httpd</title><issued date="2017-06-22 19:25" /><updated date="2017-06-22 22:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11339 CVE-2016-8743: 11340 It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. 11341 1406822: 11342 CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects 11343 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743" id="CVE-2016-8743" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-devel" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-devel-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.9.amzn1" version="2.2.32"><filename>Packages/mod_ssl-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-manual-2.2.32-1.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.9.amzn1" 
version="2.2.32"><filename>Packages/httpd-tools-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-debuginfo-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-devel-2.2.32-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-debuginfo-2.2.32-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-2.2.32-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.9.amzn1" version="2.2.32"><filename>Packages/httpd-tools-2.2.32-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.9.amzn1" version="2.2.32"><filename>Packages/mod_ssl-2.2.32-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-852</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-852: important priority package update for openvpn</title><issued date="2017-06-27 17:47" /><updated date="2017-07-06 22:56" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11344 CVE-2017-7522: 11345 OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character. 
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17

CVE-2017-7521:
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().

CVE-2017-7520:
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly sensitive memory leak triggered by man-in-the-middle attacker.
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17

CVE-2017-7508:
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet.
11361 1463642: 11362 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17 11363 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508" id="CVE-2017-7508" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522" id="CVE-2017-7522" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521" id="CVE-2017-7521" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520" id="CVE-2017-7520" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openvpn" release="1.19.amzn1" version="2.4.3"><filename>Packages/openvpn-2.4.3-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn-debuginfo" release="1.19.amzn1" version="2.4.3"><filename>Packages/openvpn-debuginfo-2.4.3-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn-devel" release="1.19.amzn1" version="2.4.3"><filename>Packages/openvpn-devel-2.4.3-1.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-devel" release="1.19.amzn1" version="2.4.3"><filename>Packages/openvpn-devel-2.4.3-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-debuginfo" release="1.19.amzn1" version="2.4.3"><filename>Packages/openvpn-debuginfo-2.4.3-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn" release="1.19.amzn1" version="2.4.3"><filename>Packages/openvpn-2.4.3-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-853</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-853: important priority 
package update for tomcat7</title><issued date="2017-07-06 17:24" /><updated date="2017-07-06 22:52" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11364 CVE-2017-5664: 11365 A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. 11366 1459158: 11367 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism 11368 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" id="CVE-2017-5664" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-webapps-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-lib-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-javadoc-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-log4j-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-docs-webapp-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-jsp-2.2-api-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.27.amzn1" 
version="7.0.78"><filename>Packages/tomcat7-servlet-3.0-api-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-admin-webapps-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.27.amzn1" version="7.0.78"><filename>Packages/tomcat7-el-2.2-api-7.0.78-1.27.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-854</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-854: important priority package update for tomcat8</title><issued date="2017-07-06 17:25" /><updated date="2017-07-06 22:53" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11369 CVE-2017-5664: 11370 A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. 
11371 1459158: 11372 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism 11373 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" id="CVE-2017-5664" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-el-3.0-api-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-webapps-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-servlet-3.1-api-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-docs-webapp-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-admin-webapps-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-jsp-2.3-api-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-javadoc-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-log4j-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" 
name="tomcat8-lib" release="1.71.amzn1" version="8.0.44"><filename>Packages/tomcat8-lib-8.0.44-1.71.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-855</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-855: medium priority package update for sudo</title><issued date="2017-07-06 19:03" /><updated date="2017-07-06 22:56" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11374 CVE-2017-1000368: 11375 * It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. 11376 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368" id="CVE-2017-1000368" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1574.html" id="RHSA-2017:1574" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="sudo" release="29.27.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-29.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-debuginfo" release="29.27.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-29.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sudo-devel" release="29.27.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-29.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sudo" release="29.27.amzn1" version="1.8.6p3"><filename>Packages/sudo-1.8.6p3-29.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="sudo-debuginfo" release="29.27.amzn1" version="1.8.6p3"><filename>Packages/sudo-debuginfo-1.8.6p3-29.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sudo-devel" release="29.27.amzn1" version="1.8.6p3"><filename>Packages/sudo-devel-1.8.6p3-29.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-856</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-856: important priority package update for mercurial</title><issued date="2017-07-06 19:06" /><updated date="2017-07-06 22:57" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11377 CVE-2017-9462: 11378 1459482: 11379 CVE-2017-9462 mercurial: Python debugger accessible to authorized users 11380 A flaw was found in the way &quot;hg serve --stdio&quot; command in Mercurial handled command-line options. A remote, authenticated attacker could use this flaw to execute arbitrary code on the Mercurial server by using specially crafted command-line options. 
11381 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9462" id="CVE-2017-9462" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mercurial-python27" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-python27-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-python26" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-python26-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="emacs-mercurial" release="1.28.amzn1" version="3.7.3"><filename>Packages/emacs-mercurial-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-common" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-common-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-debuginfo" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-debuginfo-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="emacs-mercurial-el" release="1.28.amzn1" version="3.7.3"><filename>Packages/emacs-mercurial-el-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-python26" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-python26-3.7.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-debuginfo" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-debuginfo-3.7.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-common" release="1.28.amzn1" version="3.7.3"><filename>Packages/mercurial-common-3.7.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-python27" release="1.28.amzn1" 
version="3.7.3"><filename>Packages/mercurial-python27-3.7.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="emacs-mercurial-el" release="1.28.amzn1" version="3.7.3"><filename>Packages/emacs-mercurial-el-3.7.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="emacs-mercurial" release="1.28.amzn1" version="3.7.3"><filename>Packages/emacs-mercurial-3.7.3-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-857</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-857: medium priority package update for golang</title><issued date="2017-07-13 19:37" /><updated date="2017-07-14 23:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11382 CVE-2017-8932: 11383 1455189: 11384 CVE-2017-8932 golang: Elliptic curves carry propagation issue in x86-64 P-256 11385 A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could use this flaw to extract private keys when static ECDH is used. 
11386 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8932" id="CVE-2017-8932" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-tests" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-tests-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-src-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-misc-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-bin" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-bin-1.7.5-2.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-1.7.5-2.39.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-docs-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-1.7.5-2.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="2.39.amzn1" version="1.7.5"><filename>Packages/golang-bin-1.7.5-2.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-858</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-858: important priority package update for bind</title><issued date="2017-07-20 01:20" /><updated date="2017-07-24 23:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities: 11387 CVE-2017-3143: 11388 * A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. 11389 11390 CVE-2017-3142: 11391 * A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. 11392 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143" id="CVE-2017-3143" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142" id="CVE-2017-3142" title="" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1679.html" id="RHSA-2017:1679" title="" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-devel" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.62.rc1.56.amzn1" 
version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.62.rc1.56.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-859</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-859: medium priority package update for c-ares</title><issued date="2017-07-20 01:22" 
/><updated date="2017-07-24 23:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11393 CVE-2017-1000381: 11394 The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. 11395 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381" id="CVE-2017-1000381" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="c-ares-devel" release="1.5.amzn1" version="1.13.0"><filename>Packages/c-ares-devel-1.13.0-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="c-ares" release="1.5.amzn1" version="1.13.0"><filename>Packages/c-ares-1.13.0-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="c-ares-debuginfo" release="1.5.amzn1" version="1.13.0"><filename>Packages/c-ares-debuginfo-1.13.0-1.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="c-ares-devel" release="1.5.amzn1" version="1.13.0"><filename>Packages/c-ares-devel-1.13.0-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="c-ares-debuginfo" release="1.5.amzn1" version="1.13.0"><filename>Packages/c-ares-debuginfo-1.13.0-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="c-ares" release="1.5.amzn1" version="1.13.0"><filename>Packages/c-ares-1.13.0-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-860</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-860: critical priority package update for java-1.8.0-openjdk</title><issued date="2017-07-25 17:54" 
/><updated date="2017-07-25 17:56" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11396 CVE-2017-10198: 11397 It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept certificate using one of the disabled algorithms. 11398 1472320: 11399 CVE-2017-10198 OpenJDK: incorrect enforcement of certificate path restrictions (Security, 8179998) 11400 11401 CVE-2017-10193: 11402 1471715: 11403 CVE-2017-10193 OpenJDK: incorrect key size constraint check (Security, 8179101) 11404 11405 CVE-2017-10135: 11406 1471871: 11407 CVE-2017-10135 OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760) 11408 A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. 11409 11410 CVE-2017-10116: 11411 1471738: 11412 CVE-2017-10116 OpenJDK: LDAPCertStore following referrals to non-LDAP URLs (Security, 8176067) 11413 It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. 11414 11415 CVE-2017-10115: 11416 A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. 
1471851:
CVE-2017-10115 OpenJDK: DSA implementation timing attack (JCE, 8175106)

CVE-2017-10111:
1471526:
CVE-2017-10111 OpenJDK: incorrect range checks in LambdaFormEditor (Libraries, 8184185)

CVE-2017-10110:
1471523:
CVE-2017-10110 OpenJDK: insufficient access control checks in ImageWatched (AWT, 8174098)

CVE-2017-10109:
1471670:
CVE-2017-10109 OpenJDK: unbounded memory allocation in CodeSource deserialization (Serialization, 8174113)

CVE-2017-10108:
1471888:
CVE-2017-10108 OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)

CVE-2017-10107:
1471266:
CVE-2017-10107 OpenJDK: insufficient access control checks in ActivationID (RMI, 8173697)

CVE-2017-10102:
1472345:
CVE-2017-10102 OpenJDK: incorrect handling of references in DGC (RMI, 8163958)
It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.

CVE-2017-10101:
1471527:
CVE-2017-10101 OpenJDK: unrestricted access to com.sun.org.apache.xml.internal.resolver (JAXP, 8173286)

CVE-2017-10096:
1471528:
CVE-2017-10096 OpenJDK: insufficient access control checks in XML transformations (JAXP, 8172469)

CVE-2017-10090:
1471517:
CVE-2017-10090 OpenJDK: insufficient access control checks in AsynchronousChannelGroupImpl (8172465, Libraries)

CVE-2017-10074:
1471534:
CVE-2017-10074 OpenJDK: integer overflows in range check loop predicates (Hotspot, 8173770)

CVE-2017-10067:
1471535:
CVE-2017-10067 OpenJDK: JAR verifier incorrect handling of missing digest (Security, 8169392)

CVE-2017-10053:
1471889:
CVE-2017-10053 OpenJDK: reading of unprocessed image data in JPEGImageReader (2D, 8169209)
It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.
11469 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10198" id="CVE-2017-10198" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10096" id="CVE-2017-10096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10111" id="CVE-2017-10111" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10090" id="CVE-2017-10090" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10193" id="CVE-2017-10193" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10074" id="CVE-2017-10074" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10135" id="CVE-2017-10135" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10102" id="CVE-2017-10102" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10110" id="CVE-2017-10110" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10101" id="CVE-2017-10101" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10115" id="CVE-2017-10115" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10107" id="CVE-2017-10107" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10116" id="CVE-2017-10116" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10067" id="CVE-2017-10067" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10053" id="CVE-2017-10053" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10109" id="CVE-2017-10109" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10108" id="CVE-2017-10108" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.141-1.b16.32.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.141-1.b16.32.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b16.32.amzn1" 
version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b16.32.amzn1" version="1.8.0.141"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-861</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-861: important priority package update for aws-cfn-bootstrap</title><issued date="2017-07-25 18:33" /><updated date="2017-08-04 03:33" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11470 CVE-2017-9450: 11471 A vulnerability was reported in the CloudFormation bootstrap tools that allows an attacker to execute arbitrary code as root if they have local access to the system and are able to create files in a specific directory (CVE-2017-9450 ) 11472 </description><references><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9450" id="CVE-2017-9450" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="aws-cfn-bootstrap" release="19.10.amzn1" version="1.4"><filename>Packages/aws-cfn-bootstrap-1.4-19.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-862</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-862: important priority package update for tomcat8</title><issued date="2017-08-03 18:49" /><updated date="2017-08-31 23:17" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11473 CVE-2017-7674: 11474 1480618: 11475 CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning 11476 The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. 11477 11478 CVE-2017-5664: 11479 A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. 
11480 1459158: 11481 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism 11482 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" id="CVE-2017-5664" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674" id="CVE-2017-7674" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-webapps-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-docs-webapp-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-javadoc-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-lib-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-servlet-3.1-api-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-admin-webapps-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-el-3.0-api-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.72.amzn1" 
version="8.0.45"><filename>Packages/tomcat8-jsp-2.3-api-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.72.amzn1" version="8.0.45"><filename>Packages/tomcat8-log4j-8.0.45-1.72.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-863</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-863: medium priority package update for httpd24</title><issued date="2017-08-03 18:53" /><updated date="2017-08-04 00:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11483 CVE-2017-7679: 11484 A buffer over-read flaw was found in the httpd&#039;s mod_mime module. A user permitted to modify httpd&#039;s MIME configuration could use this flaw to cause httpd child process to crash. 11485 1463207: 11486 CVE-2017-7679 httpd: mod_mime buffer overread 11487 11488 CVE-2017-7668: 11489 1463205: 11490 CVE-2017-7668 httpd: ap_find_token() buffer overread 11491 A buffer over-read flaw was found in the httpd&#039;s ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. 11492 11493 CVE-2017-7659: 11494 1463199: 11495 CVE-2017-7659 httpd: mod_http2 NULL pointer dereference 11496 A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP/2 request. 11497 11498 CVE-2017-3169: 11499 1463197: 11500 CVE-2017-3169 httpd: mod_ssl NULL pointer dereference 11501 A NULL pointer dereference flaw was found in the httpd&#039;s mod_ssl module. 
A remote attacker could use this flaw to cause a httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.

CVE-2017-3167:
It was discovered that the use of httpd&#039;s ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.
1463194:
CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass

CVE-2016-8743:
It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.
11510 1406822: 11511 CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects 11512 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668" id="CVE-2017-7668" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743" id="CVE-2016-8743" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167" id="CVE-2017-3167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679" id="CVE-2017-7679" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659" id="CVE-2017-7659" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169" id="CVE-2017-3169" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_ldap" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_ldap-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-tools-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-manual-2.4.27-3.71.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_proxy_html-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" 
name="mod24_ssl" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_ssl-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_session-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-devel-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_session-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_proxy_html-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-devel-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-tools-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="3.71.amzn1" version="2.4.27"><filename>Packages/httpd24-debuginfo-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_ssl-2.4.27-3.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="3.71.amzn1" version="2.4.27"><filename>Packages/mod24_ldap-2.4.27-3.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2017-864</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-864: medium priority package update for libtommath libtomcrypt</title><issued date="2017-08-03 18:56" /><updated date="2017-08-04 00:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11513 CVE-2016-6129: 11514 1370955: 11515 CVE-2016-6129 libtomcrypt: possible OP-TEE Bleichenbacher attack 11516 The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack. 11517 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6129" id="CVE-2016-6129" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libtomcrypt" release="25.4.amzn1" version="1.17"><filename>Packages/libtomcrypt-1.17-25.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtomcrypt-debuginfo" release="25.4.amzn1" version="1.17"><filename>Packages/libtomcrypt-debuginfo-1.17-25.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtomcrypt-devel" release="25.4.amzn1" version="1.17"><filename>Packages/libtomcrypt-devel-1.17-25.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtomcrypt" release="25.4.amzn1" version="1.17"><filename>Packages/libtomcrypt-1.17-25.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtomcrypt-debuginfo" release="25.4.amzn1" version="1.17"><filename>Packages/libtomcrypt-debuginfo-1.17-25.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtomcrypt-devel" release="25.4.amzn1" 
version="1.17"><filename>Packages/libtomcrypt-devel-1.17-25.4.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="libtommath-debuginfo" release="5.3.3.amzn1" version="0.42.0"><filename>Packages/libtommath-debuginfo-0.42.0-5.3.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtommath" release="5.3.3.amzn1" version="0.42.0"><filename>Packages/libtommath-0.42.0-5.3.3.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libtommath-devel" release="5.3.3.amzn1" version="0.42.0"><filename>Packages/libtommath-devel-0.42.0-5.3.3.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libtommath-debuginfo" release="5.3.3.amzn1" version="0.42.0"><filename>Packages/libtommath-debuginfo-0.42.0-5.3.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtommath" release="5.3.3.amzn1" version="0.42.0"><filename>Packages/libtommath-0.42.0-5.3.3.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libtommath-devel" release="5.3.3.amzn1" version="0.42.0"><filename>Packages/libtommath-devel-0.42.0-5.3.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-865</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-865: important priority package update for freeradius</title><issued date="2017-08-03 19:11" /><updated date="2017-08-04 00:47" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11518 CVE-2017-10983: 11519 An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request. 
1468503:
CVE-2017-10983 freeradius: Out-of-bounds read in fr_dhcp_decode() when decoding option 63

CVE-2017-10982:
1468498:
CVE-2017-10982 freeradius: Out-of-bounds read in fr_dhcp_decode_options()
An out-of-bounds read flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request.

CVE-2017-10981:
1468495:
CVE-2017-10981 freeradius: Memory leak in fr_dhcp_decode()
A memory leak flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to cause the FreeRADIUS server to consume an increasing amount of memory resources over time, possibly leading to a crash due to memory exhaustion, by sending specially crafted DHCP packets.

CVE-2017-10980:
A memory leak flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to cause the FreeRADIUS server to consume an increasing amount of memory resources over time possibly leading to a crash due to memory exhaustion.
1468493:
CVE-2017-10980 freeradius: Memory leak in decode_tlv()

CVE-2017-10979:
1468490:
CVE-2017-10979 freeradius: Out-of-bounds write in rad_coalesce()
An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet.

CVE-2017-10978:
1468487:
CVE-2017-10978 freeradius: Out-of-bounds read/write due to improper output buffer size check in make_secret()
An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets.
A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet. 11547 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10982" id="CVE-2017-10982" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10983" id="CVE-2017-10983" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10980" id="CVE-2017-10980" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10981" id="CVE-2017-10981" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10979" id="CVE-2017-10979" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10978" id="CVE-2017-10978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="freeradius-python" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-python-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-utils" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-utils-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-mysql" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-mysql-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-debuginfo" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-debuginfo-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-perl" release="7.16.amzn1" 
version="2.2.6"><filename>Packages/freeradius-perl-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-postgresql" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-postgresql-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-unixODBC" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-unixODBC-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-ldap" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-ldap-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="freeradius-krb5" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-krb5-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-mysql" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-mysql-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-ldap" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-ldap-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-krb5" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-krb5-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-python" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-python-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-unixODBC" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-unixODBC-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-postgresql" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-postgresql-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-debuginfo" release="7.16.amzn1" 
version="2.2.6"><filename>Packages/freeradius-debuginfo-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-utils" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-utils-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius-perl" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-perl-2.2.6-7.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="freeradius" release="7.16.amzn1" version="2.2.6"><filename>Packages/freeradius-2.2.6-7.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-866</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-866: important priority package update for aws-cfn-bootstrap</title><issued date="2017-08-03 19:21" /><updated date="2017-08-04 03:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11548 CVE-Pending: 11549 1370955: 11550 CVE-2016-6129 libtomcrypt: possible OP-TEE Bleichenbacher attack 11551 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-Pending" id="CVE-Pending" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="aws-cfn-bootstrap" release="20.12.amzn1" version="1.4"><filename>Packages/aws-cfn-bootstrap-1.4-20.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-867</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-867: medium priority package update for php70</title><issued date="2017-08-03 20:38" /><updated date="2017-08-04 02:34" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11552 CVE-2017-9229: 11553 An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg-&gt;dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition. 11554 1466746: 11555 CVE-2017-9229 oniguruma: Invalid pointer dereference in left_adjust_char_head() 11556 11557 CVE-2017-9228: 11558 1466740: 11559 CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range() 11560 An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it&#039;s used as an index, resulting in an out-of-bounds write memory corruption. 11561 11562 CVE-2017-9227: 11563 1466739: 11564 CVE-2017-9227 oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching 11565 An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg-&gt;dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer. 

CVE-2017-9226:
1466736:
CVE-2017-9226 oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of &#039;\\700&#039; would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.

CVE-2017-9224:
1466730:
CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.

CVE-2017-7890:
1473822:
CVE-2017-7890 php: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.
11581 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228" id="CVE-2017-9228" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890" id="CVE-2017-7890" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229" id="CVE-2017-9229" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226" id="CVE-2017-9226" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227" id="CVE-2017-9227" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224" id="CVE-2017-9224" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-mysqlnd-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-xml-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-cli-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pspell-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-fpm-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-embedded-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.23.amzn1" 
version="7.0.21"><filename>Packages/php70-intl-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-recode-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-common-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pgsql-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-odbc-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-mbstring-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-dbg-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pdo-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-devel-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-enchant-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-snmp-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-process-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php70-debuginfo" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-debuginfo-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-imap-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-zip-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-ldap-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-json-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-xmlrpc-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-tidy-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-opcache-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-bcmath-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-dba-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-soap-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.23.amzn1" 
version="7.0.21"><filename>Packages/php70-mcrypt-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-gd-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pdo-dblib-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-gmp-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-imap-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-gd-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-fpm-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pdo-dblib-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-debuginfo-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-common-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.23.amzn1" 
version="7.0.21"><filename>Packages/php70-gmp-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-ldap-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-odbc-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-devel-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-enchant-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-snmp-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-json-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-mcrypt-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-process-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-intl-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-soap-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-mysqlnd-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.23.amzn1" 
version="7.0.21"><filename>Packages/php70-dbg-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-dba-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pgsql-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-recode-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pdo-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-zip-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-embedded-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-mbstring-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-pspell-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-opcache-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-xmlrpc-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-bcmath-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" 
release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-tidy-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-xml-7.0.21-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.23.amzn1" version="7.0.21"><filename>Packages/php70-cli-7.0.21-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-868</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-868: critical priority package update for kernel</title><issued date="2017-08-10 16:31" /><updated date="2017-10-26 23:11" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11582 CVE-2017-11176: 11583 1470659: 11584 CVE-2017-11176 kernel: Use-after-free in sys_mq_notify() 11585 The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. 
11586 11587 CVE-2017-1000112: 11588 Exploitable memory corruption due to UFO to non-UFO path switch 11589 11590 CVE-2017-1000111: 11591 heap out-of-bounds in AF_PACKET sockets 11592 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176" id="CVE-2017-11176" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000112" id="CVE-2017-1000112" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000111" id="CVE-2017-1000111" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="16.35.amzn1" version="4.9.38"><filename>Packages/perf-debuginfo-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-tools-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="16.35.amzn1" version="4.9.38"><filename>Packages/perf-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-devel-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-tools-devel-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-headers-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" 
release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-debuginfo-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-tools-debuginfo-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-tools-debuginfo-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-tools-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-debuginfo-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-debuginfo-common-i686-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-tools-devel-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-devel-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="16.35.amzn1" version="4.9.38"><filename>Packages/perf-debuginfo-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="16.35.amzn1" 
version="4.9.38"><filename>Packages/perf-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-headers-4.9.38-16.35.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="16.35.amzn1" version="4.9.38"><filename>Packages/kernel-doc-4.9.38-16.35.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-869</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-869: critical priority package update for java-1.7.0-openjdk</title><issued date="2017-08-15 17:30" /><updated date="2017-08-15 17:30" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11593 CVE-2017-10243: 11594 It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information. 11595 1472666: 11596 CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054) 11597 11598 CVE-2017-10135: 11599 1471871: 11600 CVE-2017-10135 OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760) 11601 A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. 

CVE-2017-10116:
1471738:
CVE-2017-10116 OpenJDK: LDAPCertStore following referrals to non-LDAP URLs (Security, 8176067)
It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers.

CVE-2017-10115:
A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel.
1471851:
CVE-2017-10115 OpenJDK: DSA implementation timing attack (JCE, 8175106)

CVE-2017-10110:
1471523:
CVE-2017-10110 OpenJDK: insufficient access control checks in ImageWatched (AWT, 8174098)
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10109:
1471670:
CVE-2017-10109 OpenJDK: unbounded memory allocation in CodeSource deserialization (Serialization, 8174113)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2017-10108:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1471888:
CVE-2017-10108 OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)

CVE-2017-10107:
1471266:
CVE-2017-10107 OpenJDK: insufficient access control checks in ActivationID (RMI, 8173697)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10102:
1472345:
CVE-2017-10102 OpenJDK: incorrect handling of references in DGC (RMI, 8163958)
It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.

CVE-2017-10101:
1471527:
CVE-2017-10101 OpenJDK: unrestricted access to com.sun.org.apache.xml.internal.resolver (JAXP, 8173286)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10096:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471528:
CVE-2017-10096 OpenJDK: insufficient access control checks in XML transformations (JAXP, 8172469)

CVE-2017-10090:
1471517:
CVE-2017-10090 OpenJDK: insufficient access control checks in AsynchronousChannelGroupImpl (8172465, Libraries)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10089:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471270:
CVE-2017-10089 OpenJDK: insufficient access control checks in ServiceRegistry (ImageIO, 8172461)

CVE-2017-10087:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471521:
CVE-2017-10087 OpenJDK: insufficient access control checks in ThreadPoolExecutor (Libraries, 8172204)

CVE-2017-10081:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
1471711:
CVE-2017-10081 OpenJDK: incorrect bracket processing in function signature handling (Hotspot, 8170966)

CVE-2017-10074:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471534:
CVE-2017-10074 OpenJDK: integer overflows in range check loop predicates (Hotspot, 8173770)

CVE-2017-10067:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
1471535:
CVE-2017-10067 OpenJDK: JAR verifier incorrect handling of missing digest (Security, 8169392)

CVE-2017-10053:
1471889:
CVE-2017-10053 OpenJDK: reading of unprocessed image data in JPEGImageReader (2D, 8169209)
It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.
11682 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10081" id="CVE-2017-10081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10053" id="CVE-2017-10053" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10087" id="CVE-2017-10087" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10089" id="CVE-2017-10089" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10074" id="CVE-2017-10074" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10096" id="CVE-2017-10096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10243" id="CVE-2017-10243" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10090" id="CVE-2017-10090" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10135" id="CVE-2017-10135" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10102" id="CVE-2017-10102" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10110" id="CVE-2017-10110" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10101" id="CVE-2017-10101" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10115" id="CVE-2017-10115" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10107" id="CVE-2017-10107" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10116" id="CVE-2017-10116" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10067" id="CVE-2017-10067" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10109" id="CVE-2017-10109" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10108" id="CVE-2017-10108" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.151-2.6.11.0.74.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.11.0.74.amzn1" 
version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.11.0.74.amzn1" version="1.7.0.151"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-870</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-870: important priority package update for kernel</title><issued date="2017-08-17 18:09" /><updated date="2017-11-03 05:45" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8831:
The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a &quot;double fetch&quot; vulnerability.
1449980:
CVE-2017-8831 kernel: Double fetch vulnerability in saa7164_bus_get function

CVE-2017-7542:
1473649:
CVE-2017-7542 kernel: Integer overflow in ip6_find_1stfragopt() causes infinite loop
An integer overflow vulnerability in ip6_find_1stfragopt() function was found.
A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function.

CVE-2017-7533:
1468283:
CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab&#039;s free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.

CVE-2017-11473:
Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.
1473209:
CVE-2017-11473 kernel: Buffer overflow in mp_override_legacy_irq()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831" id="CVE-2017-8831" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11473" id="CVE-2017-11473" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7533" id="CVE-2017-7533" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7542" id="CVE-2017-7542" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-headers-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="17.38.amzn1" version="4.9.43"><filename>Packages/perf-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="17.38.amzn1"
version="4.9.43"><filename>Packages/kernel-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-tools-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="17.38.amzn1" version="4.9.43"><filename>Packages/perf-debuginfo-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-devel-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-tools-devel-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="17.38.amzn1" version="4.9.43"><filename>Packages/perf-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-tools-devel-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-tools-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="17.38.amzn1" 
version="4.9.43"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-headers-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-common-i686-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-devel-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="17.38.amzn1" version="4.9.43"><filename>Packages/perf-debuginfo-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-4.9.43-17.38.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="17.38.amzn1" version="4.9.43"><filename>Packages/kernel-doc-4.9.43-17.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-871</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-871: medium priority package update for php56</title><issued date="2017-08-17 18:16" /><updated date="2017-08-17 22:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9229:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg-&gt;dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.
1466746:
CVE-2017-9229 oniguruma: Invalid pointer dereference in left_adjust_char_head()

CVE-2017-9228:
1466740:
CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it&#039;s used as an index, resulting in an out-of-bounds write memory corruption.

CVE-2017-9227:
1466739:
CVE-2017-9227 oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg-&gt;dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.

CVE-2017-9226:
1466736:
CVE-2017-9226 oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc().
A malformed regular expression containing an octal number in the form of &#039;\\700&#039; would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.

CVE-2017-9224:
1466730:
CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228" id="CVE-2017-9228" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229" id="CVE-2017-9229" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226" id="CVE-2017-9226" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227" id="CVE-2017-9227" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224" id="CVE-2017-9224" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-ldap" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-ldap-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mcrypt-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-devel-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php56-gd" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-gd-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-recode-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-pdo-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-tidy-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-intl-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-imap-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-fpm-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-soap-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-snmp-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-pgsql-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-xmlrpc-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.134.amzn1" 
version="5.6.31"><filename>Packages/php56-process-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-dbg-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-embedded-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mssql-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-dba-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-debuginfo-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mysqlnd-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-gmp-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-odbc-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mbstring-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.134.amzn1" 
version="5.6.31"><filename>Packages/php56-bcmath-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-pspell-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-opcache-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-cli-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-common-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-enchant-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-xml-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-xmlrpc-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-recode-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-enchant-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-intl-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-odbc-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-bcmath" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-bcmath-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mcrypt-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mssql-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-cli-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mysqlnd-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-dbg-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-tidy-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-fpm-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-gd-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-process-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-pgsql-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-dba-5.6.31-1.134.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php56-pdo" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-pdo-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-pspell-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-common-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-gmp-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-ldap-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-mbstring-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-imap-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-opcache-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-soap-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-xml-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.134.amzn1" 
version="5.6.31"><filename>Packages/php56-embedded-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-snmp-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-devel-5.6.31-1.134.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.134.amzn1" version="5.6.31"><filename>Packages/php56-debuginfo-5.6.31-1.134.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-872</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-872: important priority package update for graphite2</title><issued date="2017-08-17 18:27" /><updated date="2017-08-17 22:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11728 CVE-2017-7778: 11729 1461260: 11730 CVE-2017-7778 Mozilla: Vulnerabilities in the Graphite 2 library (MFSA 2017-16) 11731 11732 CVE-2017-7777: 11733 The use of uninitialized memory related to &quot;graphite2::GlyphCache::Loader::read_glyph&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to negatively impact the execution of an application using graphite2 in unknown ways. 11734 1472225: 11735 CVE-2017-7777 graphite2: use of uninitialized memory "graphite2::GlyphCache::Loader::read_glyph" 11736 11737 CVE-2017-7776: 11738 An out of bounds read flaw related to &quot;graphite2::Silf::getClassGlyph&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. 
11739 1472223: 11740 CVE-2017-7776 graphite2: heap-buffer-overflow read "graphite2::Silf::getClassGlyph" 11741 11742 CVE-2017-7775: 11743 1472221: 11744 CVE-2017-7775 graphite2: assertion error "size() > n" 11745 An assertion error has been reported in graphite2. An attacker could possibly exploit this flaw to cause an application crash. 11746 11747 CVE-2017-7774: 11748 1472219: 11749 CVE-2017-7774 graphite2: out of bounds read "graphite2::Silf::readGraphite" 11750 An out of bounds read flaw related to &quot;graphite2::Silf::readGraphite&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. 11751 11752 CVE-2017-7773: 11753 1472215: 11754 CVE-2017-7773 graphite2: heap-buffer-overflow write "lz4::decompress" (src/Decompressor) 11755 A heap-based buffer overflow flaw related to &quot;lz4::decompress&quot; (src/Decompressor) has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code. 11756 11757 CVE-2017-7772: 11758 A heap-based buffer overflow flaw related to &quot;lz4::decompress&quot; has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code. 11759 1472213: 11760 CVE-2017-7772 graphite2: heap-buffer-overflow write "lz4::decompress" (CVE-2017-7772) 11761 11762 CVE-2017-7771: 11763 An out of bounds read flaw related to &quot;graphite2::Pass::readPass&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. 
11764 1472212: 11765 CVE-2017-7771 graphite2: out of bounds read in "graphite2::Pass::readPass" 11766 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7778" id="CVE-2017-7778" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7772" id="CVE-2017-7772" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7773" id="CVE-2017-7773" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7771" id="CVE-2017-7771" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7776" id="CVE-2017-7776" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7777" id="CVE-2017-7777" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7774" id="CVE-2017-7774" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7775" id="CVE-2017-7775" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphite2-devel" release="1.7.amzn1" version="1.3.10"><filename>Packages/graphite2-devel-1.3.10-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphite2-debuginfo" release="1.7.amzn1" version="1.3.10"><filename>Packages/graphite2-debuginfo-1.3.10-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphite2" release="1.7.amzn1" version="1.3.10"><filename>Packages/graphite2-1.3.10-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphite2-devel" release="1.7.amzn1" version="1.3.10"><filename>Packages/graphite2-devel-1.3.10-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphite2" release="1.7.amzn1" 
version="1.3.10"><filename>Packages/graphite2-1.3.10-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphite2-debuginfo" release="1.7.amzn1" version="1.3.10"><filename>Packages/graphite2-debuginfo-1.3.10-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-873</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-873: important priority package update for tomcat7</title><issued date="2017-08-17 18:30" /><updated date="2017-08-31 23:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7674:
1480618:
CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

CVE-2017-5664:
A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
1459158:
CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism

CVE-2017-5648:
1441223:
CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object.
When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" id="CVE-2017-5664" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648" id="CVE-2017-5648" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674" id="CVE-2017-7674" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-admin-webapps-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-jsp-2.2-api-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-webapps-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-lib-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api"
release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-el-2.2-api-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-servlet-3.0-api-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-docs-webapp-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-log4j-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.28.amzn1" version="7.0.79"><filename>Packages/tomcat7-javadoc-7.0.79-1.28.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-874</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-874: important priority package update for cacti</title><issued date="2017-08-17 18:36" /><updated date="2017-08-31 23:15" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12066:


CVE-2017-12065:


CVE-2017-10970:
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066" id="CVE-2017-12066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065" id="CVE-2017-12065" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970" id="CVE-2017-10970" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="1.16.amzn1" version="1.1.16"><filename>Packages/cacti-1.1.16-1.16.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-875</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-875: medium priority package update for authconfig</title><issued date="2017-08-30 23:37" /><updated date="2017-09-14 22:22" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7488:
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.
1441604:
CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7488" id="CVE-2017-7488" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="authconfig" release="30.31.amzn1" version="6.2.8"><filename>Packages/authconfig-6.2.8-30.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="authconfig-debuginfo" release="30.31.amzn1" version="6.2.8"><filename>Packages/authconfig-debuginfo-6.2.8-30.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="authconfig" release="30.31.amzn1" version="6.2.8"><filename>Packages/authconfig-6.2.8-30.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="authconfig-debuginfo" release="30.31.amzn1" version="6.2.8"><filename>Packages/authconfig-debuginfo-6.2.8-30.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-876</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-876: medium priority package update for libnl3</title><issued date="2017-08-30 23:38" /><updated date="2017-08-31 22:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-0553:
1440788:
CVE-2017-0553 libnl: Integer overflow in nlmsg_reserve()
An integer overflow leading to a heap-buffer overflow was found in the libnl library. An attacker could use this flaw to cause an application compiled with libnl to crash or possibly execute arbitrary code in the context of the user running such an application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553" id="CVE-2017-0553" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libnl3-debuginfo" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-debuginfo-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libnl3" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libnl3-cli" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-cli-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libnl3-doc" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-doc-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libnl3-devel" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-devel-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libnl3-doc" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-doc-3.2.28-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libnl3-cli" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-cli-3.2.28-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libnl3-debuginfo" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-debuginfo-3.2.28-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libnl3-devel" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-devel-3.2.28-4.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libnl3" release="4.6.amzn1" version="3.2.28"><filename>Packages/libnl3-3.2.28-4.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com"
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-877</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-877: medium priority package update for glibc</title><issued date="2017-08-31 15:52" /><updated date="2017-08-31 23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8779:
A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code.
1300312:
CVE-2015-8779 glibc: Unbounded stack allocation in catopen function

CVE-2015-8778:
1300303:
CVE-2015-8778 glibc: Integer overflow in hcreate and hcreate_r
An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution.

CVE-2015-8777:
It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application.
1260581:
CVE-2015-8777 glibc: LD_POINTER_GUARD in the environment is not sanitized

CVE-2015-8776:
It was found that out-of-range time values passed to the strftime() function could result in an out-of-bounds memory access. This could lead to application crash or, potentially, information disclosure.
1300299:
CVE-2015-8776 glibc: Segmentation fault caused by passing out-of-range data to strftime()

CVE-2014-9761:
1300310:
CVE-2014-9761 glibc: Unbounded stack allocation in nan* functions
A stack overflow vulnerability was found in nan* functions that could cause applications, which process long strings with the nan function, to crash or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8779" id="CVE-2015-8779" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8778" id="CVE-2015-8778" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9761" id="CVE-2014-9761" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777" id="CVE-2015-8777" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8776" id="CVE-2015-8776" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-devel" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="196.172.amzn1" version="2.17"><filename>Packages/nscd-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="196.172.amzn1"
version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-196.172.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="196.172.amzn1" version="2.17"><filename>Packages/nscd-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="glibc-debuginfo" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-196.172.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="196.172.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-196.172.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-878</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-878: medium priority package update for bash</title><issued date="2017-08-31 15:53" /><updated date="2017-08-31 23:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9401:
A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.
1396383:
CVE-2016-9401 bash: popd controlled free

CVE-2016-7543:
An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances.
1379630:
CVE-2016-7543 bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution

CVE-2016-0634:
1377613:
CVE-2016-0634 bash: Arbitrary code execution via malicious hostname
An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401" id="CVE-2016-9401" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634" id="CVE-2016-0634" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543" id="CVE-2016-7543" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="bash-debuginfo" release="28.37.amzn1" version="4.2.46"><filename>Packages/bash-debuginfo-4.2.46-28.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bash" release="28.37.amzn1" version="4.2.46"><filename>Packages/bash-4.2.46-28.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="bash-doc" release="28.37.amzn1" version="4.2.46"><filename>Packages/bash-doc-4.2.46-28.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="bash-doc" release="28.37.amzn1" version="4.2.46"><filename>Packages/bash-doc-4.2.46-28.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bash" release="28.37.amzn1" version="4.2.46"><filename>Packages/bash-4.2.46-28.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="bash-debuginfo" release="28.37.amzn1" version="4.2.46"><filename>Packages/bash-debuginfo-4.2.46-28.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-879</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-879: medium priority package update for tigervnc</title><issued date="2017-08-31 15:56" /><updated date="2017-08-31 23:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7396:
A memory leak flaw was found
in the way TigerVNC handled client connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion.
1438703:
CVE-2017-7396 tigervnc: SecurityServer and ClientServer memory leaks

CVE-2017-7395:
1438701:
CVE-2017-7395 tigervnc: Integer overflow in SMsgReader::readClientCutText
An integer overflow flaw was found in the way TigerVNC handled ClientCutText messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientCutText messages, resulting in denial of service.

CVE-2017-7394:
A missing input sanitization flaw was found in the way TigerVNC handled credentials. A remote unauthenticated attacker could use this flaw to make Xvnc crash by sending specially crafted usernames, resulting in denial of service.
1438700:
CVE-2017-7394 tigervnc: Server crash via long usernames

CVE-2017-7393:
A double free flaw was found in the way TigerVNC handled ClientFence messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientFence messages, resulting in denial of service.
1438697:
CVE-2017-7393 tigervnc: Double free via crafted fences

CVE-2017-7392:
A memory leak flaw was found in the way TigerVNC handled termination of VeNCrypt connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion.
1438694:
CVE-2017-7392 tigervnc: SSecurityVeNCrypt memory leak

CVE-2017-5581:
A buffer overflow flaw, leading to memory corruption, was found in TigerVNC viewer.
A remote malicious VNC server could use this flaw to crash the client vncviewer process resulting in denial of service.
1415712:
CVE-2017-5581 tigervnc: Buffer overflow in ModifiablePixelBuffer::fillRect

CVE-2016-10207:
A denial of service flaw was found in the TigerVNC&#039;s Xvnc server. A remote unauthenticated attacker could use this flaw to make Xvnc crash by terminating the TLS handshake process early.
1418761:
CVE-2016-10207 tigervnc: VNC server can crash when TLS handshake terminates early
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5581" id="CVE-2017-5581" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10207" id="CVE-2016-10207" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7392" id="CVE-2017-7392" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7393" id="CVE-2017-7393" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7394" id="CVE-2017-7394" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7395" id="CVE-2017-7395" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7396" id="CVE-2017-7396" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="tigervnc" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-server-module" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-server-module-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-server" release="1.32.amzn1"
version="1.8.0"><filename>Packages/tigervnc-server-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tigervnc-debuginfo" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-debuginfo-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-debuginfo" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-debuginfo-1.8.0-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-server-module" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-server-module-1.8.0-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc-server" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-server-1.8.0-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tigervnc" release="1.32.amzn1" version="1.8.0"><filename>Packages/tigervnc-1.8.0-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-880</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-880: medium priority package update for ruby23</title><issued date="2017-08-31 15:57" /><updated date="2017-08-31 23:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7798:
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
1381526:
CVE-2016-7798 ruby: IV Reuse in GCM Mode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7798" id="CVE-2016-7798" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby23" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-io-console" release="1.15.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-doc" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-doc-2.3.4-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-devel" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-devel-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23-devel" release="1.15.amzn1" version="2.5.2"><filename>Packages/rubygems23-devel-2.5.2-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-bigdecimal" release="1.15.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-debuginfo" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-debuginfo-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem23-did_you_mean" release="1.15.amzn1" version="1.0.0"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.15.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-irb" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-irb-2.3.4-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-libs" release="1.15.amzn1"
version="2.3.4"><filename>Packages/ruby23-libs-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-psych" release="1.15.amzn1" version="2.1.0"><filename>Packages/rubygem23-psych-2.1.0-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23" release="1.15.amzn1" version="2.5.2"><filename>Packages/rubygems23-2.5.2-1.15.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-debuginfo" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-debuginfo-2.3.4-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-devel" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-devel-2.3.4-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-psych" release="1.15.amzn1" version="2.1.0"><filename>Packages/rubygem23-psych-2.1.0-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-io-console" release="1.15.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-2.3.4-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-bigdecimal" release="1.15.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-libs" release="1.15.amzn1" version="2.3.4"><filename>Packages/ruby23-libs-2.3.4-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-881</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-881: low priority package update for wget</title><issued date="2017-08-31 15:58" /><updated date="2017-08-31 23:07" 
/><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6508:
1429984:
CVE-2017-6508 wget: CRLF injection in the url_parse function in url.c
A CRLF injection flaw was found in the way wget handled URLs. A remote attacker could use this flaw to inject arbitrary HTTP headers in requests, via CRLF sequences in the host sub-component of a URL, by tricking a user running wget into processing crafted URLs.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508" id="CVE-2017-6508" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wget" release="3.27.amzn1" version="1.18"><filename>Packages/wget-1.18-3.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wget-debuginfo" release="3.27.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-3.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wget-debuginfo" release="3.27.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-3.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wget" release="3.27.amzn1" version="1.18"><filename>Packages/wget-1.18-3.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-882</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-882: important priority package update for git</title><issued date="2017-08-31 16:00" /><updated date="2017-08-31 23:09" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000117:
1480386:
CVE-2017-1000117 git: Command injection via malicious ssh URLs
A shell command
injection flaw related to the handling of &quot;ssh&quot; URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a &quot;clone&quot; action on a malicious repository or a legitimate repository containing a malicious commit.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117" id="CVE-2017-1000117" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="git-daemon" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-daemon-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-email-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-debuginfo-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-bzr-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-p4-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-cvs-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="1.53.amzn1" version="2.13.5"><filename>Packages/emacs-git-el-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="1.53.amzn1"
version="2.13.5"><filename>Packages/git-svn-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-all" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-all-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-hg-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="1.53.amzn1" version="2.13.5"><filename>Packages/perl-Git-SVN-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="1.53.amzn1" version="2.13.5"><filename>Packages/gitweb-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="1.53.amzn1" version="2.13.5"><filename>Packages/emacs-git-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="1.53.amzn1" version="2.13.5"><filename>Packages/perl-Git-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-2.13.5-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-daemon-2.13.5-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-debuginfo-2.13.5-1.53.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="1.53.amzn1" version="2.13.5"><filename>Packages/git-svn-2.13.5-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-883</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-883: important priority package update for subversion 
mod_dav_svn</title><issued date="2017-08-31 16:11" /><updated date="2017-08-31 23:10" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9800:
1479686:
CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs
A shell command injection flaw related to the handling of &quot;svn+ssh&quot; URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a &quot;checkout&quot; or &quot;update&quot; action on a malicious repository, or a legitimate repository containing a malicious commit.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800" id="CVE-2017-9800" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_dav_svn" release="1.54.amzn1" version="1.9.7"><filename>Packages/mod_dav_svn-1.9.7-1.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_dav_svn-debuginfo" release="1.54.amzn1" version="1.9.7"><filename>Packages/mod_dav_svn-debuginfo-1.9.7-1.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn" release="1.54.amzn1" version="1.9.7"><filename>Packages/mod_dav_svn-1.9.7-1.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_dav_svn-debuginfo" release="1.54.amzn1" version="1.9.7"><filename>Packages/mod_dav_svn-debuginfo-1.9.7-1.54.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-tools" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-tools-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion" release="1.58.amzn1"
version="1.9.7"><filename>Packages/subversion-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-ruby" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-ruby-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python27" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-python27-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_dav_svn" release="1.58.amzn1" version="1.9.7"><filename>Packages/mod24_dav_svn-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-perl" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-perl-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-libs" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-libs-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-javahl" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-javahl-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-python26" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-python26-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-devel" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-devel-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="subversion-debuginfo" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-debuginfo-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="subversion-tools" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-tools-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-libs" release="1.58.amzn1" 
version="1.9.7"><filename>Packages/subversion-libs-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-devel" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-devel-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python27" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-python27-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-perl" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-perl-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-debuginfo" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-debuginfo-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-javahl" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-javahl-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_dav_svn" release="1.58.amzn1" version="1.9.7"><filename>Packages/mod24_dav_svn-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-ruby" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-ruby-1.9.7-1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="subversion-python26" release="1.58.amzn1" version="1.9.7"><filename>Packages/subversion-python26-1.9.7-1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-884</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-884: medium priority package update for postgresql93 postgresql92</title><issued date="2017-08-31 16:20" /><updated 
date="2017-08-31 23:11" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7547:
1477185:
CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.

CVE-2017-7546:
1477184:
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq&#039;s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547" id="CVE-2017-7547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546" id="CVE-2017-7546" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-plpython26-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-pltcl-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-devel-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-libs-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-plpython27-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-plperl-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-contrib-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.64.amzn1"
version="9.3.18"><filename>Packages/postgresql93-server-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-debuginfo-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-test-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-docs-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-debuginfo-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-test-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-plpython27-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-contrib-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-devel-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-docs-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" 
release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-pltcl-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-plpython26-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-libs-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-server-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.64.amzn1" version="9.3.18"><filename>Packages/postgresql93-plperl-9.3.18-1.64.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-contrib-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-test-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-pltcl-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-libs-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-server-compat-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-server-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="postgresql92-plperl" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-plperl-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-devel-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-debuginfo-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-plpython26-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-docs-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-plpython27-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-server-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-plpython27-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-debuginfo-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.61.amzn1" 
version="9.2.22"><filename>Packages/postgresql92-contrib-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-plpython26-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-docs-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-libs-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-devel-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-pltcl-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-plperl-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-server-compat-9.2.22-1.61.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.61.amzn1" version="9.2.22"><filename>Packages/postgresql92-test-9.2.22-1.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-885</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-885: medium priority package update for 
postgresql94 postgresql95</title><issued date="2017-08-31 16:22" /><updated date="2017-08-31 23:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7548:
1477187:
CVE-2017-7548 postgresql: lo_put() function ignores ACLs
An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service.

CVE-2017-7547:
1477185:
CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.

CVE-2017-7546:
1477184:
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq&#039;s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547" id="CVE-2017-7547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546" id="CVE-2017-7546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7548" id="CVE-2017-7548" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql94" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-debuginfo-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-plpython27-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-devel-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-docs-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-plpython26-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-test-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-plperl-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="postgresql94-server" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-server-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-contrib-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-libs-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-plpython26-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-contrib-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-plperl-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-server-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-devel-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-libs-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-plpython27-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql94-test" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-test-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-debuginfo-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.69.amzn1" version="9.4.13"><filename>Packages/postgresql94-docs-9.4.13-1.69.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-libs" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-libs-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-contrib" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-contrib-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-docs" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-docs-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plperl" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-plperl-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-devel" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-devel-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-test" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-test-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython26" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-plpython26-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="postgresql95-plpython27" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-plpython27-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-server" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-server-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-debuginfo" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-debuginfo-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-static" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-static-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-debuginfo" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-debuginfo-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-test" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-test-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plperl" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-plperl-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-libs" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-libs-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython26" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-plpython26-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-static" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-static-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-devel" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-devel-9.5.8-1.73.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="postgresql95-contrib" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-contrib-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-server" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-server-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython27" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-plpython27-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-docs" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-docs-9.5.8-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95" release="1.73.amzn1" version="9.5.8"><filename>Packages/postgresql95-9.5.8-1.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-886</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-886: important priority package update for aws-cfn-bootstrap</title><issued date="2017-08-31 17:03" /><updated date="2017-08-31 23:24" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11922 CVE-PENDING: 11923 New optional parameter "umask" introduced into cfn-hup.conf file in order to configure the cfn-hup daemon's umask.;' 11924 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-PENDING" id="CVE-PENDING" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="aws-cfn-bootstrap" release="21.13.amzn1" version="1.4"><filename>Packages/aws-cfn-bootstrap-1.4-21.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-887</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-887: medium priority package update for mysql55</title><issued date="2017-08-31 17:08" /><updated date="2017-08-31 23:29" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 11925 CVE-2017-3653: 11926 1472711: 11927 CVE-2017-3653 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017) 11928 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N). 11929 11930 CVE-2017-3652: 11931 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N). 
1472710:
CVE-2017-3652 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)

CVE-2017-3651:
1472708:
CVE-2017-3651 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVE-2017-3648:
1472704:
CVE-2017-3648 mysql: Server: Charsets unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3641:
1472693:
CVE-2017-3641 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3636:
1472686:
CVE-2017-3636 mysql: Client programs unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

CVE-2017-3635:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. Note: The documentation has also been updated for the correct way to use mysql_stmt_close().
Please see: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1472685:
CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3648" id="CVE-2017-3648" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641" id="CVE-2017-3641" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3636" id="CVE-2017-3636" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3635" id="CVE-2017-3635" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3651" id="CVE-2017-3651" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653" id="CVE-2017-3653" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3652" id="CVE-2017-3652" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-debuginfo-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-libs-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.18.amzn1"
version="5.5.57"><filename>Packages/mysql55-test-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-embedded-devel-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql-config-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-embedded-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-bench-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-server-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-devel-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-bench-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-test-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-embedded-devel-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.18.amzn1" 
version="5.5.57"><filename>Packages/mysql55-devel-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-server-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-debuginfo-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-libs-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-embedded-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql55-5.5.57-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.18.amzn1" version="5.5.57"><filename>Packages/mysql-config-5.5.57-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-888</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-888: medium priority package update for mysql56</title><issued date="2017-08-31 17:11" /><updated date="2017-08-31 23:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3653:
1472711:
CVE-2017-3653 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier.
Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVE-2017-3652:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N).
1472710:
CVE-2017-3652 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)

CVE-2017-3651:
1472708:
CVE-2017-3651 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

CVE-2017-3649:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472705:
CVE-2017-3649 mysql: Server: Replication unspecified vulnerability (CPU Jul 2017)

CVE-2017-3648:
1472704:
CVE-2017-3648 mysql: Server: Charsets unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3647:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472703:
CVE-2017-3647 mysql: Server: Replication unspecified vulnerability (CPU Jul 2017)

CVE-2017-3641:
1472693:
CVE-2017-3641 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3635:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. Note: The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html. CVSS 3.0 Base Score 5.3 (Availability impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1472685:
CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)

CVE-2017-3634:
1472684:
CVE-2017-3634 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-3633:
1472683:
CVE-2017-3633 mysql: Server: Memcached unspecified vulnerability (CPU Jul 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3648" id="CVE-2017-3648" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3649" id="CVE-2017-3649" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3651" id="CVE-2017-3651" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653" id="CVE-2017-3653" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641" id="CVE-2017-3641" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3647" id="CVE-2017-3647" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3633" id="CVE-2017-3633" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3635" id="CVE-2017-3635" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3634" id="CVE-2017-3634" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3652" id="CVE-2017-3652" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-embedded-devel-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-common-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-embedded-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.26.amzn1"
version="5.6.37"><filename>Packages/mysql56-devel-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-test-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-libs-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-bench-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-debuginfo-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-server-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-errmsg-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-common-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-errmsg-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-test-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.26.amzn1" 
version="5.6.37"><filename>Packages/mysql56-debuginfo-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-libs-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-server-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-bench-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-embedded-devel-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-devel-5.6.37-1.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.26.amzn1" version="5.6.37"><filename>Packages/mysql56-embedded-5.6.37-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-889</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-889: medium priority package update for curl</title><issued date="2017-08-31 17:19" /><updated date="2017-08-31 23:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000101:
1478309:
CVE-2017-1000101 curl: URL globbing out of bounds read
Details pending

CVE-2017-1000100:
Details pending
1478310:
CVE-2017-1000100 curl: TFTP
sends more than buffer size

CVE-2017-1000099:
1478316:
CVE-2017-1000099 curl: FILE buffer read out of bounds
Details pending
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099" id="CVE-2017-1000099" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100" id="CVE-2017-1000100" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101" id="CVE-2017-1000101" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl-devel" release="9.75.amzn1" version="7.51.0"><filename>Packages/libcurl-devel-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="9.75.amzn1" version="7.51.0"><filename>Packages/curl-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="9.75.amzn1" version="7.51.0"><filename>Packages/curl-debuginfo-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="9.75.amzn1" version="7.51.0"><filename>Packages/libcurl-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="9.75.amzn1" version="7.51.0"><filename>Packages/curl-7.51.0-9.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="9.75.amzn1" version="7.51.0"><filename>Packages/curl-debuginfo-7.51.0-9.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="9.75.amzn1" version="7.51.0"><filename>Packages/libcurl-devel-7.51.0-9.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="9.75.amzn1"
version="7.51.0"><filename>Packages/libcurl-7.51.0-9.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-890</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-890: medium priority package update for xmlsec1</title><issued date="2017-09-13 22:22" /><updated date="2017-09-14 22:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000061:
It was discovered xmlsec1&#039;s use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service.
1437311:
CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061" id="CVE-2017-1000061" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="xmlsec1-openssl" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-openssl-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-openssl-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-openssl-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-nss" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-nss-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-gcrypt-devel" release="7.4.amzn1"
version="1.2.20"><filename>Packages/xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-gnutls" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gnutls-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-nss-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-nss-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-debuginfo" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-debuginfo-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-gnutls-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="xmlsec1-gcrypt" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gcrypt-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-openssl" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-openssl-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-gnutls" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gnutls-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-debuginfo" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-nss" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-nss-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1" release="7.4.amzn1" 
version="1.2.20"><filename>Packages/xmlsec1-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-gcrypt" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-openssl-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-gcrypt-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-nss-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="xmlsec1-gnutls-devel" release="7.4.amzn1" version="1.2.20"><filename>Packages/xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-891</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-891: medium priority package update for GraphicsMagick</title><issued date="2017-09-13 22:44" /><updated date="2017-09-14 22:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-11403:
The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11403" id="CVE-2017-11403" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-doc-1.3.26-3.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-c++-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-devel-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-debuginfo-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-perl-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-c++-devel-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-c++-devel-1.3.26-3.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-devel-1.3.26-3.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl"
release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-perl-1.3.26-3.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-1.3.26-3.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-c++-1.3.26-3.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="3.11.amzn1" version="1.3.26"><filename>Packages/GraphicsMagick-debuginfo-1.3.26-3.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-892</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-892: important priority package update for httpd</title><issued date="2017-09-13 22:50" /><updated date="2017-09-14 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9788:
1470748:
CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
It was discovered that the httpd&#039;s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.

CVE-2017-7679:
A buffer over-read flaw was found in the httpd&#039;s mod_mime module. A user permitted to modify httpd&#039;s MIME configuration could use this flaw to cause httpd child process to crash.
1463207:
CVE-2017-7679 httpd: mod_mime buffer overread

CVE-2017-3169:
A NULL pointer dereference flaw was found in the httpd&#039;s mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.
1463197:
CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
A NULL pointer dereference flaw was found in the httpd&#039;s mod_ssl module. A remote attacker could use this flaw to cause a httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.

CVE-2017-3167:
It was discovered that the use of httpd&#039;s ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.
1463194:
CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169" id="CVE-2017-3169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167" id="CVE-2017-3167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679" id="CVE-2017-7679" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788" id="CVE-2017-9788" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="mod_ssl" release="1.12.amzn1" version="2.2.34"><filename>Packages/mod_ssl-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-devel-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-debuginfo-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-tools-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-manual-2.2.34-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-tools-2.2.34-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.12.amzn1"
version="2.2.34"><filename>Packages/mod_ssl-2.2.34-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-debuginfo-2.2.34-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-devel-2.2.34-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.12.amzn1" version="2.2.34"><filename>Packages/httpd-2.2.34-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-893</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-893: important priority package update for mercurial</title><issued date="2017-09-13 22:52" /><updated date="2017-09-14 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000116:
A shell command injection flaw related to the handling of &quot;ssh&quot; URLs has been discovered in Mercurial. This can be exploited to execute shell commands with the privileges of the user running the Mercurial client, for example, when performing a &quot;checkout&quot; or &quot;update&quot; action on a sub-repository within a malicious repository or a legitimate repository containing a malicious commit.
1479915:
CVE-2017-1000116 mercurial: command injection on clients through malicious ssh URLs

CVE-2017-1000115:
1480330:
CVE-2017-1000115 Mercurial: pathaudit: path traversal via symlink
A vulnerability was found in the way Mercurial handles path auditing and caches the results.
An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116" id="CVE-2017-1000116" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115" id="CVE-2017-1000115" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mercurial-python27" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-python27-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="emacs-mercurial" release="1.29.amzn1" version="4.2.3"><filename>Packages/emacs-mercurial-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-debuginfo" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-debuginfo-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-common" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-common-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mercurial-python26" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-python26-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="emacs-mercurial-el" release="1.29.amzn1" version="4.2.3"><filename>Packages/emacs-mercurial-el-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-common" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-common-4.2.3-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="emacs-mercurial" release="1.29.amzn1" version="4.2.3"><filename>Packages/emacs-mercurial-4.2.3-1.29.amzn1.i686.rpm</filename></package><package arch="i686"
epoch="0" name="mercurial-python26" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-python26-4.2.3-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-debuginfo" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-debuginfo-4.2.3-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mercurial-python27" release="1.29.amzn1" version="4.2.3"><filename>Packages/mercurial-python27-4.2.3-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="emacs-mercurial-el" release="1.29.amzn1" version="4.2.3"><filename>Packages/emacs-mercurial-el-4.2.3-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-894</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-894: low priority package update for nginx</title><issued date="2017-09-13 23:19" /><updated date="2017-09-14 22:22" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7529:
1468584:
CVE-2017-7529 nginx: Integer overflow in nginx range filter module leading to memory disclosure
A flaw within the processing of ranged HTTP requests has been discovered in the range filter module of nginx. A remote attacker could possibly exploit this flaw to disclose parts of the cache file header, or, if used in combination with third party modules, disclose potentially sensitive memory by sending specially crafted HTTP requests.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529" id="CVE-2017-7529" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx-all-modules" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-all-modules-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-geoip" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-geoip-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-debuginfo-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-mail" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-mail-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-stream" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-stream-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-xslt-filter" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-xslt-filter-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-image-filter" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-image-filter-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-perl" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-perl-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx-all-modules" release="1.32.amzn1"
version="1.12.1"><filename>Packages/nginx-all-modules-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-geoip" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-geoip-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-mail" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-mail-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-debuginfo-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-xslt-filter" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-xslt-filter-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-perl" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-perl-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-stream" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-stream-1.12.1-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-image-filter" release="1.32.amzn1" version="1.12.1"><filename>Packages/nginx-mod-http-image-filter-1.12.1-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-895</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-895: important priority package update for aws-cfn-bootstrap</title><issued date="2017-09-14 17:08" /><updated date="2017-09-14 22:32" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-PENDING:
New optional parameter "umask" introduced into cfn-hup.conf file in order to configure the cfn-hup daemon's umask.;'
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-PENDING" id="CVE-PENDING" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="aws-cfn-bootstrap" release="22.14.amzn1" version="1.4"><filename>Packages/aws-cfn-bootstrap-1.4-22.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-896</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-896: important priority package update for httpd24 httpd</title><issued date="2017-09-18 15:32" /><updated date="2017-09-18 18:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9798:
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798" id="CVE-2017-9798" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-tools" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-tools-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-devel" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-devel-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.15.amzn1" version="2.2.34"><filename>Packages/mod_ssl-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-manual-2.2.34-1.15.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-debuginfo-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-tools-2.2.34-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-devel-2.2.34-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.15.amzn1" version="2.2.34"><filename>Packages/mod_ssl-2.2.34-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.15.amzn1" version="2.2.34"><filename>Packages/httpd-2.2.34-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.15.amzn1"
version="2.2.34"><filename>Packages/httpd-debuginfo-2.2.34-1.15.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_ldap-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-debuginfo-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-tools-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_proxy_html-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-devel-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-manual-2.4.27-3.73.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_ssl-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_session-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_proxy_html-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="3.73.amzn1" 
version="2.4.27"><filename>Packages/mod24_session-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-devel-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-debuginfo-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="3.73.amzn1" version="2.4.27"><filename>Packages/httpd24-tools-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_ssl-2.4.27-3.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="3.73.amzn1" version="2.4.27"><filename>Packages/mod24_ldap-2.4.27-3.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-897</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-897: medium priority package update for kernel</title><issued date="2017-09-18 15:41" /><updated date="2017-09-18 18:28" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12134:
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12134" id="CVE-2017-12134" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-tools-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="17.39.amzn1" version="4.9.43"><filename>Packages/perf-debuginfo-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="17.39.amzn1" version="4.9.43"><filename>Packages/perf-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-tools-devel-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-headers-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-devel-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="17.39.amzn1"
version="4.9.43"><filename>Packages/kernel-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-devel-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-tools-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="17.39.amzn1" version="4.9.43"><filename>Packages/perf-debuginfo-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-headers-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-tools-devel-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="17.39.amzn1" version="4.9.43"><filename>Packages/perf-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-debuginfo-common-i686-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="17.39.amzn1" version="4.9.43"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.39.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="17.39.amzn1" 
version="4.9.43"><filename>Packages/kernel-doc-4.9.43-17.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-898</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-898: medium priority package update for openssh</title><issued date="2017-10-03 11:00" /><updated date="2017-10-03 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6515:
1364935:
CVE-2016-6515 openssh: Denial of service via very long passwords
It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords.

CVE-2016-6210:
A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses.
1357442:
CVE-2016-6210 openssh: User enumeration via covert timing channel

CVE-2016-10012:
It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process.
1406293:
CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support

CVE-2016-10011:
1406286:
CVE-2016-10011 openssh: Leak of host private key material to privilege-separated child process via realloc()
It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information.

CVE-2016-10009:
1406269:
CVE-2016-10009 openssh: loading of untrusted PKCS#11 modules in ssh-agent
It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009" id="CVE-2016-10009" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210" id="CVE-2016-6210" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515" id="CVE-2016-6515" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011" id="CVE-2016-10011" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012" id="CVE-2016-10012" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-ldap" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-ldap-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="11.68.amzn1"
version="7.4p1"><filename>Packages/openssh-server-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-keycat-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="1.11.68.amzn1" version="0.10.3"><filename>Packages/pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-cavs" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-cavs-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-debuginfo-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-clients-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-ldap-7.4p1-11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="1.11.68.amzn1" version="0.10.3"><filename>Packages/pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-cavs" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-cavs-7.4p1-11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-7.4p1-11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="11.68.amzn1" 
version="7.4p1"><filename>Packages/openssh-debuginfo-7.4p1-11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-keycat-7.4p1-11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-server-7.4p1-11.68.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="11.68.amzn1" version="7.4p1"><filename>Packages/openssh-clients-7.4p1-11.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-899</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-899: important priority package update for nagios</title><issued date="2017-10-03 11:00" /><updated date="2017-10-03 11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9566:
1402869:
CVE-2016-9566 nagios: Privilege escalation issue
A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the &#039;nagios&#039; user/group) could use this flaw to elevate their privileges to root.

CVE-2014-5009:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
1121497:
CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws

CVE-2014-5008:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
1121497:
CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws

CVE-2014-1878:
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.
1066578:
CVE-2014-1878 nagios: possible buffer overflows in cmd.cgi

CVE-2013-7205:
1046113:
CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars()
Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

CVE-2013-7108:
1046113:
CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars()
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

CVE-2013-4214:
958002:
CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.

CVE-2008-7313:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
1121497:
CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws

CVE-2008-4796:
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.
469320:
CVE-2008-4796 snoopy: command execution via shell metacharacters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7108" id="CVE-2013-7108" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1878" id="CVE-2014-1878" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5009" id="CVE-2014-5009" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5008" id="CVE-2014-5008" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566" id="CVE-2016-9566" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7205" id="CVE-2013-7205" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4214" id="CVE-2013-4214" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796" id="CVE-2008-4796" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7313" id="CVE-2008-7313" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nagios" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-common" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-common-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-debuginfo" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-debuginfo-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nagios-devel" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-devel-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nagios-devel" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-devel-3.5.1-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios-common" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-common-3.5.1-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios-debuginfo" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-debuginfo-3.5.1-2.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nagios" release="2.10.amzn1" version="3.5.1"><filename>Packages/nagios-3.5.1-2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-900</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-900: important priority package update for file</title><issued date="2017-10-03 11:00" /><updated date="2017-10-03 11:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000249:
1488053:
CVE-2017-1000249 file: Stack-based buffer overflow in do_bid_note()
An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000249" id="CVE-2017-1000249" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="file-debuginfo" release="11.34.amzn1" version="5.30"><filename>Packages/file-debuginfo-5.30-11.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="11.34.amzn1" version="5.30"><filename>Packages/file-5.30-11.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="11.34.amzn1" version="5.30"><filename>Packages/file-static-5.30-11.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-devel" release="11.34.amzn1" version="5.30"><filename>Packages/file-devel-5.30-11.34.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python27-magic" release="11.34.amzn1" version="5.30"><filename>Packages/python27-magic-5.30-11.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python26-magic" release="11.34.amzn1" version="5.30"><filename>Packages/python26-magic-5.30-11.34.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="11.34.amzn1" version="5.30"><filename>Packages/file-libs-5.30-11.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0"
name="file-debuginfo" release="11.34.amzn1" version="5.30"><filename>Packages/file-debuginfo-5.30-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file" release="11.34.amzn1" version="5.30"><filename>Packages/file-5.30-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="11.34.amzn1" version="5.30"><filename>Packages/file-devel-5.30-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="11.34.amzn1" version="5.30"><filename>Packages/file-libs-5.30-11.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="11.34.amzn1" version="5.30"><filename>Packages/file-static-5.30-11.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-901</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-901: medium priority package update for kernel</title><issued date="2017-10-03 11:00" /><updated date="2017-10-03 11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7558:
1480266:
CVE-2017-7558 kernel: Out of bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() in SCTP stack
A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket&#039;s diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.

CVE-2017-14497:
1492593:
CVE-2017-14497 kernel: buffer overflow in tpacket_rcv() in net/packet/af_packet.c
A buffer overflow was discovered in tpacket_rcv() function in the Linux kernel since v4.6-rc1 through v4.13. A number of socket-related syscalls can be made to set up a configuration when each packet received by a network interface can cause writing up to 10 bytes to a kernel memory outside of a kernel buffer. This can cause unspecified kernel data corruption effects, including damage of in-memory and on-disk XFS data.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14497" id="CVE-2017-14497" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7558" id="CVE-2017-7558" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-debuginfo-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="10.52.amzn1" version="4.9.51"><filename>Packages/perf-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-headers-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="10.52.amzn1" version="4.9.51"><filename>Packages/perf-debuginfo-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="10.52.amzn1"
version="4.9.51"><filename>Packages/kernel-tools-devel-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-devel-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-tools-debuginfo-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-tools-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-debuginfo-common-i686-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="10.52.amzn1" version="4.9.51"><filename>Packages/perf-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-debuginfo-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-tools-debuginfo-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-tools-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="10.52.amzn1" 
version="4.9.51"><filename>Packages/kernel-headers-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-tools-devel-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-devel-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="10.52.amzn1" version="4.9.51"><filename>Packages/perf-debuginfo-4.9.51-10.52.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="10.52.amzn1" version="4.9.51"><filename>Packages/kernel-doc-4.9.51-10.52.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-902</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-902: medium priority package update for poppler</title><issued date="2017-09-28 22:45" /><updated date="2017-09-29 21:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9776:
1466443:
CVE-2017-9776 poppler: Integer overflow in JBIG2Stream.cc
An integer overflow leading to heap-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash, or potentially execute arbitrary code when opened.

CVE-2017-9775:
1466442:
CVE-2017-9775 poppler: Stack-buffer overflow in GfxState.cc
A stack-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash, or potentially execute arbitrary code when opened.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775" id="CVE-2017-9775" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776" id="CVE-2017-9776" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="poppler-cpp" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib-devel" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-glib-devel-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-devel" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-devel-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-glib-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-debuginfo" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-debuginfo-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-utils" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-utils-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-cpp-devel" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-devel-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp-devel" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-devel-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="poppler-cpp" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-debuginfo" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-debuginfo-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib-devel" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-glib-devel-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-glib-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-utils" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-utils-0.26.5-17.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-devel" release="17.17.amzn1" version="0.26.5"><filename>Packages/poppler-devel-0.26.5-17.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-903</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-903: medium priority package update for tomcat7 tomcat8</title><issued date="2017-10-02 16:47" /><updated date="2017-10-02 21:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7674:
1480618:
CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin.
This permitted client and server side cache poisoning in some circumstances.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674" id="CVE-2017-7674" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-lib-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-webapps-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-javadoc-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-servlet-3.0-api-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-docs-webapp-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-log4j-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-el-2.2-api-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-jsp-2.2-api-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps"
release="1.29.amzn1" version="7.0.81"><filename>Packages/tomcat7-admin-webapps-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-servlet-3.1-api-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-docs-webapp-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-el-3.0-api-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-log4j-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-webapps-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-admin-webapps-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-javadoc-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-jsp-2.3-api-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.76.amzn1" version="8.0.46"><filename>Packages/tomcat8-lib-8.0.46-1.76.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-904</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-904: medium priority package update for cacti</title><issued date="2017-10-02 16:54" /><updated date="2017-10-02 22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12978:
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.

CVE-2017-12927:
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927" id="CVE-2017-12927" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12978" id="CVE-2017-12978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="1.17.amzn1" version="1.1.19"><filename>Packages/cacti-1.1.19-1.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-905</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-905: medium priority package update for 389-ds-base</title><issued date="2017-10-02 16:55" /><updated date="2017-10-02 21:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7551:
1477669:
CVE-2017-7551 389-ds-base: Password brute-force possible for locked account due to different return codes
A flaw was found in the way 389-ds-base handled authentication attempts against locked accounts.
A remote attacker could potentially use this flaw to continue password brute-forcing attacks against LDAP accounts, thereby bypassing the protection offered by the directory server&#039;s password lockout policy.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7551" id="CVE-2017-7551" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-libs-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-snmp-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-devel-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-libs-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-devel-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="19.51.amzn1"
version="1.3.6.1"><filename>Packages/389-ds-base-snmp-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="19.51.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-19.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-906</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-906: medium priority package update for ruby22 ruby23</title><issued date="2017-10-02 17:01" /><updated date="2018-01-18 20:17" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14064:
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a &#039;\\0&#039; byte, returning a pointer to a string of length zero, which is not the length stored in space_len.
1487552:
CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call

CVE-2017-14033:
1491866:
CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

CVE-2017-10784:
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
1492012:
CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick

CVE-2017-0903:
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
1500488:
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications

CVE-2017-0902:
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
1487589:
CVE-2017-0902 rubygems: DNS hijacking vulnerability

CVE-2017-0901:
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
1487587:
CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name

CVE-2017-0900:
1487588:
CVE-2017-0900 rubygems: No size limit in summary length of gem spec
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

CVE-2017-0899:
1487590:
CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

CVE-2017-0898:
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value.
Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.
1492015:
CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf

CVE-2015-9096:
A SMTP command injection flaw was found in the way Ruby&#039;s Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands in a SMTP session in order to facilitate phishing attacks or spam campaigns.
1461846:
CVE-2015-9096 ruby: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096" id="CVE-2015-9096" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784" id="CVE-2017-10784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033" id="CVE-2017-14033" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900" id="CVE-2017-0900" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901" id="CVE-2017-0901" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902" id="CVE-2017-0902" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903" id="CVE-2017-0903" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898" id="CVE-2017-0898" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899" id="CVE-2017-0899" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064" id="CVE-2017-14064" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64"
epoch="0" name="ruby22" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-devel" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-devel-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-irb" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-irb-2.2.8-1.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-debuginfo" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-debuginfo-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22-devel" release="1.9.amzn1" version="2.4.5.2"><filename>Packages/rubygems22-devel-2.4.5.2-1.9.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22" release="1.9.amzn1" version="2.4.5.2"><filename>Packages/rubygems22-2.4.5.2-1.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-bigdecimal" release="1.9.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-libs" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-libs-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-doc" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-doc-2.2.8-1.9.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-psych" release="1.9.amzn1" version="2.0.8.1"><filename>Packages/rubygem22-psych-2.0.8.1-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-io-console" release="1.9.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-libs" release="1.9.amzn1" 
version="2.2.8"><filename>Packages/ruby22-libs-2.2.8-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-psych" release="1.9.amzn1" version="2.0.8.1"><filename>Packages/rubygem22-psych-2.0.8.1-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-debuginfo" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-debuginfo-2.2.8-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-2.2.8-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-devel" release="1.9.amzn1" version="2.2.8"><filename>Packages/ruby22-devel-2.2.8-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-io-console" release="1.9.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-bigdecimal" release="1.9.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-json" release="1.17.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-doc" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-doc-2.3.5-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem23-did_you_mean" release="1.17.amzn1" version="1.0.0"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23-devel" release="1.17.amzn1" version="2.5.2.1"><filename>Packages/rubygems23-devel-2.5.2.1-1.17.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23" release="1.17.amzn1" 
version="2.5.2.1"><filename>Packages/rubygems23-2.5.2.1-1.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-debuginfo" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-debuginfo-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-psych" release="1.17.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-libs" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-libs-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-irb" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-irb-2.3.5-1.17.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-bigdecimal" release="1.17.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-io-console" release="1.17.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-devel" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-devel-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-psych" release="1.17.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-io-console" release="1.17.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-json" release="1.17.amzn1" 
version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-devel" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-devel-2.3.5-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-debuginfo" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-debuginfo-2.3.5-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-2.3.5-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-bigdecimal" release="1.17.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-libs" release="1.17.amzn1" version="2.3.5"><filename>Packages/ruby23-libs-2.3.5-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-907</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-907: critical priority package update for dnsmasq</title><issued date="2017-10-02 17:05" /><updated date="2017-10-02 21:47" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12239 CVE-2017-14496: 12240 An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet. 
1495416:
CVE-2017-14496 dnsmasq: integer underflow leading to buffer over-read in the EDNS0 code

CVE-2017-14495:
1495415:
CVE-2017-14495 dnsmasq: memory exhaustion vulnerability in the EDNS0 code
A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets which would trigger memory allocations which would never be freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.

CVE-2017-14494:
An information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data.
1495412:
CVE-2017-14494 dnsmasq: information leak in the DHCPv6 relay code

CVE-2017-14493:
A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to a crash or, potentially, execute arbitrary code.
1495411:
CVE-2017-14493 dnsmasq: stack buffer overflow in the DHCPv6 code

CVE-2017-14492:
1495410:
CVE-2017-14492 dnsmasq: heap overflow in the IPv6 router advertisement code
A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.
12263 12264 CVE-2017-14491: 12265 1495409: 12266 CVE-2017-14491 dnsmasq: heap overflow in the code responsible for building DNS replies 12267 A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. 12268 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494" id="CVE-2017-14494" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495" id="CVE-2017-14495" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496" id="CVE-2017-14496" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491" id="CVE-2017-14491" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492" id="CVE-2017-14492" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493" id="CVE-2017-14493" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="dnsmasq-utils" release="2.14.amzn1" version="2.76"><filename>Packages/dnsmasq-utils-2.76-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="dnsmasq-debuginfo" release="2.14.amzn1" version="2.76"><filename>Packages/dnsmasq-debuginfo-2.76-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="dnsmasq" release="2.14.amzn1" version="2.76"><filename>Packages/dnsmasq-2.76-2.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="dnsmasq" release="2.14.amzn1" version="2.76"><filename>Packages/dnsmasq-2.76-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="dnsmasq-debuginfo" release="2.14.amzn1" 
version="2.76"><filename>Packages/dnsmasq-debuginfo-2.76-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="dnsmasq-utils" release="2.14.amzn1" version="2.76"><filename>Packages/dnsmasq-utils-2.76-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-908</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-908: medium priority package update for postgresql96</title><issued date="2017-10-06 16:51" /><updated date="2017-10-10 20:01" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12269 CVE-2017-7547: 12270 1477185: 12271 CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges 12272 An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. 12273 An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. 12274 12275 CVE-2017-7546: 12276 1477184: 12277 CVE-2017-7546 postgresql: Empty password accepted in some authentication methods 12278 It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq&#039;s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. 
12279 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547" id="CVE-2017-7547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546" id="CVE-2017-7546" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql96-devel" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-devel-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-debuginfo" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-debuginfo-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython26" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-plpython26-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-docs" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-docs-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-libs" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-libs-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plperl" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-plperl-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-test" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-test-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython27" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-plpython27-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-static" release="1.77.amzn1" 
version="9.6.4"><filename>Packages/postgresql96-static-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-contrib" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-contrib-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-server" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-server-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-test" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-test-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-debuginfo" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-debuginfo-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-devel" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-devel-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plperl" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-plperl-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython26" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-plpython26-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-docs" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-docs-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-server" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-server-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-contrib" release="1.77.amzn1" 
version="9.6.4"><filename>Packages/postgresql96-contrib-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-static" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-static-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-libs" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-libs-9.6.4-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython27" release="1.77.amzn1" version="9.6.4"><filename>Packages/postgresql96-plpython27-9.6.4-1.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-909</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-909: medium priority package update for samba</title><issued date="2017-10-12 19:37" /><updated date="2017-10-13 00:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12280 CVE-2017-12163: 12281 An information leak flaw was found in the way SMB1 protocol was implemented by Samba. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker. 12282 1491206: 12283 CVE-2017-12163 Samba: Server memory information leak over SMB1 12284 12285 CVE-2017-12151: 12286 A flaw was found in the way samba client used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack. 
12287 1488197: 12288 CVE-2017-12151 samba: SMB2 connections don't keep encryption across DFS redirects 12289 12290 CVE-2017-12150: 12291 1488400: 12292 CVE-2017-12150 samba: Some code path don't enforce smb signing, when they should 12293 It was found that samba did not enforce &quot;SMB signing&quot; when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text. 12294 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163" id="CVE-2017-12163" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12151" id="CVE-2017-12151" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150" id="CVE-2017-12150" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ctdb-tests" release="11.36.amzn1" version="4.6.2"><filename>Packages/ctdb-tests-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="11.36.amzn1" version="4.6.2"><filename>Packages/libsmbclient-devel-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-devel-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-test-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-common-tools-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-debuginfo-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="samba-test-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-test-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="11.36.amzn1" version="4.6.2"><filename>Packages/ctdb-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-client-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="11.36.amzn1" version="4.6.2"><filename>Packages/libsmbclient-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-client-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient" release="11.36.amzn1" version="4.6.2"><filename>Packages/libwbclient-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="11.36.amzn1" version="4.6.2"><filename>Packages/libwbclient-devel-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-pidl-4.6.2-11.36.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-krb5-locator-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-krb5-printing" release="11.36.amzn1" 
version="4.6.2"><filename>Packages/samba-krb5-printing-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-common-4.6.2-11.36.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-python-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-common-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-clients-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-modules-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-test-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-client-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="11.36.amzn1" version="4.6.2"><filename>Packages/libsmbclient-devel-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="11.36.amzn1" 
version="4.6.2"><filename>Packages/ctdb-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-krb5-locator-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-test-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-clients-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-common-tools-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="11.36.amzn1" version="4.6.2"><filename>Packages/ctdb-tests-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="11.36.amzn1" version="4.6.2"><filename>Packages/libsmbclient-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-common-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="11.36.amzn1" version="4.6.2"><filename>Packages/libwbclient-devel-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="11.36.amzn1" version="4.6.2"><filename>Packages/libwbclient-4.6.2-11.36.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="samba-python" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-python-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-debuginfo-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-client-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-devel-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-krb5-printing" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-krb5-printing-4.6.2-11.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="11.36.amzn1" version="4.6.2"><filename>Packages/samba-winbind-modules-4.6.2-11.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-910</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-910: medium priority package update for git</title><issued date="2017-10-12 19:39" /><updated date="2017-10-13 00:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12295 CVE-2017-NONE: 12296 git cvsserver no longer is invoked by git shell by default, as it is old and largely unmaintained. 
12297 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-NONE" id="CVE-2017-NONE" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="git-all" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-all-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-debuginfo-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-p4-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="1.55.amzn1" version="2.13.6"><filename>Packages/emacs-git-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-email-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-svn-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="1.55.amzn1" version="2.13.6"><filename>Packages/gitweb-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-hg-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-bzr-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="1.55.amzn1" 
version="2.13.6"><filename>Packages/perl-Git-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="1.55.amzn1" version="2.13.6"><filename>Packages/emacs-git-el-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-daemon-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-cvs-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="1.55.amzn1" version="2.13.6"><filename>Packages/perl-Git-SVN-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-svn-2.13.6-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-daemon-2.13.6-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-2.13.6-1.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="1.55.amzn1" version="2.13.6"><filename>Packages/git-debuginfo-2.13.6-1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-911</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-911: important priority package update for nss</title><issued date="2017-10-12 19:41" /><updated date="2017-10-13 00:10" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12298 CVE-2017-7805: 12299 1471171: 12300 CVE-2017-7805 nss: Potential use-after-free in TLS 1.2 server when 
verifying client authentication
A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7805" id="CVE-2017-7805" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-pkcs11-devel-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-devel-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-debuginfo" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-debuginfo-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-sysinit-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-tools-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-tools-3.28.4-12.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-debuginfo-3.28.4-12.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss"
release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-3.28.4-12.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-sysinit-3.28.4-12.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-pkcs11-devel-3.28.4-12.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="12.80.amzn1" version="3.28.4"><filename>Packages/nss-devel-3.28.4-12.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-912</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-912: important priority package update for emacs</title><issued date="2017-10-12 20:38" /><updated date="2017-10-13 00:11" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14482:
A command injection flaw within the Emacs &quot;enriched mode&quot; handling has been discovered. By tricking an unsuspecting user into opening a specially crafted file using Emacs, a remote attacker could exploit this flaw to execute arbitrary commands with the privileges of the Emacs user.
1490409:
CVE-2017-14482 emacs: command injection flaw within "enriched mode" handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14482" id="CVE-2017-14482" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="emacs" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-24.3-20.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="emacs-el" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-el-24.3-20.22.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="emacs-common" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-common-24.3-20.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="emacs-debuginfo" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-debuginfo-24.3-20.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="emacs-common" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-common-24.3-20.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="emacs" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-24.3-20.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="emacs-debuginfo" release="20.22.amzn1" version="24.3"><filename>Packages/emacs-debuginfo-24.3-20.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-913</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-913: important priority package update for tomcat8 tomcat80 tomcat7</title><issued date="2017-10-26 16:29" /><updated date="2017-10-26 22:56" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12617:
1494283:
CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617" id="CVE-2017-12617" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-admin-webapps-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-javadoc-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-el-3.0-api-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-docs-webapp-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-log4j-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-webapps-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.75.amzn1"
version="8.5.23"><filename>Packages/tomcat8-jsp-2.3-api-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-lib-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.75.amzn1" version="8.5.23"><filename>Packages/tomcat8-servlet-3.1-api-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-log4j" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-log4j-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-jsp-2.3-api" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-jsp-2.3-api-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-admin-webapps" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-admin-webapps-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-webapps" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-webapps-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-el-3.0-api" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-el-3.0-api-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-lib" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-lib-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-servlet-3.1-api" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-servlet-3.1-api-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-docs-webapp" 
release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-docs-webapp-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-javadoc" release="1.78.amzn1" version="8.0.47"><filename>Packages/tomcat80-javadoc-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-javadoc-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-lib-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-admin-webapps-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-webapps-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-log4j-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-el-2.2-api-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-docs-webapp-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.30.amzn1" version="7.0.82"><filename>Packages/tomcat7-jsp-2.2-api-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.30.amzn1" 
version="7.0.82"><filename>Packages/tomcat7-servlet-3.0-api-7.0.82-1.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-914</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-914: important priority package update for kernel</title><issued date="2017-10-26 16:43" /><updated date="2017-10-26 23:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15274:
1500391:
CVE-2017-15274 kernel: dereferencing NULL payload with nonzero length
A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).

CVE-2017-14991:
The sg_ioctl() function in &#039;drivers/scsi/sg.c&#039; in the Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for &#039;/dev/sg0&#039;.
1500366:
CVE-2017-14991 kernel: Information leak in the scsi driver

CVE-2017-14340:
A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic.
1491344:
CVE-2017-14340 kernel: xfs: unprivileged user kernel oops

CVE-2017-12192:


CVE-2017-12154:
Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts.
As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS.
1491224:
CVE-2017-12154 Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register

CVE-2017-1000251:
A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges.
1489716:
CVE-2017-1000251 kernel: stack buffer overflow in the native Bluetooth stack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251" id="CVE-2017-1000251" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15274" id="CVE-2017-15274" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14340" id="CVE-2017-14340" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14991" id="CVE-2017-14991" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12192" id="CVE-2017-12192" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12154" id="CVE-2017-12154" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-tools-debuginfo-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-devel-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-debuginfo-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="18.51.amzn1"
version="4.9.58"><filename>Packages/perf-debuginfo-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-tools-devel-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-tools-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="18.51.amzn1" version="4.9.58"><filename>Packages/perf-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-headers-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-headers-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="18.51.amzn1" version="4.9.58"><filename>Packages/perf-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="18.51.amzn1" version="4.9.58"><filename>Packages/perf-debuginfo-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-devel-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-tools-debuginfo-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="18.51.amzn1" 
version="4.9.58"><filename>Packages/kernel-debuginfo-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-tools-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-tools-devel-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-debuginfo-common-i686-4.9.58-18.51.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="18.51.amzn1" version="4.9.58"><filename>Packages/kernel-doc-4.9.58-18.51.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-915</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-915: medium priority package update for ruby24</title><issued date="2017-10-26 17:01" /><updated date="2018-01-18 20:17" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14064:
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a &#039;\\0&#039; byte, returning a pointer to a string of length zero, which is not the length stored in space_len.
1487552:
CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call

CVE-2017-14033:
1491866:
CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

CVE-2017-10784:
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
1492012:
CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick

CVE-2017-0903:
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
1500488:
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications

CVE-2017-0902:
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
1487589:
CVE-2017-0902 rubygems: DNS hijacking vulnerability

CVE-2017-0901:
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
1487587:
CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name

CVE-2017-0900:
1487588:
CVE-2017-0900 rubygems: No size limit in summary length of gem spec
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

CVE-2017-0899:
1487590:
CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

CVE-2017-0898:
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.
1492015:
CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064" id="CVE-2017-14064" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784" id="CVE-2017-10784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033" id="CVE-2017-14033" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900" id="CVE-2017-0900" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901" id="CVE-2017-0901" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902" id="CVE-2017-0902" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903" id="CVE-2017-0903" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898" id="CVE-2017-0898" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899" id="CVE-2017-0899" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby24-devel" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-devel-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem24-did_you_mean" release="1.30.4.amzn1" version="1.1.0"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24" release="1.30.4.amzn1" version="2.6.13"><filename>Packages/rubygems24-2.6.13-1.30.4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-xmlrpc" release="1.30.4.amzn1"
version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24-devel" release="1.30.4.amzn1" version="2.6.13"><filename>Packages/rubygems24-devel-2.6.13-1.30.4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-json" release="1.30.4.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-bigdecimal" release="1.30.4.amzn1" version="1.3.0"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-debuginfo" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-debuginfo-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-io-console" release="1.30.4.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-libs" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-libs-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-irb" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-irb-2.4.2-1.30.4.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-doc" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-doc-2.4.2-1.30.4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-psych" release="1.30.4.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-bigdecimal" release="1.30.4.amzn1" 
version="1.3.0"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-io-console" release="1.30.4.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-devel" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-devel-2.4.2-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-json" release="1.30.4.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-xmlrpc" release="1.30.4.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-psych" release="1.30.4.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-debuginfo" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-debuginfo-2.4.2-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-2.4.2-1.30.4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-libs" release="1.30.4.amzn1" version="2.4.2"><filename>Packages/ruby24-libs-2.4.2-1.30.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-916</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-916: important priority package update for wget</title><issued date="2017-10-26 19:41" /><updated date="2017-10-26 23:12" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-13090:
1505445:
CVE-2017-13090 wget: Heap-based buffer overflow in HTTP protocol handling
A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.

CVE-2017-13089:
A stack-based buffer overflow when processing chunked, encoded HTTP responses was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.
1505444:
CVE-2017-13089 wget: Stack-based buffer overflow in HTTP protocol handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090" id="CVE-2017-13090" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089" id="CVE-2017-13089" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wget" release="3.28.amzn1" version="1.18"><filename>Packages/wget-1.18-3.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wget-debuginfo" release="3.28.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-3.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wget-debuginfo" release="3.28.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-3.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wget" release="3.28.amzn1" version="1.18"><filename>Packages/wget-1.18-3.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-917</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-917: critical priority package update for
java-1.8.0-openjdk</title><issued date="2017-10-26 19:46" /><updated date="2017-10-26 23:27" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10388:
1502038:
CVE-2017-10388 OpenJDK: use of unprotected sname in Kerberos client (Libraries, 8178794)
It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients.

CVE-2017-10357:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
12403 1502614: 12404 CVE-2017-10357 OpenJDK: unbounded memory allocation in ObjectInputStream deserialization (Serialization, 8181597) 12405 12406 CVE-2017-10356: 12407 1503169: 12408 CVE-2017-10356 OpenJDK: weak protection of key stores against brute forcing (Security, 8181692) 12409 It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store. 12410 12411 CVE-2017-10355: 12412 1502869: 12413 CVE-2017-10355 OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612) 12414 It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server. 12415 12416 CVE-2017-10350: 12417 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). 
CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 12418 1502640: 12419 CVE-2017-10350 OpenJDK: unbounded memory allocation in JAXWSExceptionBase deserialization (JAX-WS, 8181100) 12420 12421 CVE-2017-10349: 12422 1502611: 12423 CVE-2017-10349 OpenJDK: unbounded memory allocation in PredicatedNodeTest deserialization (JAXP, 8181327) 12424 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 12425 12426 CVE-2017-10348: 12427 1502629: 12428 CVE-2017-10348 OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432) 12429 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 12430 12431 CVE-2017-10347: 12432 1502632: 12433 CVE-2017-10347 OpenJDK: unbounded memory allocation in SimpleTimeZone deserialization (Serialization, 8181323) 12434 Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 
12435 12436 CVE-2017-10346: 12437 1501873: 12438 CVE-2017-10346 OpenJDK: insufficient loader constraints checks for invokespecial (Hotspot, 8180711) 12439 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). 12440 12441 CVE-2017-10345: 12442 1502858: 12443 CVE-2017-10345 OpenJDK: unbounded resource use in JceKeyStore deserialization (Serialization, 8181370) 12444 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L). 12445 12446 CVE-2017-10295: 12447 It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request. 12448 1502687: 12449 CVE-2017-10295 OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751) 12450 12451 CVE-2017-10285: 12452 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). 12453 1501868: 12454 CVE-2017-10285 OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966) 12455 12456 CVE-2017-10281: 12457 1502649: 12458 CVE-2017-10281 OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109) 12459 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). 12460 12461 CVE-2017-10274: 12462 1502053: 12463 CVE-2017-10274 OpenJDK: CardImpl incorrect state handling (Smart Card IO, 8169026) 12464 Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. 
Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N). 12465 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281" id="CVE-2017-10281" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345" id="CVE-2017-10345" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10346" id="CVE-2017-10346" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10347" id="CVE-2017-10347" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285" id="CVE-2017-10285" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356" id="CVE-2017-10356" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355" id="CVE-2017-10355" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10295" id="CVE-2017-10295" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10348" id="CVE-2017-10348" title="" 
type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10349" id="CVE-2017-10349" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10350" id="CVE-2017-10350" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274" id="CVE-2017-10274" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10357" id="CVE-2017-10357" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388" id="CVE-2017-10388" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.151-1.b12.35.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.151-1.b12.35.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="1" name="java-1.8.0-openjdk-demo" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="1.b12.35.amzn1" version="1.8.0.151"><filename>Packages/java-1.8.0-openjdk-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-918</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-918: medium priority package update for golang</title><issued date="2017-11-02 20:17" /><updated date="2017-11-03 05:50" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12466 CVE-2017-15042: 12467 1498867: 12468 CVE-2017-15042 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting 12469 An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn&#039;t advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. 12470 12471 CVE-2017-15041: 12472 1498870: 12473 CVE-2017-15041 golang: arbitrary code execution during go get or go get -d 12474 Go before 1.8.4 and 1.9.x before 1.9.1 allows &quot;go get&quot; remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, &quot;go get&quot; can be tricked into reusing this Git checkout for the fetch of code from pkg2. 
If the Subversion repository&#039;s Git checkout has malicious commands in .git/hooks/, they will execute on the system running &quot;go get.&quot; 12475 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15041" id="CVE-2017-15041" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15042" id="CVE-2017-15042" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="golang-bin" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-bin-1.8.4-1.41.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-tests-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-src-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-docs-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-race" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-race-1.8.4-1.41.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-misc-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-1.8.4-1.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.41.amzn1" version="1.8.4"><filename>Packages/golang-bin-1.8.4-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.41.amzn1" 
version="1.8.4"><filename>Packages/golang-1.8.4-1.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-919</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-919: medium priority package update for curl</title><issued date="2017-11-02 20:18" /><updated date="2017-11-03 05:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12476 CVE-2017-1000254: 12477 1495541: 12478 CVE-2017-1000254 curl: FTP PWD response parser out of bounds read 12479 libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. 
In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. 12480 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254" id="CVE-2017-1000254" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="11.78.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="11.78.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="11.78.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="11.78.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="11.78.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-11.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="11.78.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-11.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="11.78.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-11.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="11.78.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-11.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-920</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-920: medium priority package update for 
openvpn</title><issued date="2017-11-02 20:19" /><updated date="2017-11-03 05:54" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12481 CVE-2017-12166: 12482 Stuff 12483 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166" id="CVE-2017-12166" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openvpn-debuginfo" release="1.21.amzn1" version="2.4.4"><filename>Packages/openvpn-debuginfo-2.4.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn-devel" release="1.21.amzn1" version="2.4.4"><filename>Packages/openvpn-devel-2.4.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openvpn" release="1.21.amzn1" version="2.4.4"><filename>Packages/openvpn-2.4.4-1.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-debuginfo" release="1.21.amzn1" version="2.4.4"><filename>Packages/openvpn-debuginfo-2.4.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn" release="1.21.amzn1" version="2.4.4"><filename>Packages/openvpn-2.4.4-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openvpn-devel" release="1.21.amzn1" version="2.4.4"><filename>Packages/openvpn-devel-2.4.4-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-921</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-921: medium priority package update for httpd</title><issued date="2017-11-02 20:21" /><updated date="2017-11-03 05:56" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12484 CVE-2017-12171: 
12485 1493056: 12486 CVE-2017-12171 httpd: # character matches all IPs 12487 A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the &quot;Allow&quot; and &quot;Deny&quot; configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource. 12488 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12171" id="CVE-2017-12171" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd-devel" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-devel-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod_ssl" release="1.16.amzn1" version="2.2.34"><filename>Packages/mod_ssl-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd-manual" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-manual-2.2.34-1.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-debuginfo-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd-tools" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-tools-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="mod_ssl" release="1.16.amzn1" version="2.2.34"><filename>Packages/mod_ssl-2.2.34-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-tools" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-tools-2.2.34-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-devel" 
release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-devel-2.2.34-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-2.2.34-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd-debuginfo" release="1.16.amzn1" version="2.2.34"><filename>Packages/httpd-debuginfo-2.2.34-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-922</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-922: medium priority package update for curl</title><issued date="2017-11-15 19:54" /><updated date="2017-11-20 21:37" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12489 CVE-2017-1000257: 12490 A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application. 
12491 1503705: 12492 CVE-2017-1000257 curl: IMAP FETCH response out of bounds read 12493 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257" id="CVE-2017-1000257" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl-debuginfo" release="12.79.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="12.79.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="12.79.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="12.79.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="12.79.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-12.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="12.79.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-12.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="12.79.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-12.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="12.79.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-12.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-923</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-923: medium priority package update for cacti</title><issued date="2017-11-15 19:56" /><updated date="2017-11-20 
21:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15194:
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15194" id="CVE-2017-15194" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="cacti" release="2.18.amzn1" version="1.1.19"><filename>Packages/cacti-1.1.19-2.18.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-924</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-924: important priority package update for php56 php70 php71</title><issued date="2017-11-15 20:05" /><updated date="2017-11-20 21:40" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1283:
1295385:
CVE-2016-1283 pcre: heap buffer overflow in handling of duplicate named groups (8.39/14)
The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\\&quot;){99}-))(?J)(?&#039;R&#039;(?&#039;R&#039;&lt;((?&#039;RR&#039;(?&#039;R&#039;\\){97)?J)?J)(?&#039;R&#039;(?&#039;R&#039;\\){99|(:(?|(?&#039;R&#039;)(\\k&#039;R&#039;)|((?&#039;R&#039;)))H&#039;R&#039;R)(H&#039;R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283" id="CVE-2016-1283" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-ldap" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-ldap-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-gmp-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-common-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-xml-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-snmp-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-pgsql-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-pspell-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-cli-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-fpm-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" 
release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-process-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-mcrypt-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-opcache-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-enchant-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-mssql-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-dba-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-dbg-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-gd-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-embedded-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-recode-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-tidy-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.135.amzn1" 
version="5.6.32"><filename>Packages/php56-mbstring-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-pdo-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-xmlrpc-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-devel-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-intl-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-bcmath-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-debuginfo-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-soap-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-mysqlnd-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-imap-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-odbc-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.135.amzn1" 
version="5.6.32"><filename>Packages/php56-mbstring-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-snmp-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-opcache-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-debuginfo-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-fpm-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-common-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-odbc-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-mssql-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-embedded-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-process-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-xmlrpc-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-bcmath-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-pgsql" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-pgsql-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-pspell-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-dba-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-mysqlnd-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-recode-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-ldap-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-cli-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-intl-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-xml-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-pdo-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-dbg-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-imap-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-soap" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-soap-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-gmp-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-mcrypt-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-gd-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-enchant-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-tidy-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.135.amzn1" version="5.6.32"><filename>Packages/php56-devel-5.6.32-1.135.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-intl-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-snmp-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-enchant-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-embedded-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php71-gd" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-gd-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-common-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-mbstring-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pdo-dblib-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-soap-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-ldap-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-imap-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-dba-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-json-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-debuginfo-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.28.amzn1" 
version="7.1.11"><filename>Packages/php71-xmlrpc-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-gmp-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-recode-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-opcache-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pspell-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-mcrypt-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-odbc-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-xml-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-fpm-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-dbg-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-process-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pgsql-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php71-cli" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-cli-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-devel-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-bcmath-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-tidy-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-mysqlnd-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pdo-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-xmlrpc-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-mysqlnd-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-gd-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pspell-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-fpm-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-process-7.1.11-1.28.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php71-bcmath" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-bcmath-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-odbc-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pgsql-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pdo-dblib-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-xml-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-opcache-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-embedded-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-json-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-dbg-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-intl-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-pdo-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php71-common" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-common-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-imap-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-tidy-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-snmp-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-cli-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-mcrypt-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-ldap-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-recode-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-gmp-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-soap-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-devel-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-enchant-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php71-dba" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-dba-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-debuginfo-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.28.amzn1" version="7.1.11"><filename>Packages/php71-mbstring-7.1.11-1.28.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-devel-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-dba-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pgsql-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pdo-dblib-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-zip-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-tidy-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-opcache-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-xml-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.25.amzn1" 
version="7.0.25"><filename>Packages/php70-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-dbg-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-mcrypt-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-enchant-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-odbc-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-xmlrpc-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-common-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-gd-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-gmp-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-intl-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pspell-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-mbstring-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-fpm" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-fpm-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-imap-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-mysqlnd-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-ldap-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-snmp-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-json-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-cli-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-soap-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pdo-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-process-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-bcmath-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.25.amzn1" 
version="7.0.25"><filename>Packages/php70-debuginfo-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-recode-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-embedded-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-opcache-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-json-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-xml-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-process-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-devel-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-recode-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-ldap-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-odbc-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-bcmath-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" 
release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-zip-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pspell-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-dba-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-intl-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-gmp-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-soap-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-dbg-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-xmlrpc-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-embedded-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-mbstring-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pdo-dblib-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" 
release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-mcrypt-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-cli-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pgsql-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-fpm-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-mysqlnd-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-debuginfo-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-pdo-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-tidy-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-gd-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-enchant-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-snmp-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-common-7.0.25-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" 
release="1.25.amzn1" version="7.0.25"><filename>Packages/php70-imap-7.0.25-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-925</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-925: medium priority package update for kernel</title><issued date="2017-11-18 02:03" /><updated date="2017-11-20 21:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15951:
1507539:
CVE-2017-15951 kernel: Race condition in the KEYS subsystem
The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the &quot;negative&quot; state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.

CVE-2017-15299:
A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS).
1498016:
CVE-2017-15299 kernel: Incorrect updates of uninstantiated keys crash the kernel

CVE-2017-12193:
1501215:
CVE-2017-12193 kernel: Null pointer dereference due to incorrect node-splitting in assoc_array implementation
A flaw was found in the Linux kernel&#039;s implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation. This affects the keyring key type and thus key addition and link creation operations may cause the kernel to panic.

CVE-2017-12190:
1495089:
CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in &#039;block/bio.c&#039; do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition.

CVE-2017-1000255:
1498067:
CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted signal frame
A flaw was found in the Linux kernel&#039;s handling of signal frame on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299" id="CVE-2017-15299" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190" id="CVE-2017-12190" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12193" id="CVE-2017-12193" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000255" id="CVE-2017-1000255" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15951" id="CVE-2017-15951" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-debuginfo-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-headers-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="kernel-tools-debuginfo" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-tools-debuginfo-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="21.56.amzn1" version="4.9.62"><filename>Packages/perf-debuginfo-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-tools-devel-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-devel-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="21.56.amzn1" version="4.9.62"><filename>Packages/perf-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-tools-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="21.56.amzn1" version="4.9.62"><filename>Packages/perf-debuginfo-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-tools-devel-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-debuginfo-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" 
release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-devel-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="21.56.amzn1" version="4.9.62"><filename>Packages/perf-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-headers-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-debuginfo-common-i686-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-tools-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-tools-debuginfo-4.9.62-21.56.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="21.56.amzn1" version="4.9.62"><filename>Packages/kernel-doc-4.9.62-21.56.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-926</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-926: important priority package update for mysql56 mysql57</title><issued date="2017-12-05 21:50" /><updated date="2017-12-06 21:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10384:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.57 and earlier 5.6.37 and earlier 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503686:
CVE-2017-10384 mysql: Server: DDL unspecified vulnerability (CPU Oct 2017)

CVE-2017-10379:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
1503685:
CVE-2017-10379 mysql: Client programs unspecified vulnerability (CPU Oct 2017)

CVE-2017-10378:
1503684:
CVE-2017-10378 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10314:
1503679:
CVE-2017-10314 mysql: Server: Memcached unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10294:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503671:
CVE-2017-10294 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)

CVE-2017-10286:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503669:
CVE-2017-10286 mysql: Server: InnoDB unspecified vulnerability (CPU Oct 2017)

CVE-2017-10283:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503664:
CVE-2017-10283 mysql: Server: Performance Schema unspecified vulnerability (CPU Oct 2017)

CVE-2017-10279:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503663:
CVE-2017-10279 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)

CVE-2017-10276:
1503659:
CVE-2017-10276 mysql: Server: FTS unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10268:
1503656:
CVE-2017-10268 mysql: Server: Replication unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE-2017-10227:
1503654:
CVE-2017-10227 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10155:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1503649:
CVE-2017-10155 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Oct 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10379" id="CVE-2017-10379" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378" id="CVE-2017-10378" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10283" id="CVE-2017-10283" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10227" id="CVE-2017-10227" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10294" id="CVE-2017-10294" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268" id="CVE-2017-10268" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10155" id="CVE-2017-10155" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10314" id="CVE-2017-10314" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10384" id="CVE-2017-10384" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10276" id="CVE-2017-10276" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10286" id="CVE-2017-10286" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10279" id="CVE-2017-10279" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-bench-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-devel-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-embedded-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-libs-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-embedded-devel-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-errmsg-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-test-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-server-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-common-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.27.amzn1" 
version="5.6.38"><filename>Packages/mysql56-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-debuginfo-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-embedded-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-embedded-devel-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-bench-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-server-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-errmsg-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-libs-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-debuginfo-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-common-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-devel-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.27.amzn1" 
version="5.6.38"><filename>Packages/mysql56-test-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.27.amzn1" version="5.6.38"><filename>Packages/mysql56-5.6.38-1.27.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-common" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-common-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-libs" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-libs-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-server" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-server-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-embedded-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-devel" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-devel-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-debuginfo" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-debuginfo-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded-devel" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-embedded-devel-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-test" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-test-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-errmsg" release="2.5.amzn1" 
version="5.7.20"><filename>Packages/mysql57-errmsg-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-debuginfo" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-debuginfo-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-errmsg" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-errmsg-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-embedded-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-server" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-server-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-devel" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-devel-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-libs" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-libs-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-test" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-test-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded-devel" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-embedded-devel-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-5.7.20-2.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-common" release="2.5.amzn1" version="5.7.20"><filename>Packages/mysql57-common-5.7.20-2.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-927</id><title>Amazon Linux AMI 
2014.03 - ALAS-2017-927: medium priority package update for mysql55</title><issued date="2017-12-05 21:54" /><updated date="2017-12-06 21:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10384:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.57 and earlier 5.6.37 and earlier 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503686:
CVE-2017-10384 mysql: Server: DDL unspecified vulnerability (CPU Oct 2017)

CVE-2017-10379:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
1503685:
CVE-2017-10379 mysql: Client programs unspecified vulnerability (CPU Oct 2017)

CVE-2017-10378:
1503684:
CVE-2017-10378 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10268:
1503656:
CVE-2017-10268 mysql: Server: Replication unspecified vulnerability (CPU Oct 2017)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10379" id="CVE-2017-10379" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378" id="CVE-2017-10378" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10384" id="CVE-2017-10384" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268" id="CVE-2017-10268" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-test" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-test-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-embedded-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-server-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-embedded-devel-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-debuginfo-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-libs-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.19.amzn1" 
version="5.5.58"><filename>Packages/mysql-config-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-devel-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-bench-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql-config-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-embedded-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-server-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-test-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-bench-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-libs-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-debuginfo-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.19.amzn1" 
version="5.5.58"><filename>Packages/mysql55-embedded-devel-5.5.58-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.19.amzn1" version="5.5.58"><filename>Packages/mysql55-devel-5.5.58-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-928</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-928: important priority package update for apr</title><issued date="2017-12-05 21:57" /><updated date="2017-12-06 21:33" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12613:
An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak.
1506523:
CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613" id="CVE-2017-12613" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="apr-devel" release="5.13.amzn1" version="1.5.2"><filename>Packages/apr-devel-1.5.2-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-debuginfo" release="5.13.amzn1" version="1.5.2"><filename>Packages/apr-debuginfo-1.5.2-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr" release="5.13.amzn1" version="1.5.2"><filename>Packages/apr-1.5.2-5.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="apr-devel" release="5.13.amzn1" version="1.5.2"><filename>Packages/apr-devel-1.5.2-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr" 
release="5.13.amzn1" version="1.5.2"><filename>Packages/apr-1.5.2-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-debuginfo" release="5.13.amzn1" version="1.5.2"><filename>Packages/apr-debuginfo-1.5.2-5.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-929</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-929: medium priority package update for apr-util</title><issued date="2017-12-05 21:59" /><updated date="2017-12-06 21:33" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12618:
Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with write access to the database can make a program or process using these functions crash, and cause a denial of service.
1506532:
CVE-2017-12618 apr-util: Out-of-bounds access in corrupted SDBM database
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618" id="CVE-2017-12618" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="apr-util-sqlite" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-sqlite-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-mysql" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-mysql-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-odbc" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-odbc-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-openssl" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-openssl-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-ldap" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-ldap-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-devel" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-devel-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-pgsql" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-pgsql-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-nss" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-nss-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-debuginfo" release="6.18.amzn1" 
version="1.5.4"><filename>Packages/apr-util-debuginfo-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="apr-util-freetds" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-freetds-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-openssl" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-openssl-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-ldap" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-ldap-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-sqlite" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-sqlite-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-pgsql" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-pgsql-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-odbc" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-odbc-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-debuginfo" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-debuginfo-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-devel" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-devel-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-freetds" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-freetds-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-nss" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-nss-1.5.4-6.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="apr-util-mysql" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-mysql-1.5.4-6.18.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="apr-util" release="6.18.amzn1" version="1.5.4"><filename>Packages/apr-util-1.5.4-6.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-930</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-930: medium priority package update for postgresql95 postgresql96</title><issued date="2017-12-05 22:18" /><updated date="2017-12-06 21:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15099:
1508823:
CVE-2017-15099 postgresql: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

CVE-2017-15098:
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
1508820:
CVE-2017-15098 postgresql: Memory disclosure in JSON functions

CVE-2017-12172:
Privilege escalation flaws were found in the initialization scripts of PostgreSQL. A remote attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
1498394:
CVE-2017-12172 postgresql: Start scripts permit database administrator to modify root-owned files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172" id="CVE-2017-12172" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15099" id="CVE-2017-15099" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098" id="CVE-2017-15098" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql95-server" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-server-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-devel" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-devel-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-contrib" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-contrib-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-static" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-static-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython27" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-plpython27-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-libs" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-libs-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-docs" release="1.77.amzn1" 
version="9.5.10"><filename>Packages/postgresql95-docs-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython26" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-plpython26-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plperl" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-plperl-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-debuginfo" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-debuginfo-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-test" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-test-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plperl" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-plperl-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-libs" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-libs-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-debuginfo" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-debuginfo-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-devel" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-devel-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-test" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-test-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-contrib" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-contrib-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql95-docs" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-docs-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython26" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-plpython26-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-static" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-static-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-server" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-server-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython27" release="1.77.amzn1" version="9.5.10"><filename>Packages/postgresql95-plpython27-9.5.10-1.77.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-static" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-static-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-docs" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-docs-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plperl" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-plperl-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-libs" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-libs-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-test" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-test-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql96-debuginfo" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-debuginfo-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-contrib" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-contrib-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-server" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-server-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython26" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-plpython26-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-devel" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-devel-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython27" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-plpython27-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plperl" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-plperl-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython26" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-plpython26-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython27" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-plpython27-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-devel" release="1.79.amzn1" 
version="9.6.6"><filename>Packages/postgresql96-devel-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-contrib" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-contrib-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-static" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-static-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-docs" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-docs-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-libs" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-libs-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-debuginfo" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-debuginfo-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-test" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-test-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-9.6.6-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-server" release="1.79.amzn1" version="9.6.6"><filename>Packages/postgresql96-server-9.6.6-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-931</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-931: medium priority package update for postgresql92 postgresql93 postgresql94</title><issued date="2017-12-05 22:19" /><updated date="2017-12-06 21:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2017-15098:
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
1508820:
CVE-2017-15098 postgresql: Memory disclosure in JSON functions

CVE-2017-12172:
Privilege escalation flaws were found in the initialization scripts of PostgreSQL. A remote attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.
1498394:
CVE-2017-12172 postgresql: Start scripts permit database administrator to modify root-owned files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172" id="CVE-2017-12172" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098" id="CVE-2017-15098" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql92-docs" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-docs-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython27-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-test-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="1.65.amzn1" 
version="9.2.24"><filename>Packages/postgresql92-server-compat-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-pltcl-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-plperl-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-devel-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-server-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-libs-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-contrib-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython26-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-debuginfo-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-plperl-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-debuginfo-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql92-server-compat" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-server-compat-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython27" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython27-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-devel-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-server-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-libs-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-contrib-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-test-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-pltcl-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython26-9.2.24-1.65.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="1.65.amzn1" version="9.2.24"><filename>Packages/postgresql92-docs-9.2.24-1.65.amzn1.i686.rpm</filename></package><package 
arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-contrib-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-plperl-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-devel-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-server" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-server-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-libs-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-plpython26-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-debuginfo-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-plpython27-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-test-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.73.amzn1" 
version="9.4.15"><filename>Packages/postgresql94-docs-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-plpython27-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-debuginfo-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-docs-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-libs-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-devel-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-server-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-plperl-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-test-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.73.amzn1" version="9.4.15"><filename>Packages/postgresql94-plpython26-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.73.amzn1" 
version="9.4.15"><filename>Packages/postgresql94-contrib-9.4.15-1.73.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-server-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-devel-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-test-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-plperl-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-plpython27-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-docs-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-pltcl-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-contrib-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-plpython26-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql93-libs" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-libs-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-debuginfo-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-pltcl-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-test-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-plpython26-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-libs-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-server-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-docs-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-contrib-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-devel-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-debuginfo-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql93-plpython27" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-plpython27-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-9.3.20-1.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.69.amzn1" version="9.3.20"><filename>Packages/postgresql93-plperl-9.3.20-1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-932</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-932: critical priority package update for exim</title><issued date="2017-12-20 18:51" /><updated date="2017-12-21 22:55" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16944:
1517684:
CVE-2017-16944 exim: infinite loop and stack exhaustion in receive_msg function via vectors involving BDAT commands
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a &#039;.&#039; character signifying the end of the content, related to the bdat_getc function.

CVE-2017-16943:
1517680:
CVE-2017-16943 exim: use-after-free in receive_msg function via vectors involving BDAT commands
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16943" id="CVE-2017-16943" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16944" id="CVE-2017-16944" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-debuginfo" release="4.17.amzn1" version="4.89"><filename>Packages/exim-debuginfo-4.89-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="4.17.amzn1" version="4.89"><filename>Packages/exim-4.89-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="4.17.amzn1" version="4.89"><filename>Packages/exim-greylist-4.89-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mysql" release="4.17.amzn1" version="4.89"><filename>Packages/exim-mysql-4.89-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-pgsql" release="4.17.amzn1" version="4.89"><filename>Packages/exim-pgsql-4.89-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="4.17.amzn1" version="4.89"><filename>Packages/exim-mon-4.89-4.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="4.17.amzn1" version="4.89"><filename>Packages/exim-mysql-4.89-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="4.17.amzn1" version="4.89"><filename>Packages/exim-greylist-4.89-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="4.17.amzn1" version="4.89"><filename>Packages/exim-debuginfo-4.89-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="4.17.amzn1"
version="4.89"><filename>Packages/exim-pgsql-4.89-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="4.17.amzn1" version="4.89"><filename>Packages/exim-mon-4.89-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="4.17.amzn1" version="4.89"><filename>Packages/exim-4.89-4.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-933</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-933: important priority package update for samba</title><issued date="2017-12-20 18:53" /><updated date="2017-12-21 22:58" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15275:
1512465:
CVE-2017-15275 samba: Server heap-memory disclosure
A memory disclosure flaw was found in samba. An attacker could retrieve parts of server memory, which could contain potentially sensitive data, by sending specially-crafted requests to the samba server.

CVE-2017-14746:
A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. An unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code.
1511899:
CVE-2017-14746 samba: Use-after-free in processing SMB1 requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746" id="CVE-2017-14746" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275" id="CVE-2017-15275" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libwbclient" release="12.37.amzn1" version="4.6.2"><filename>Packages/libwbclient-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-modules-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-krb5-printing" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-krb5-printing-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-devel-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="12.37.amzn1" version="4.6.2"><filename>Packages/ctdb-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-test-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-client-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-debuginfo-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-libs" release="12.37.amzn1"
version="4.6.2"><filename>Packages/samba-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-common-tools-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-python-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-krb5-locator-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-common-4.6.2-12.37.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-common-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-tests" release="12.37.amzn1" version="4.6.2"><filename>Packages/ctdb-tests-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="12.37.amzn1" version="4.6.2"><filename>Packages/libsmbclient-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient-devel" release="12.37.amzn1" version="4.6.2"><filename>Packages/libwbclient-devel-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="12.37.amzn1" version="4.6.2"><filename>Packages/libsmbclient-devel-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="12.37.amzn1" 
version="4.6.2"><filename>Packages/samba-client-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-test-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-clients-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-pidl-4.6.2-12.37.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="12.37.amzn1" version="4.6.2"><filename>Packages/ctdb-tests-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-devel-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-test-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-client-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-modules-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-debuginfo-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="samba-client-libs" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-client-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="12.37.amzn1" version="4.6.2"><filename>Packages/ctdb-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-tools" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-common-tools-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-common-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="12.37.amzn1" version="4.6.2"><filename>Packages/libsmbclient-devel-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-krb5-printing" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-krb5-printing-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-python-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="12.37.amzn1" version="4.6.2"><filename>Packages/libsmbclient-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-test-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="12.37.amzn1" 
version="4.6.2"><filename>Packages/samba-winbind-krb5-locator-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="12.37.amzn1" version="4.6.2"><filename>Packages/libwbclient-devel-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="12.37.amzn1" version="4.6.2"><filename>Packages/samba-winbind-clients-4.6.2-12.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="12.37.amzn1" version="4.6.2"><filename>Packages/libwbclient-4.6.2-12.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-934</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-934: medium priority package update for qemu-kvm</title><issued date="2017-12-20 18:55" /><updated date="2017-12-21 22:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15289:
1501290:
CVE-2017-15289 Qemu: cirrus: OOB access issue in mode4and5 write functions
Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS).

CVE-2017-14167:
1489375:
CVE-2017-14167 Qemu: i386: multiboot OOB access while loading kernel image
Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot.
A user or process could use this flaw to potentially achieve arbitrary code execution on a host.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167" id="CVE-2017-14167" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289" id="CVE-2017-15289" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="10" name="qemu-kvm-common" release="141.5.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-common-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-tools" release="141.5.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-tools-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-img" release="141.5.amzn1" version="1.5.3"><filename>Packages/qemu-img-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="141.5.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-debuginfo-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm" release="141.5.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-1.5.3-141.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-935</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-935: medium priority package update for sssd</title><issued date="2017-12-20 18:56" /><updated date="2017-12-21 22:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12173:
1498173:
CVE-2017-12173 sssd: unsanitized input when searching in local cache database
It was found that sssd&#039;s sysdb_search_user_by_upn_res() function
did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a given user, an authenticated attacker could use this flaw to retrieve it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12173" id="CVE-2017-12173" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="sssd-krb5" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-krb5-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-proxy" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-proxy-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_simpleifp-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_simpleifp-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-krb5-common" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-krb5-common-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_idmap-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_idmap-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_autofs" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_autofs-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-common-pac" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-common-pac-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_nss_idmap-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_nss_idmap-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-debuginfo"
release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-debuginfo-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libipa_hbac" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-libipa_hbac-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ad" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-ad-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-common" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-common-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-sss-murmur" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-sss-murmur-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-winbind-idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-winbind-idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-sss" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-sss-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-libwbclient" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-libwbclient-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-dbus" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-dbus-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_certmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_certmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_nss_idmap" release="50.34.amzn1" 
version="1.15.2"><filename>Packages/libsss_nss_idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libipa_hbac-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libipa_hbac-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_certmap-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_certmap-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_sudo" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_sudo-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-libwbclient-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-libwbclient-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libsss_nss_idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-libsss_nss_idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libipa_hbac" release="50.34.amzn1" version="1.15.2"><filename>Packages/libipa_hbac-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_simpleifp" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_simpleifp-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ipa" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-ipa-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-client" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-client-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ldap" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-ldap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python27-sssdconfig" release="50.34.amzn1" 
version="1.15.2"><filename>Packages/python27-sssdconfig-1.15.2-50.34.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-tools" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-tools-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="sssd-client" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-client-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ldap" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-ldap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-debuginfo" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-debuginfo-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_autofs" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_autofs-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libipa_hbac" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-libipa_hbac-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-tools" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-tools-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-sss" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-sss-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-dbus" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-dbus-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_nss_idmap-devel" release="50.34.amzn1" 
version="1.15.2"><filename>Packages/libsss_nss_idmap-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_idmap-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_idmap-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ipa" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-ipa-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_simpleifp" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_simpleifp-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libsss_nss_idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-libsss_nss_idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-common" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-common-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-libwbclient" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-libwbclient-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-winbind-idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-winbind-idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_certmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_certmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_nss_idmap" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_nss_idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-krb5" release="50.34.amzn1" 
version="1.15.2"><filename>Packages/sssd-krb5-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_certmap-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_certmap-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-sss-murmur" release="50.34.amzn1" version="1.15.2"><filename>Packages/python27-sss-murmur-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libipa_hbac" release="50.34.amzn1" version="1.15.2"><filename>Packages/libipa_hbac-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libipa_hbac-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libipa_hbac-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ad" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-ad-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-krb5-common" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-krb5-common-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-libwbclient-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-libwbclient-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_sudo" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_sudo-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-common-pac" release="50.34.amzn1" version="1.15.2"><filename>Packages/sssd-common-pac-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-proxy" release="50.34.amzn1" 
version="1.15.2"><filename>Packages/sssd-proxy-1.15.2-50.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_simpleifp-devel" release="50.34.amzn1" version="1.15.2"><filename>Packages/libsss_simpleifp-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-936</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-936: critical priority package update for java-1.7.0-openjdk</title><issued date="2017-12-20 19:02" /><updated date="2017-12-21 23:08" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10388:
1502038:
CVE-2017-10388 OpenJDK: use of unprotected sname in Kerberos client (Libraries, 8178794)
It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients.

CVE-2017-10357:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502614:
CVE-2017-10357 OpenJDK: unbounded memory allocation in ObjectInputStream deserialization (Serialization, 8181597)

CVE-2017-10356:
1503169:
CVE-2017-10356 OpenJDK: weak protection of key stores against brute forcing (Security, 8181692)
It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store.

CVE-2017-10355:
1502869:
CVE-2017-10355 OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)
It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server.

CVE-2017-10350:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502640:
CVE-2017-10350 OpenJDK: unbounded memory allocation in JAXWSExceptionBase deserialization (JAX-WS, 8181100)

CVE-2017-10349:
1502611:
CVE-2017-10349 OpenJDK: unbounded memory allocation in PredicatedNodeTest deserialization (JAXP, 8181327)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2017-10348:
1502629:
CVE-2017-10348 OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2017-10347:
1502632:
CVE-2017-10347 OpenJDK: unbounded memory allocation in SimpleTimeZone deserialization (Serialization, 8181323)
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2017-10346:
1501873:
CVE-2017-10346 OpenJDK: insufficient loader constraints checks for invokespecial (Hotspot, 8180711)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10345:
1502858:
CVE-2017-10345 OpenJDK: unbounded resource use in JceKeyStore deserialization (Serialization, 8181370)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2017-10295:
It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request.
1502687:
CVE-2017-10295 OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751)

CVE-2017-10285:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144.
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1501868:
CVE-2017-10285 OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966)

CVE-2017-10281:
1502649:
CVE-2017-10281 OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets.
It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2017-10274:
1502053:
CVE-2017-10274 OpenJDK: CardImpl incorrect state handling (Smart Card IO, 8169026)
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

CVE-2017-10198:
It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept certificate using one of the disabled algorithms.
1472320:
CVE-2017-10198 OpenJDK: incorrect enforcement of certificate path restrictions (Security, 8179998)

CVE-2017-10193:
1471715:
CVE-2017-10193 OpenJDK: incorrect key size constraint check (Security, 8179101)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
12756 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10198" id="CVE-2017-10198" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10346" id="CVE-2017-10346" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10347" id="CVE-2017-10347" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10357" id="CVE-2017-10357" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356" id="CVE-2017-10356" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355" id="CVE-2017-10355" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345" id="CVE-2017-10345" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10193" id="CVE-2017-10193" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10348" id="CVE-2017-10348" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10349" id="CVE-2017-10349" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10350" id="CVE-2017-10350" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274" id="CVE-2017-10274" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281" id="CVE-2017-10281" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285" id="CVE-2017-10285" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10295" id="CVE-2017-10295" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388" id="CVE-2017-10388" title="" type="cve" 
/></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.161-2.6.12.0.75.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.12.0.75.amzn1" 
version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.12.0.75.amzn1" version="1.7.0.161"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2017-937</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-937: important priority package update for kernel</title><issued date="2017-12-21 00:02" /><updated date="2017-12-21 23:12" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12757 CVE-2017-16994: 12758 The walk_hugetlb_range() function in &#039;mm/pagewalk.c&#039; file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. 12759 1518155: 12760 CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak 12761 12762 CVE-2017-16650: 12763 1516265: 12764 CVE-2017-16650 kernel: Divide-by-zero in drivers/net/usb/qmi_wwan.c 12765 The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. 

CVE-2017-16649:
The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
1516267:
CVE-2017-16649 kernel: Divide-by-zero in drivers/net/usb/cdc_ether.c

CVE-2017-16647:
1516270:
CVE-2017-16647 kernel: NULL pointer dereference in drivers/net/usb/asix_devices.c
drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16646:
1516272:
CVE-2017-16646 kernel: BUG in drivers/media/usb/dvb-usb/dib0700_devices.c
drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16645:
1516235:
CVE-2017-16645 kernel: Out-of-bounds read in drivers/input/misc/ims-pcu.c
The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-16643:
1516232:
CVE-2017-16643 kernel: Out-of-bounds read in drivers/input/tablet/gtco.c
The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.

CVE-2017-15115:
1513345:
CVE-2017-15115 kernel: use-after-free in sctp_cmp_addr_exact
A vulnerability was found in the Linux kernel when peeling off an association to the socket in another network namespace. All transports in this association are not to be rehashed and keep using the old key in hashtable, thus removing transports from hashtable when closing the socket, all transports are being freed. Later on a use-after-free issue could be caused when looking up an association and dereferencing the transports.

CVE-2017-1000407:
Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS.
1520328:
CVE-2017-1000407 Kernel: KVM: DoS via write flood to I/O port 0x80

CVE-2017-1000405:
1516514:
CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle
A flaw was found in the patches used to fix the &#039;dirtycow&#039; vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.
12806 12807 CVE-2017-0861: 12808 12809 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861" id="CVE-2017-0861" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405" id="CVE-2017-1000405" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000407" id="CVE-2017-1000407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16647" id="CVE-2017-16647" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16646" id="CVE-2017-16646" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16645" id="CVE-2017-16645" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16643" id="CVE-2017-16643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16994" id="CVE-2017-16994" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650" id="CVE-2017-16650" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649" id="CVE-2017-16649" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15115" id="CVE-2017-15115" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-tools-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-devel-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="22.55.amzn1" 
version="4.9.70"><filename>Packages/kernel-headers-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="22.55.amzn1" version="4.9.70"><filename>Packages/perf-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-tools-devel-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-tools-debuginfo-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="22.55.amzn1" version="4.9.70"><filename>Packages/perf-debuginfo-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-debuginfo-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="22.55.amzn1" version="4.9.70"><filename>Packages/perf-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-debuginfo-common-i686-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="22.55.amzn1" 
version="4.9.70"><filename>Packages/kernel-debuginfo-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="22.55.amzn1" version="4.9.70"><filename>Packages/perf-debuginfo-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-tools-devel-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-headers-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-tools-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-devel-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-tools-debuginfo-4.9.70-22.55.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="22.55.amzn1" version="4.9.70"><filename>Packages/kernel-doc-4.9.70-22.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-938</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-938: medium priority package update for curl</title><issued date="2018-01-03 08:22" /><updated date="2018-01-03 22:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12810 CVE-2017-8817: 12811 The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly 
have unspecified other impact via a string that ends with an &#039;[&#039; character.
1515760:
CVE-2017-8817 curl: FTP wildcard out of bounds read

CVE-2017-8816:
1515757:
CVE-2017-8816 curl: NTLM buffer overflow via integer overflow
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816" id="CVE-2017-8816" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817" id="CVE-2017-8817" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl" release="13.80.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="13.80.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="13.80.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="13.80.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="13.80.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-13.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="13.80.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-13.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl"
release="13.80.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-13.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="13.80.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-13.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-939</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-939: critical priority package update for kernel</title><issued date="2018-01-03 19:27" /><updated date="2018-01-16 01:10" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5754:
1519781:
CVE-2017-5754 hw: cpu: speculative execution permission faults handling
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.
12824 12825 CVE-2017-5715: 12826 An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. 12827 1519780: 12828 CVE-2017-5715 hw: cpu: speculative execution branch target injection 12829 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754" id="CVE-2017-5754" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" id="CVE-2017-5715" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf" release="3.78.amzn1" version="4.9.76"><filename>Packages/perf-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-tools-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-headers-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="3.78.amzn1" 
version="4.9.76"><filename>Packages/kernel-tools-debuginfo-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-tools-devel-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-devel-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-debuginfo-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="3.78.amzn1" version="4.9.76"><filename>Packages/perf-debuginfo-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="3.78.amzn1" version="4.9.76"><filename>Packages/perf-debuginfo-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="3.78.amzn1" version="4.9.76"><filename>Packages/perf-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-tools-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="3.78.amzn1" 
version="4.9.76"><filename>Packages/kernel-tools-debuginfo-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-devel-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-debuginfo-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-debuginfo-common-i686-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-headers-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-tools-devel-4.9.76-3.78.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="3.78.amzn1" version="4.9.76"><filename>Packages/kernel-doc-4.9.76-3.78.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-940</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-940: medium priority package update for collectd</title><issued date="2018-01-04 19:38" /><updated date="2018-01-05 20:47" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16820:
1516447:
CVE-2017-16820 collectd: double free in csnmp_read_table function in snmp.c
The csnmp_read_table function in snmp.c in the SNMP plugin in collectd before 5.6.3 is susceptible to a double free in a certain error case, which could lead to a crash (or potentially have other impact).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16820" id="CVE-2017-16820" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="collectd-disk" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-disk-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-curl_xml" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-curl_xml-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-mcelog" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-mcelog-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-generic-jmx" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-generic-jmx-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-zookeeper" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-zookeeper-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-mysql" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-mysql-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-lua" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-lua-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-hugepages" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-hugepages-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-apache" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-apache-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-dbi" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/collectd-dbi-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-debuginfo" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-debuginfo-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-rrdtool" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-rrdtool-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-iptables" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-iptables-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-chrony" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-chrony-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-email" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-email-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcollectdclient-devel" release="2.19.amzn1" version="5.8.0"><filename>Packages/libcollectdclient-devel-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-varnish" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-varnish-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-utils" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-utils-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-amqp" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-amqp-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-write_sensu" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-write_sensu-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-python" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/collectd-python-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-gmond" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-gmond-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-snmp_agent" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-snmp_agent-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-lvm" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-lvm-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-openldap" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-openldap-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-drbd" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-drbd-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-dns" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-dns-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-bind" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-bind-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-java" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-java-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-rrdcached" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-rrdcached-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-netlink" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/collectd-netlink-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-ipvs" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-ipvs-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-memcachec" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-memcachec-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-postgresql" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-postgresql-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Collectd" release="2.19.amzn1" version="5.8.0"><filename>Packages/perl-Collectd-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-synproxy" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-synproxy-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-ipmi" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-ipmi-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-notify_email" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-notify_email-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-write_tsdb" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-write_tsdb-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-web" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-web-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-snmp" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-snmp-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcollectdclient" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/libcollectdclient-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-nginx" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-nginx-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-write_http" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-write_http-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="collectd-curl" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-curl-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="collectd-chrony" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-chrony-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-web" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-web-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-generic-jmx" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-generic-jmx-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-postgresql" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-postgresql-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-dns" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-dns-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-write_http" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-write_http-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-drbd" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-drbd-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-varnish" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/collectd-varnish-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-lua" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-lua-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-email" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-email-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-synproxy" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-synproxy-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-ipvs" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-ipvs-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-write_tsdb" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-write_tsdb-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-debuginfo" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-debuginfo-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-utils" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-utils-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-rrdtool" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-rrdtool-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-gmond" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-gmond-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcollectdclient-devel" release="2.19.amzn1" version="5.8.0"><filename>Packages/libcollectdclient-devel-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcollectdclient" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/libcollectdclient-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-ipmi" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-ipmi-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-notify_email" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-notify_email-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-netlink" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-netlink-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-mysql" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-mysql-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-bind" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-bind-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-dbi" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-dbi-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-amqp" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-amqp-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-snmp_agent" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-snmp_agent-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-curl_xml" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-curl_xml-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-disk" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-disk-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-apache" release="2.19.amzn1" 
version="5.8.0"><filename>Packages/collectd-apache-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-iptables" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-iptables-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-hugepages" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-hugepages-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-java" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-java-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-python" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-python-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-snmp" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-snmp-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-openldap" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-openldap-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-write_sensu" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-write_sensu-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-mcelog" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-mcelog-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-lvm" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-lvm-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-curl" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-curl-5.8.0-2.19.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="perl-Collectd" release="2.19.amzn1" version="5.8.0"><filename>Packages/perl-Collectd-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-zookeeper" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-zookeeper-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-rrdcached" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-rrdcached-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-nginx" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-nginx-5.8.0-2.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="collectd-memcachec" release="2.19.amzn1" version="5.8.0"><filename>Packages/collectd-memcachec-5.8.0-2.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-941</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-941: medium priority package update for docker</title><issued date="2018-01-12 21:20" /><updated date="2018-01-15 19:01" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14992:
1510348:
CVE-2017-14992 docker: Lack of content verification
Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14992" id="CVE-2017-14992" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker-debuginfo" release="1.111.amzn1" version="17.09.1ce"><filename>Packages/docker-debuginfo-17.09.1ce-1.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker" release="1.111.amzn1" version="17.09.1ce"><filename>Packages/docker-17.09.1ce-1.111.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-942</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-942: important priority package update for qemu-kvm</title><issued date="2018-01-12 21:24" /><updated date="2018-01-15 19:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" id="CVE-2017-5715" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="10" name="qemu-kvm-tools" release="141.6.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-tools-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-common" release="141.6.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-common-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="141.6.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-debuginfo-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm" release="141.6.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-img" release="141.6.amzn1" version="1.5.3"><filename>Packages/qemu-img-1.5.3-141.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-943</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-943: medium priority package update for python35 python34</title><issued date="2018-01-17 23:18" /><updated date="2018-01-18 00:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000158:
1519595:
CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer 
overflow (and possible arbitrary code execution)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158" id="CVE-2017-1000158" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python35-libs" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-libs-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-test" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-test-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-tools" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-tools-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-debuginfo" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-debuginfo-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-devel" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-devel-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python35-test" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-test-3.5.4-13.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-3.5.4-13.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-libs" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-libs-3.5.4-13.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-tools" release="13.10.amzn1" 
version="3.5.4"><filename>Packages/python35-tools-3.5.4-13.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-debuginfo" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-debuginfo-3.5.4-13.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-devel" release="13.10.amzn1" version="3.5.4"><filename>Packages/python35-devel-3.5.4-13.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-tools-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-debuginfo-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-libs-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-devel-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-test-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-debuginfo-3.4.7-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-devel-3.4.7-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.37.amzn1" 
version="3.4.7"><filename>Packages/python34-tools-3.4.7-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-3.4.7-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-test-3.4.7-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.37.amzn1" version="3.4.7"><filename>Packages/python34-libs-3.4.7-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-944</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-944: important priority package update for kernel</title><issued date="2018-01-18 22:45" /><updated date="2018-01-18 22:57" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 12850 CVE-2017-8824: 12851 1519591: 12852 CVE-2017-8824 kernel: Use-after-free vulnerability in DCCP socket 12853 A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to their escalate privileges. 12854 12855 CVE-2017-17741: 12856 Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes. 
1527112:
CVE-2017-17741 kernel: kvm: stack-based out-of-bounds read via vmcall instruction

CVE-2017-17712:
1526427:
CVE-2017-17712 kernel: Race condition in raw_sendmsg function allows denial-of-service or kernel addresses leak
A flaw was found in the Linux kernel&#039;s implementation of raw_sendmsg allowing a local attacker to panic the kernel or possibly leak kernel addresses. A local attacker, with the privilege of creating raw sockets, can abuse a possible race condition when setting the socket option to allow the kernel to automatically create ip header values and thus potentially escalate their privileges.

CVE-2017-17450:
net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.
1525761:
CVE-2017-17450 kernel: Unchecked capabilities in net/netfilter/xt_osf.c allows for unprivileged modification to systemwide fingerprint list

CVE-2017-17448:
1525768:
CVE-2017-17448 kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure
net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17712" id="CVE-2017-17712" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8824" id="CVE-2017-8824" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17741" id="CVE-2017-17741" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17450" id="CVE-2017-17450" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17448" id="CVE-2017-17448" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf" release="31.58.amzn1" version="4.9.77"><filename>Packages/perf-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-devel-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-tools-debuginfo-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-tools-devel-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-headers-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-tools-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="perf-debuginfo" release="31.58.amzn1" version="4.9.77"><filename>Packages/perf-debuginfo-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-debuginfo-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-tools-debuginfo-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-debuginfo-common-i686-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-devel-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-headers-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-debuginfo-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-tools-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-tools-devel-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="perf-debuginfo" release="31.58.amzn1" version="4.9.77"><filename>Packages/perf-debuginfo-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="31.58.amzn1" version="4.9.77"><filename>Packages/perf-4.9.77-31.58.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="31.58.amzn1" version="4.9.77"><filename>Packages/kernel-doc-4.9.77-31.58.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-945</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-945: medium priority package update for python27</title><issued date="2018-02-07 17:02" /><updated date="2018-02-08 21:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000158:
1519595:
CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158" id="CVE-2017-1000158" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-debuginfo" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-debuginfo-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="2.122.amzn1" 
version="2.7.13"><filename>Packages/python27-test-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-tools-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-libs-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-devel-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-2.7.13-2.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-devel-2.7.13-2.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-test-2.7.13-2.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-libs-2.7.13-2.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-tools-2.7.13-2.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="2.122.amzn1" version="2.7.13"><filename>Packages/python27-debuginfo-2.7.13-2.122.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-946</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-946: medium priority package update for php56 php70 php71</title><issued date="2018-02-07 17:10" /><updated 
date="2018-02-08 21:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5712:
1535251:
CVE-2018-5712 php: reflected XSS in .phar 404 page
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.

CVE-2018-5711:
1535246:
CVE-2018-5711 php: Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712" id="CVE-2018-5712" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711" id="CVE-2018-5711" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-debuginfo-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-gd-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-odbc-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-process-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-imap-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-mbstring-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-mcrypt-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-gmp-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-soap-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.30.amzn1" 
version="7.1.13"><filename>Packages/php71-ldap-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-snmp-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-enchant-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-tidy-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pdo-dblib-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-json-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-embedded-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-devel-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pspell-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-common-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-recode-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php71-xmlrpc" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-xmlrpc-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pgsql-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-cli-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-dbg-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-xml-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-opcache-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-fpm-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-mysqlnd-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-dba-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-intl-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pdo-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.30.amzn1" 
version="7.1.13"><filename>Packages/php71-bcmath-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-soap-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-intl-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-ldap-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pspell-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-opcache-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-gmp-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-snmp-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-odbc-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-embedded-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pgsql-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.30.amzn1" 
version="7.1.13"><filename>Packages/php71-tidy-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-xmlrpc-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-imap-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-process-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-bcmath-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-debuginfo-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-json-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pdo-dblib-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-dba-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-dbg-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-mbstring-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-fpm-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" 
release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-mysqlnd-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-mcrypt-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-cli-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-common-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-recode-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-devel-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-enchant-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-gd-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-pdo-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.30.amzn1" version="7.1.13"><filename>Packages/php71-xml-7.1.13-1.30.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-debuginfo-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-dba-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-mcrypt" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-mcrypt-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-tidy-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-bcmath-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-opcache-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-fpm-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pdo-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-mysqlnd-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-dbg-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-gmp-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-process-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-imap-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php70-snmp" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-snmp-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-cli-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-ldap-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-enchant-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-intl-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-odbc-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-json-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-devel-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-recode-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pspell-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-common-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.27.amzn1" 
version="7.0.27"><filename>Packages/php70-soap-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-xml-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-xmlrpc-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pdo-dblib-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pgsql-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-gd-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-zip-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-embedded-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-mbstring-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-mysqlnd-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-snmp-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pdo-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-bcmath" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-bcmath-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-gmp-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-dbg-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-soap-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-embedded-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pgsql-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-ldap-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-recode-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-devel-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-mbstring-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-odbc-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-opcache-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-enchant" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-enchant-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-common-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-imap-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-mcrypt-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-tidy-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-intl-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-gd-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-xml-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-xmlrpc-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-zip-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-cli-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-fpm-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" 
release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-process-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-dba-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pspell-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-json-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-pdo-dblib-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.27.amzn1" version="7.0.27"><filename>Packages/php70-debuginfo-7.0.27-1.27.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-intl-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-cli-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-pspell-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-gmp-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-soap-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php56-devel" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-devel-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-process-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-enchant-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-xml-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mssql-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-snmp-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-pdo-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-debuginfo-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-xmlrpc-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mcrypt-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-dba-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.136.amzn1" 
version="5.6.33"><filename>Packages/php56-bcmath-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-opcache-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-dbg-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-pgsql-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-common-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-ldap-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-odbc-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-recode-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mbstring-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-fpm-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-imap-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-gd" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-gd-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-embedded-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mysqlnd-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-tidy-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mysqlnd-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-tidy-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-soap-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mssql-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-pspell-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-enchant-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.136.amzn1" 
version="5.6.33"><filename>Packages/php56-xmlrpc-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-odbc-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-process-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-imap-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-recode-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-pgsql-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-gmp-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-cli-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-snmp-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-dbg-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-embedded-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-debuginfo-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" 
release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-intl-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-bcmath-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-xml-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-ldap-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-gd-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-fpm-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-pdo-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-devel-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-common-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-opcache-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-dba-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mbstring-5.6.33-1.136.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php56-mcrypt" release="1.136.amzn1" version="5.6.33"><filename>Packages/php56-mcrypt-5.6.33-1.136.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-947</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-947: low priority package update for tomcat7</title><issued date="2018-02-07 17:13" /><updated date="2018-02-08 21:32" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15706:
1540828:
CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706" id="CVE-2017-15706" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-javadoc-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-el-2.2-api-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-webapps-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-docs-webapp-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-log4j-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-admin-webapps-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-lib-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.31.amzn1" version="7.0.84"><filename>Packages/tomcat7-servlet-3.0-api-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.31.amzn1" 
version="7.0.84"><filename>Packages/tomcat7-jsp-2.2-api-7.0.84-1.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-948</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-948: low priority package update for git</title><issued date="2018-02-07 17:34" /><updated date="2018-02-08 21:32" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15298:
1510455:
CVE-2017-15298 git: Mishandling layers of tree objects
Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298" id="CVE-2017-15298" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="git-daemon" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-daemon-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-bzr-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-cvs-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="2.56.amzn1" version="2.13.6"><filename>Packages/perl-Git-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-p4-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="2.56.amzn1" version="2.13.6"><filename>Packages/emacs-git-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="2.56.amzn1" version="2.13.6"><filename>Packages/emacs-git-el-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-email-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="2.56.amzn1" version="2.13.6"><filename>Packages/gitweb-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="2.56.amzn1" 
version="2.13.6"><filename>Packages/perl-Git-SVN-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-hg-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-debuginfo-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-svn-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-all" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-all-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-daemon-2.13.6-2.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-debuginfo-2.13.6-2.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-svn-2.13.6-2.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="2.56.amzn1" version="2.13.6"><filename>Packages/git-2.13.6-2.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-949</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-949: important priority package update for java-1.8.0-openjdk</title><issued date="2018-02-07 17:45" /><updated date="2018-02-08 21:42" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2678:
1534263:
CVE-2018-2678 OpenJDK: unbounded memory allocation in 
BasicAttributes deserialization (JNDI, 8191142)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2018-2677:
1534288:
CVE-2018-2677 OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2018-2663:
1534296:
CVE-2018-2663 OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
CVE-2018-2641:
1534766:
CVE-2018-2641 OpenJDK: GTK library loading use-after-free (AWT, 8185325)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).

CVE-2018-2637:
1534970:
CVE-2018-2637 OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrictions.
CVE-2018-2634:
1534943:
CVE-2018-2634 OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application.

CVE-2018-2633:
It was discovered that the LDAPCertStore class in the JNDI component of OpenJDK failed to securely handle LDAP referrals. An attacker could possibly use this flaw to make it fetch attacker controlled certificate data.
1535036:
CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)

CVE-2018-2629:
1534625:
CVE-2018-2629 OpenJDK: GSS context use-after-free (JGSS, 8186212)
It was discovered that the JGSS component of OpenJDK failed to properly handle GSS context in the native GSS library wrapper in certain cases. A remote attacker could possibly make a Java application using JGSS to use a previously freed context.

CVE-2018-2618:
1534762:
CVE-2018-2618 OpenJDK: insufficient strength of key agreement (JCE, 8185292)
It was discovered that the key agreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break data encryption by attacking key agreement rather than the encryption using the negotiated secret.

CVE-2018-2603:
1534553:
CVE-2018-2603 OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. 
A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it parsed attacker supplied DER encoded input.

CVE-2018-2602:
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making their Java application load an attacker controlled class file.
1534525:
CVE-2018-2602 OpenJDK: loading of classes from untrusted locations (I18n, 8182601)

CVE-2018-2599:
It was discovered that the DNS client implementation in the JNDI component of OpenJDK did not use random source ports when sending out DNS queries. This could make it easier for a remote attacker to spoof responses to those queries.
1534543:
CVE-2018-2599 OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)

CVE-2018-2588:
1534299:
CVE-2018-2588 OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
It was discovered that the LDAP component of OpenJDK failed to properly encode special characters in user names when adding them to an LDAP search query. A remote attacker could possibly use this flaw to manipulate LDAP queries performed by the LdapLoginModule class.

CVE-2018-2582:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. 
Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
1534768:
CVE-2018-2582 OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962)

CVE-2018-2579:
1534298:
CVE-2018-2579 OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525)
It was discovered that multiple encryption key classes in the Libraries component of OpenJDK did not properly synchronize access to their internal data. This could possibly cause a multi-threaded Java application to apply weak encryption to data because of the use of a key that was zeroed out.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2677" id="CVE-2018-2677" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599" id="CVE-2018-2599" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603" id="CVE-2018-2603" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579" id="CVE-2018-2579" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678" id="CVE-2018-2678" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2634" id="CVE-2018-2634" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2582" id="CVE-2018-2582" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2602" id="CVE-2018-2602" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629" id="CVE-2018-2629" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618" id="CVE-2018-2618" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633" id="CVE-2018-2633" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588" id="CVE-2018-2588" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2641" id="CVE-2018-2641" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637" id="CVE-2018-2637" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663" id="CVE-2018-2663" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b14.36.amzn1" 
version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.161-0.b14.36.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.161-0.b14.36.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.b14.36.amzn1" 
version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="0.b14.36.amzn1" version="1.8.0.161"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-950</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-950: medium priority package update for transmission</title><issued date="2018-02-07 17:54" /><updated date="2018-02-08 21:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5702:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5702" id="CVE-2018-5702" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="transmission" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-2.92-11.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-common" release="11.12.amzn1"
version="2.92"><filename>Packages/transmission-common-2.92-11.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-debuginfo" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-debuginfo-2.92-11.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-cli" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-cli-2.92-11.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="transmission-daemon" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-daemon-2.92-11.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="transmission-cli" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-cli-2.92-11.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-2.92-11.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission-common" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-common-2.92-11.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission-daemon" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-daemon-2.92-11.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="transmission-debuginfo" release="11.12.amzn1" version="2.92"><filename>Packages/transmission-debuginfo-2.92-11.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-951</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-951: important priority package update for curl</title><issued date="2018-02-20 20:57" /><updated date="2018-04-05 17:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2018-1000007:
1537125:
CVE-2018-1000007 curl: HTTP authentication leak in redirects
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client&#039;s request.

CVE-2018-1000005:
1536013:
CVE-2018-1000005 curl: Out-of-bounds read in code handling HTTP/2 trailers
libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn&#039;t updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007" id="CVE-2018-1000007" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005" id="CVE-2018-1000005" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="14.81.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="14.81.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="14.81.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="14.81.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="14.81.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-14.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="14.81.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-14.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="14.81.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-14.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="14.81.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-14.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-954</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-954: important priority package update for bind</title><issued
date="2018-02-20 21:02" /><updated date="2018-02-21 20:42" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3145:
A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting as a DNSSEC validating resolver, exit unexpectedly with an assertion failure via a specially crafted DNS request.
1534812:
CVE-2017-3145 bind: Improper fetch cleanup sequencing in the resolver can cause named to crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145" id="CVE-2017-3145" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.62.rc1.57.amzn1"
version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.62.rc1.57.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-955</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-955: important priority package update for 389-ds-base</title><issued date="2018-02-20 21:09" /><updated date="2018-02-21 20:43" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 
CVE-2017-15134:
1531573:
CVE-2017-15134 389-ds-base: Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c
A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15134" id="CVE-2017-15134" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-libs-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-snmp-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-devel-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-snmp-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-libs-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel"
release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-devel-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="26.52.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-26.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-956</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-956: important priority package update for kernel</title><issued date="2018-02-20 21:20" /><updated date="2018-02-21 20:45" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5750:
The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
1539706:
CVE-2018-5750 kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass

CVE-2018-5344:
1533909:
CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
A flaw was found in the Linux kernel&#039;s handling of loopback devices. An attacker, who has permissions to setup loopback disks, may create a denial of service or other unspecified actions.

CVE-2018-1000028:
1540439:
CVE-2018-1000028 kernel: Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied
Linux kernel version after commit bdcf0a423ea1 - 4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+ contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the &quot;rootsquash&quot; options enabled. This vulnerability appears to have been fixed in after commit 1995266727fa.

CVE-2017-5753:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.
1519778:
CVE-2017-5753 hw: cpu: speculative execution bounds-check bypass

CVE-2017-17741:
Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.
1527112:
CVE-2017-17741 kernel: kvm: stack-based out-of-bounds read via vmcall instruction

CVE-2017-1000405:
1516514:
CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle
A flaw was found in the patches used to fix the &#039;dirtycow&#039; vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5750" id="CVE-2018-5750" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17741" id="CVE-2017-17741" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753" id="CVE-2017-5753" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5344" id="CVE-2018-5344" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000028" id="CVE-2018-1000028" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405" id="CVE-2017-1000405" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-tools-debuginfo-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-devel-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="35.56.amzn1"
version="4.9.81"><filename>Packages/kernel-tools-devel-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="35.56.amzn1" version="4.9.81"><filename>Packages/perf-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-headers-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-debuginfo-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-tools-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="35.56.amzn1" version="4.9.81"><filename>Packages/perf-debuginfo-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-tools-debuginfo-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-devel-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-headers-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-debuginfo-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="35.56.amzn1" 
version="4.9.81"><filename>Packages/kernel-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-tools-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-debuginfo-common-i686-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-tools-devel-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="35.56.amzn1" version="4.9.81"><filename>Packages/perf-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="35.56.amzn1" version="4.9.81"><filename>Packages/perf-debuginfo-4.9.81-35.56.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="35.56.amzn1" version="4.9.81"><filename>Packages/kernel-doc-4.9.81-35.56.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-957</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-957: important priority package update for quagga</title><issued date="2018-02-20 21:26" /><updated date="2018-02-21 20:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5381:
An infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.
1542992:
CVE-2018-5381 quagga: Infinite loop issue triggered by invalid OPEN message allows denial-of-service

CVE-2018-5380:
A vulnerability was found in Quagga, in the log formatting code. Specially crafted messages sent by BGP peers could cause Quagga to read one element past the end of certain static arrays, causing arbitrary binary data to appear in the logs or potentially, a crash.
1542990:
CVE-2018-5380 quagga: bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash

CVE-2018-5379:
1542985:
CVE-2018-5379 quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code
A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5379" id="CVE-2018-5379" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5380" id="CVE-2018-5380" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5381" id="CVE-2018-5381" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="quagga-devel" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-devel-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-debuginfo" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-debuginfo-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga" release="4.17.amzn1"
version="0.99.22.4"><filename>Packages/quagga-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="quagga-contrib" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-contrib-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="quagga-devel" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-devel-0.99.22.4-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-0.99.22.4-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-debuginfo" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-debuginfo-0.99.22.4-4.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="quagga-contrib" release="4.17.amzn1" version="0.99.22.4"><filename>Packages/quagga-contrib-0.99.22.4-4.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-958</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-958: medium priority package update for clamav</title><issued date="2018-02-20 21:35" /><updated date="2018-02-21 20:57" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6420:


CVE-2017-6419:
1483909:
CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c
mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.

CVE-2017-6418:


CVE-2017-12380:


CVE-2017-12379:


CVE-2017-12378:


CVE-2017-12377:


CVE-2017-12376:


CVE-2017-12375:


CVE-2017-12374:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6418" id="CVE-2017-6418" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419" id="CVE-2017-6419" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12380" id="CVE-2017-12380" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12379" id="CVE-2017-12379" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12378" id="CVE-2017-12378" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12377" id="CVE-2017-12377" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12376" id="CVE-2017-12376" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12375" id="CVE-2017-12375" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12374" id="CVE-2017-12374" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6420" id="CVE-2017-6420" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="clamav-milter" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-milter-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-lib" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-lib-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0"
name="clamav-scanner-sysvinit" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-scanner-sysvinit-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-devel-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-data-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-milter-sysvinit" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-milter-sysvinit-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-server" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-server-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-debuginfo" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-debuginfo-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-db-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamd" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamd-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-scanner-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-update-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data-empty" release="1.28.amzn1" 
version="0.99.3"><filename>Packages/clamav-data-empty-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-filesystem-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-server-sysvinit" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-server-sysvinit-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-db-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-milter-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-lib-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-debuginfo-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamd-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-devel" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-devel-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-update" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-update-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-server" release="1.28.amzn1" version="0.99.3"><filename>Packages/clamav-server-0.99.3-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="1.28.amzn1" 
version="0.99.3"><filename>Packages/clamav-0.99.3-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-959</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-959: low priority package update for tomcat8</title><issued date="2018-02-20 21:37" /><updated date="2018-02-21 20:47" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15706:
1540828:
CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706" id="CVE-2017-15706" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-jsp-2.3-api-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-webapps-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-el-3.0-api-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-docs-webapp-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-servlet-3.1-api-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-javadoc-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-lib-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.76.amzn1" version="8.5.28"><filename>Packages/tomcat8-admin-webapps-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.76.amzn1" 
version="8.5.28"><filename>Packages/tomcat8-log4j-8.5.28-1.76.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-964</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-964: medium priority package update for memcached</title><issued date="2018-03-07 21:14" /><updated date="2018-05-10 23:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000115:
It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target.
1551182:
CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000115" id="CVE-2018-1000115" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="memcached-debuginfo" release="10.15.amzn1" version="1.4.15"><filename>Packages/memcached-debuginfo-1.4.15-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="memcached-devel" release="10.15.amzn1" version="1.4.15"><filename>Packages/memcached-devel-1.4.15-10.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="memcached" release="10.15.amzn1" version="1.4.15"><filename>Packages/memcached-1.4.15-10.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="memcached" release="10.15.amzn1" 
version="1.4.15"><filename>Packages/memcached-1.4.15-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="memcached-debuginfo" release="10.15.amzn1" version="1.4.15"><filename>Packages/memcached-debuginfo-1.4.15-10.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="memcached-devel" release="10.15.amzn1" version="1.4.15"><filename>Packages/memcached-devel-1.4.15-10.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-965</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-965: medium priority package update for tomcat-native</title><issued date="2018-03-07 21:16" /><updated date="2018-03-08 22:05" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15698:
1540824:
CVE-2017-15698 tomcat-native: Mishandling of client certificates can allow for OCSP check bypass
When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698" id="CVE-2017-15698" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="tomcat-native" release="1.20.amzn1" version="1.2.16"><filename>Packages/tomcat-native-1.2.16-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="tomcat-native-debuginfo" release="1.20.amzn1" version="1.2.16"><filename>Packages/tomcat-native-debuginfo-1.2.16-1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="tomcat-native" release="1.20.amzn1" version="1.2.16"><filename>Packages/tomcat-native-1.2.16-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="tomcat-native-debuginfo" release="1.20.amzn1" version="1.2.16"><filename>Packages/tomcat-native-debuginfo-1.2.16-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-966</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-966: important priority package update for GraphicsMagick</title><issued date="2018-03-07 21:35" /><updated date="2018-03-08 22:17" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5685:

CVE-2017-17915:

CVE-2017-17913:

CVE-2017-17912:

CVE-2017-17783:

CVE-2017-17782:

CVE-2017-16669:

CVE-2017-16353:
GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read.
The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.
1512047:
CVE-2017-16353 ImageMagick, GraphicsMagick: memory information disclosure in DescribeImage function in magick/describe.c

CVE-2017-13147:

CVE-2017-11643:

CVE-2017-11641:

CVE-2017-11637:

CVE-2017-11636:

CVE-2017-11140:

CVE-2017-11139:

CVE-2017-11102:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11140" id="CVE-2017-11140" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11636" id="CVE-2017-11636" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17912" id="CVE-2017-17912" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17913" id="CVE-2017-17913" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11637" id="CVE-2017-11637" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17915" id="CVE-2017-17915" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11139" id="CVE-2017-11139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5685" id="CVE-2018-5685" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11102" id="CVE-2017-11102" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13147" id="CVE-2017-13147" title="" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16353" id="CVE-2017-16353" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11643" id="CVE-2017-11643" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11641" id="CVE-2017-11641" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17783" id="CVE-2017-17783" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17782" id="CVE-2017-17782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16669" id="CVE-2017-16669" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" 
release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-c++-1.3.28-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-1.3.28-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-devel-1.3.28-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-perl-1.3.28-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="1.12.amzn1" version="1.3.28"><filename>Packages/GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-967</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-967: low priority package update for libvpx</title><issued date="2018-03-07 21:36" /><updated date="2018-03-08 22:18" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-13194:
A vulnerability in the Android media framework (libvpx) related to odd frame width. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-64710201.
1535183:
CVE-2017-13194 libvpx: denial of service (DoS) in vpx/src/vpx_image.c file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13194" id="CVE-2017-13194" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libvpx-debuginfo" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-debuginfo-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libvpx-utils" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-utils-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libvpx-devel" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-devel-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libvpx" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libvpx-devel" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-devel-1.2.0-1.1.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libvpx-debuginfo" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-debuginfo-1.2.0-1.1.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libvpx-utils" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-utils-1.2.0-1.1.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libvpx" release="1.1.amzn1" version="1.2.0"><filename>Packages/libvpx-1.2.0-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-968</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-968: medium priority package update for mod_auth_mellon mod24_auth_mellon</title><issued date="2018-03-07 21:37" /><updated 
date="2018-03-08 22:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6807:
1431670:
CVE-2017-6807 mod_auth_mellon: Cross-site session transfer vulnerability
It was found that mod_auth_mellon was vulnerable to a cross-site session transfer attack. An attacker with access to one web site on a server could use the same session to get access to a different site running on the same server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6807" id="CVE-2017-6807" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod_auth_mellon-debuginfo" release="1.5.amzn1" version="0.13.1"><filename>Packages/mod_auth_mellon-debuginfo-0.13.1-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_auth_mellon" release="1.5.amzn1" version="0.13.1"><filename>Packages/mod_auth_mellon-0.13.1-1.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_auth_mellon" release="1.5.amzn1" version="0.13.1"><filename>Packages/mod_auth_mellon-0.13.1-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_auth_mellon-debuginfo" release="1.5.amzn1" version="0.13.1"><filename>Packages/mod_auth_mellon-debuginfo-0.13.1-1.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_auth_mellon-debuginfo" release="1.7.amzn1" version="0.13.1"><filename>Packages/mod24_auth_mellon-debuginfo-0.13.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_auth_mellon" release="1.7.amzn1" version="0.13.1"><filename>Packages/mod24_auth_mellon-0.13.1-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_auth_mellon-debuginfo" release="1.7.amzn1" 
version="0.13.1"><filename>Packages/mod24_auth_mellon-debuginfo-0.13.1-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_auth_mellon" release="1.7.amzn1" version="0.13.1"><filename>Packages/mod24_auth_mellon-0.13.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-969</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-969: important priority package update for mysql55 mysql56 mysql57</title><issued date="2018-03-07 21:41" /><updated date="2018-03-08 22:26" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2703:
1534139:
CVE-2018-2703 mysql: sha256_password authentication DoS via hash with large rounds value
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2696:
1509475:
CVE-2018-2696 mysql: sha256_password authentication DoS via long password
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2668:
1535506:
CVE-2018-2668 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2667:
1535505:
CVE-2018-2667 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2665:
1535504:
CVE-2018-2665 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2647:
1535503:
CVE-2018-2647 mysql: Server: Replication unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-2646:
1535502:
CVE-2018-2646 mysql: Server: DML unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2018-2645:
1535501:
CVE-2018-2645 mysql: Server: Performance Schema unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

CVE-2018-2640:
1535500:
CVE-2018-2640 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2622:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1535499:
CVE-2018-2622 mysql: Server: DDL unspecified vulnerability (CPU Jan 2018)

CVE-2018-2612:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
1535497:
CVE-2018-2612 mysql: InnoDB unspecified vulnerability (CPU Jan 2018)

CVE-2018-2600:
1535496:
CVE-2018-2600 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2590:
1535492:
CVE-2018-2590 mysql: Server: Performance Schema unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema).
Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2586:
1535491:
CVE-2018-2586 mysql: Server: DML unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2583:
1535490:
CVE-2018-2583 mysql: Stored Procedure unspecified vulnerability (CPU Jan 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Stored Procedure). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
13224 13225 CVE-2018-2576: 13226 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 13227 1535488: 13228 CVE-2018-2576 mysql: Server: DML unspecified vulnerability (CPU Jan 2018) 13229 13230 CVE-2018-2573: 13231 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: GIS). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 13232 1535487: 13233 CVE-2018-2573 mysql: Server: GIS unspecified vulnerability (CPU Jan 2018) 13234 13235 CVE-2018-2565: 13236 1535486: 13237 CVE-2018-2565 mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2018) 13238 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). 
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 13239 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2565" id="CVE-2018-2565" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2667" id="CVE-2018-2667" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2590" id="CVE-2018-2590" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2600" id="CVE-2018-2600" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2583" id="CVE-2018-2583" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2586" id="CVE-2018-2586" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2622" id="CVE-2018-2622" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2645" id="CVE-2018-2645" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2646" id="CVE-2018-2646" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2647" id="CVE-2018-2647" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2640" id="CVE-2018-2640" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2703" id="CVE-2018-2703" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2573" id="CVE-2018-2573" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2665" id="CVE-2018-2665" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2576" id="CVE-2018-2576" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2696" id="CVE-2018-2696" title="" type="cve" 
/><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2668" id="CVE-2018-2668" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2612" id="CVE-2018-2612" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-server" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-server-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-devel-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-debuginfo-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-embedded-devel-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-test-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-libs-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-bench-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-embedded-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.20.amzn1" 
version="5.5.59"><filename>Packages/mysql-config-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-libs-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-embedded-devel-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-server-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-test-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-embedded-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-bench-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql-config-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-debuginfo-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.20.amzn1" version="5.5.59"><filename>Packages/mysql55-devel-5.5.59-1.20.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded-devel" release="2.6.amzn1" 
version="5.7.21"><filename>Packages/mysql57-embedded-devel-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-debuginfo" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-debuginfo-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-common" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-common-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-server" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-server-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-test" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-test-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-embedded-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-devel" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-devel-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-libs" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-libs-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-errmsg" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-errmsg-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-devel" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-devel-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-test" release="2.6.amzn1" 
version="5.7.21"><filename>Packages/mysql57-test-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-server" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-server-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-errmsg" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-errmsg-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-libs" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-libs-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-common" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-common-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-debuginfo" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-debuginfo-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded-devel" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-embedded-devel-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded" release="2.6.amzn1" version="5.7.21"><filename>Packages/mysql57-embedded-5.7.21-2.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-server-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-bench-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.28.amzn1" 
version="5.6.39"><filename>Packages/mysql56-debuginfo-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-test-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-libs-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-devel-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-embedded-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-embedded-devel-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-errmsg-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-common-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-embedded-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-server-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.28.amzn1" 
version="5.6.39"><filename>Packages/mysql56-common-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-devel-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-errmsg-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-libs-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-debuginfo-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-embedded-devel-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-bench-5.6.39-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.28.amzn1" version="5.6.39"><filename>Packages/mysql56-test-5.6.39-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-970</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-970: critical priority package update for exim</title><issued date="2018-03-07 21:43" /><updated date="2018-03-08 22:27" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6789:
1543268:
CVE-2018-6789 exim: buffer overflow in b64decode() function, possibly leading to remote code execution
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6789" id="CVE-2018-6789" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-mysql" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-mysql-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-debuginfo" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-debuginfo-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-mon-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-greylist-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-pgsql" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-pgsql-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-mon-4.90.1-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-greylist-4.90.1-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-4.90.1-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-mysql-4.90.1-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-pgsql-4.90.1-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="2.14.amzn1" version="4.90.1"><filename>Packages/exim-debuginfo-4.90.1-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-971</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-971: important priority package update for kernel</title><issued date="2018-03-16 16:17" /><updated date="2018-03-16 22:54" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1068:
A flaw was found in the Linux kernel&#039;s implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
1552048:
CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1068" id="CVE-2018-1068" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-tools-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-tools-debuginfo-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-tools-devel-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-headers-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-debuginfo-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="38.58.amzn1" version="4.9.85"><filename>Packages/perf-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="38.58.amzn1" version="4.9.85"><filename>Packages/perf-debuginfo-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package
arch="x86_64" epoch="0" name="kernel-devel" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-devel-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-tools-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-headers-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-tools-devel-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-debuginfo-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-devel-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="38.58.amzn1" version="4.9.85"><filename>Packages/perf-debuginfo-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-debuginfo-common-i686-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="38.58.amzn1" version="4.9.85"><filename>Packages/perf-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="38.58.amzn1" version="4.9.85"><filename>Packages/kernel-tools-debuginfo-4.9.85-38.58.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="38.58.amzn1" 
version="4.9.85"><filename>Packages/kernel-doc-4.9.85-38.58.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-972</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-972: medium priority package update for tomcat7 tomcat8</title><issued date="2018-03-21 22:06" /><updated date="2018-03-23 17:21" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1305:
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
1548282:
CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users

CVE-2018-1304:
1548289:
CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
The URL pattern of &quot;&quot; (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304" id="CVE-2018-1304" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305" id="CVE-2018-1305" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-log4j-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-admin-webapps-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-javadoc-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-webapps-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-jsp-2.2-api-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-el-2.2-api-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-lib-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-servlet-3.0-api-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch"
epoch="0" name="tomcat7-docs-webapp" release="1.32.amzn1" version="7.0.85"><filename>Packages/tomcat7-docs-webapp-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-docs-webapp-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-admin-webapps-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-el-3.0-api-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-javadoc-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-webapps-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-servlet-3.1-api-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-lib-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.77.amzn1" version="8.5.29"><filename>Packages/tomcat8-log4j-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.77.amzn1" 
version="8.5.29"><filename>Packages/tomcat8-jsp-2.3-api-8.5.29-1.77.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-973</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-973: medium priority package update for tomcat80</title><issued date="2018-03-21 22:08" /><updated date="2018-03-23 17:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 13260 CVE-2018-1305: 13261 Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. 13262 1548282: 13263 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users 13264 13265 CVE-2018-1304: 13266 1548289: 13267 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources 13268 The URL pattern of &quot;&quot; (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. 
13269 13270 CVE-2017-15706: 13271 1540828: 13272 CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration 13273 As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. 13274 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706" id="CVE-2017-15706" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304" id="CVE-2018-1304" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305" id="CVE-2018-1305" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat80-servlet-3.1-api" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-servlet-3.1-api-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-lib" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-lib-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-jsp-2.3-api" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-jsp-2.3-api-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-el-3.0-api" 
release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-el-3.0-api-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-webapps" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-webapps-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-docs-webapp" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-docs-webapp-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-javadoc" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-javadoc-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-log4j" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-log4j-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-admin-webapps" release="1.79.amzn1" version="8.0.50"><filename>Packages/tomcat80-admin-webapps-8.0.50-1.79.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-974</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-974: important priority package update for java-1.7.0-openjdk</title><issued date="2018-03-21 22:12" /><updated date="2018-03-23 17:34" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2678:
1534263:
CVE-2018-2678 OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16.
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2018-2677:
1534288:
CVE-2018-2677 OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2018-2663:
1534296:
CVE-2018-2663 OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

CVE-2018-2641:
1534766:
CVE-2018-2641 OpenJDK: GTK library loading use-after-free (AWT, 8185325)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).

CVE-2018-2637:
1534970:
CVE-2018-2637 OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrictions.

CVE-2018-2634:
1534943:
CVE-2018-2634 OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application.

CVE-2018-2633:
It was discovered that the LDAPCertStore class in the JNDI component of OpenJDK failed to securely handle LDAP referrals. An attacker could possibly use this flaw to make it fetch attacker controlled certificate data.
1535036:
CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)

CVE-2018-2629:
1534625:
CVE-2018-2629 OpenJDK: GSS context use-after-free (JGSS, 8186212)
It was discovered that the JGSS component of OpenJDK failed to properly handle GSS context in the native GSS library wrapper in certain cases. A remote attacker could possibly make a Java application using JGSS to use a previously freed context.

CVE-2018-2618:
1534762:
CVE-2018-2618 OpenJDK: insufficient strength of key agreement (JCE, 8185292)
It was discovered that the key agreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break data encryption by attacking key agreement rather than the encryption using the negotiated secret.

CVE-2018-2603:
1534553:
CVE-2018-2603 OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it parsed attacker supplied DER encoded input.

CVE-2018-2602:
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making their Java application load an attacker controlled class file.
1534525:
CVE-2018-2602 OpenJDK: loading of classes from untrusted locations (I18n, 8182601)

CVE-2018-2599:
It was discovered that the DNS client implementation in the JNDI component of OpenJDK did not use random source ports when sending out DNS queries. This could make it easier for a remote attacker to spoof responses to those queries.
1534543:
CVE-2018-2599 OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)

CVE-2018-2588:
1534299:
CVE-2018-2588 OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
It was discovered that the LDAP component of OpenJDK failed to properly encode special characters in user names when adding them to an LDAP search query. A remote attacker could possibly use this flaw to manipulate LDAP queries performed by the LdapLoginModule class.

CVE-2018-2579:
1534298:
CVE-2018-2579 OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525)
It was discovered that multiple encryption key classes in the Libraries component of OpenJDK did not properly synchronize access to their internal data. This could possibly cause a multi-threaded Java application to apply weak encryption to data because of the use of a key that was zeroed out.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2677" id="CVE-2018-2677" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599" id="CVE-2018-2599" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603" id="CVE-2018-2603" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579" id="CVE-2018-2579" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678" id="CVE-2018-2678" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2634" id="CVE-2018-2634" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2602" id="CVE-2018-2602" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629" id="CVE-2018-2629" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618" id="CVE-2018-2618" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633" id="CVE-2018-2633" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588" id="CVE-2018-2588" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2641" id="CVE-2018-2641" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637" id="CVE-2018-2637" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663" id="CVE-2018-2663" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.13.0.76.amzn1"
version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.171-2.6.13.0.76.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.13.0.76.amzn1" 
version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.13.0.76.amzn1" version="1.7.0.171"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-975</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-975: medium priority package update for golang</title><issued date="2018-03-21 22:13" /><updated date="2018-04-19 22:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7187:
1546386:
CVE-2018-7187 golang: arbitrary command execution via VCS path
The &quot;go get&quot; implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for &quot;://&quot; anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

CVE-2018-6574:
1543561:
CVE-2018-6574 golang: arbitrary code execution during "go get" via C compiler options
An arbitrary command execution flaw was found in the way Go&#039;s &quot;go get&quot; command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6574" id="CVE-2018-6574" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187" id="CVE-2018-7187" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-tests" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-tests-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-race" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-race-1.9.4-2.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-1.9.4-2.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-bin" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-bin-1.9.4-2.44.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-docs-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-src-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-misc-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-bin-1.9.4-2.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="2.44.amzn1" version="1.9.4"><filename>Packages/golang-1.9.4-2.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security"
version="1.4"><id>ALAS-2018-976</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-976: medium priority package update for clamav</title><issued date="2018-03-21 22:24" /><updated date="2018-03-23 17:39" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000085:


CVE-2018-0202:


CVE-2017-6419:
1483909:
CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c
mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.

CVE-2017-11423:
1472776:
CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function
The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file.

CVE-2012-6706:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11423" id="CVE-2017-11423" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419" id="CVE-2017-6419" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0202" id="CVE-2018-0202" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706" id="CVE-2012-6706" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000085" id="CVE-2018-1000085" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="clamav-milter-sysvinit" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-milter-sysvinit-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-devel-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-update-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-server-sysvinit" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-server-sysvinit-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-server" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-server-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-filesystem-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data-empty" release="1.29.amzn1"
version="0.99.4"><filename>Packages/clamav-data-empty-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-debuginfo" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-debuginfo-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner-sysvinit" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-scanner-sysvinit-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-scanner" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-scanner-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-db-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-data-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamd" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamd-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-milter" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-milter-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-lib" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-lib-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamd-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="clamav-update" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-update-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-db-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-milter-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-debuginfo-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-lib-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-server" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-server-0.99.4-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-devel" release="1.29.amzn1" version="0.99.4"><filename>Packages/clamav-devel-0.99.4-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-977</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-977: medium priority package update for python-crypto</title><issued date="2018-03-21 22:26" /><updated date="2018-03-23 17:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6594:
lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack).
The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto&#039;s ElGamal implementation.
1542313:
CVE-2018-6594 python-crypto: Weak ElGamal key parameters in PublicKey/ElGamal.py allow attackers to obtain sensitive information by reading ciphertext
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6594" id="CVE-2018-6594" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python26-crypto" release="1.15.amzn1" version="2.6.1"><filename>Packages/python26-crypto-2.6.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-crypto" release="1.15.amzn1" version="2.6.1"><filename>Packages/python27-crypto-2.6.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python-crypto-debuginfo" release="1.15.amzn1" version="2.6.1"><filename>Packages/python-crypto-debuginfo-2.6.1-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python-crypto-debuginfo" release="1.15.amzn1" version="2.6.1"><filename>Packages/python-crypto-debuginfo-2.6.1-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-crypto" release="1.15.amzn1" version="2.6.1"><filename>Packages/python27-crypto-2.6.1-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python26-crypto" release="1.15.amzn1" version="2.6.1"><filename>Packages/python26-crypto-2.6.1-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-978</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-978: medium priority package update for ruby24 ruby22 ruby23</title><issued date="2018-03-21 22:27" /><updated date="2018-03-23 17:41" /><severity>medium</severity><description>Package
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-0903:
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
1500488:
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903" id="CVE-2017-0903" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ruby22-doc" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-doc-2.2.9-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-debuginfo" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-debuginfo-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-psych" release="1.10.amzn1" version="2.0.8.1"><filename>Packages/rubygem22-psych-2.0.8.1-1.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-irb" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-irb-2.2.9-1.10.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-devel" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-devel-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-io-console" release="1.10.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-bigdecimal" release="1.10.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="ruby22-libs" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-libs-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22-devel" release="1.10.amzn1" version="2.4.5.2"><filename>Packages/rubygems22-devel-2.4.5.2-1.10.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22" release="1.10.amzn1" version="2.4.5.2"><filename>Packages/rubygems22-2.4.5.2-1.10.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-bigdecimal" release="1.10.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-io-console" release="1.10.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-debuginfo" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-debuginfo-2.2.9-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-libs" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-libs-2.2.9-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-devel" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-devel-2.2.9-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-psych" release="1.10.amzn1" version="2.0.8.1"><filename>Packages/rubygem22-psych-2.0.8.1-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22" release="1.10.amzn1" version="2.2.9"><filename>Packages/ruby22-2.2.9-1.10.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-doc" release="1.30.5.amzn1" 
version="2.4.3"><filename>Packages/ruby24-doc-2.4.3-1.30.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24-devel" release="1.30.5.amzn1" version="2.6.14"><filename>Packages/rubygems24-devel-2.6.14-1.30.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-psych" release="1.30.5.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-libs" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-libs-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-irb" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-irb-2.4.3-1.30.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24" release="1.30.5.amzn1" version="2.6.14"><filename>Packages/rubygems24-2.6.14-1.30.5.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem24-did_you_mean" release="1.30.5.amzn1" version="1.1.0"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.5.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-debuginfo" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-debuginfo-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-bigdecimal" release="1.30.5.amzn1" version="1.3.0"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-json" release="1.30.5.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-devel" release="1.30.5.amzn1" 
version="2.4.3"><filename>Packages/ruby24-devel-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-io-console" release="1.30.5.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-xmlrpc" release="1.30.5.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-libs" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-libs-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-xmlrpc" release="1.30.5.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-psych" release="1.30.5.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-devel" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-devel-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-debuginfo" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-debuginfo-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-bigdecimal" release="1.30.5.amzn1" version="1.3.0"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24" release="1.30.5.amzn1" version="2.4.3"><filename>Packages/ruby24-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-io-console" release="1.30.5.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-json" release="1.30.5.amzn1" 
version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.5.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-bigdecimal" release="1.18.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-libs" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-libs-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-irb" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-irb-2.3.6-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23" release="1.18.amzn1" version="2.5.2.2"><filename>Packages/rubygems23-2.5.2.2-1.18.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-doc" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-doc-2.3.6-1.18.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-psych" release="1.18.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-io-console" release="1.18.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.18.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem23-did_you_mean" release="1.18.amzn1" version="1.0.0"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.18.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-json" release="1.18.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.18.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23-devel" release="1.18.amzn1" 
version="2.5.2.2"><filename>Packages/rubygems23-devel-2.5.2.2-1.18.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-debuginfo" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-debuginfo-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-devel" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-devel-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-json" release="1.18.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-psych" release="1.18.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-debuginfo" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-debuginfo-2.3.6-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-bigdecimal" release="1.18.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-libs" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-libs-2.3.6-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-io-console" release="1.18.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-devel" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-devel-2.3.6-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23" release="1.18.amzn1" version="2.3.6"><filename>Packages/ruby23-2.3.6-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2018-980</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-980: important priority package update for 389-ds-base</title><issued date="2018-04-05 15:55" /><updated date="2018-04-05 23:07" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1054:
An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
1537314:
CVE-2018-1054 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c

CVE-2017-15135:
It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
1525628:
CVE-2017-15135 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15135" id="CVE-2017-15135" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1054" id="CVE-2018-1054" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-devel-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-snmp-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-libs-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-snmp-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="389-ds-base-libs" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-libs-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="28.54.amzn1" version="1.3.6.1"><filename>Packages/389-ds-base-devel-1.3.6.1-28.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-981</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-981: critical priority package update for libvorbis</title><issued date="2018-04-05 15:57" /><updated date="2018-04-05 23:07" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5146:
1557221:
CVE-2018-5146 Mozilla: Vorbis audio processing out of bounds write (MFSA 2018-08)
An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146" id="CVE-2018-5146" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="libvorbis-devel-docs" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-devel-docs-1.3.3-8.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="libvorbis-devel" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-devel-1.3.3-8.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="libvorbis" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-1.3.3-8.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="libvorbis-debuginfo" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-debuginfo-1.3.3-8.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="libvorbis-devel" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-devel-1.3.3-8.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="libvorbis" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-1.3.3-8.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="libvorbis-debuginfo" release="8.7.amzn1" version="1.3.3"><filename>Packages/libvorbis-debuginfo-1.3.3-8.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-982</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-982: important priority package update for php71</title><issued date="2018-03-27 21:37" /><updated date="2018-03-28 22:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7584:
1551039:
CVE-2018-7584 php: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584" id="CVE-2018-7584" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php71-common" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-common-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-gmp-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-gd-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-debuginfo-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-intl-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-json-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-tidy-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.31.amzn1" 
version="7.1.15"><filename>Packages/php71-snmp-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-dba-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-mysqlnd-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-ldap-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pgsql-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-enchant-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-xmlrpc-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-mbstring-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-odbc-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-process-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-dbg-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-soap-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php71" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-embedded-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pspell-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pdo-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-opcache-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-fpm-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-xml-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-devel-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-recode-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-bcmath-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-imap-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.31.amzn1" 
version="7.1.15"><filename>Packages/php71-mcrypt-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-cli-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pdo-dblib-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-common-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-tidy-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-opcache-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-ldap-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pdo-dblib-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pspell-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-recode-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pdo-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" 
release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-bcmath-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-mysqlnd-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-gmp-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-snmp-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-cli-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-embedded-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-xml-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-debuginfo-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-pgsql-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-process-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-enchant-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-gd-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" 
release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-mcrypt-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-dbg-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-odbc-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-devel-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-fpm-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-mbstring-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-intl-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-soap-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-imap-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-json-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-dba-7.1.15-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.31.amzn1" version="7.1.15"><filename>Packages/php71-xmlrpc-7.1.15-1.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-983</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-983: medium priority package update for ruby20 ruby22 ruby23 ruby24</title><issued date="2018-04-04 23:18" /><updated date="2018-05-10 23:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8780:
1561949:
CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.

CVE-2018-8779:
It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle the NULL byte properly. An attacker, able to inject NULL bytes in the socket path, could possibly trigger an unspecified behavior of the ruby script.
1561948:
CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket

CVE-2018-8778:
A integer underflow was found in the way String#unpack decodes the unpacking format. An attacker, able to control the unpack format, could use this flaw to disclose arbitrary parts of the application&#039;s memory.
1561953:
CVE-2018-8778 ruby: Buffer under-read in String#unpack

CVE-2018-8777:
1561950:
CVE-2018-8777 ruby: DoS by large request in WEBrick
It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a Denial of Service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.

CVE-2018-6914:
It was found that the tmpdir and tempfile modules did not sanitize their file name argument. An attacker with control over the name could create temporary files and directories outside of the dedicated directory.
1561947:
CVE-2018-6914 ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir

CVE-2018-1000079:
1547426:
CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.

CVE-2018-1000078:
1547425:
CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.

CVE-2018-1000077:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
1547422:
CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL

CVE-2018-1000076:
1547421:
CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6.

CVE-2018-1000075:
1547420:
CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.

CVE-2018-1000074:
1547419:
CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.

CVE-2018-1000073:
1547418:
CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

CVE-2017-17790:
The &quot;lazy_initialize&quot; function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.
1528218:
CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution

CVE-2017-17742:
It was found that WEBrick did not sanitize headers sent back to clients, resulting in a response-splitting vulnerability. An attacker, able to control the server&#039;s headers, could force WEBrick into injecting additional headers to a client.
1561952:
CVE-2017-17742 ruby: HTTP response splitting in WEBrick
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914" id="CVE-2018-6914" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777" id="CVE-2018-8777" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742" id="CVE-2017-17742" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778" id="CVE-2018-8778" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779" id="CVE-2018-8779" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073" id="CVE-2018-1000073" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790" id="CVE-2017-17790" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780" id="CVE-2018-8780" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077" id="CVE-2018-1000077" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076" id="CVE-2018-1000076" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075" id="CVE-2018-1000075" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074" id="CVE-2018-1000074" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079" id="CVE-2018-1000079" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078" id="CVE-2018-1000078" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ruby23-libs" release="1.19.amzn1" 
version="2.3.7"><filename>Packages/ruby23-libs-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23-devel" release="1.19.amzn1" version="2.5.2.3"><filename>Packages/rubygems23-devel-2.5.2.3-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-psych" release="1.19.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-debuginfo" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-debuginfo-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem23-did_you_mean" release="1.19.amzn1" version="1.0.0"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.19.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-doc" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-doc-2.3.7-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-io-console" release="1.19.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-json" release="1.19.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-bigdecimal" release="1.19.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-irb" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-irb-2.3.7-1.19.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-devel" release="1.19.amzn1" 
version="2.3.7"><filename>Packages/ruby23-devel-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23" release="1.19.amzn1" version="2.5.2.3"><filename>Packages/rubygems23-2.5.2.3-1.19.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby23" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-2.3.7-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-psych" release="1.19.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-io-console" release="1.19.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-devel" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-devel-2.3.7-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-bigdecimal" release="1.19.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-json" release="1.19.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-libs" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-libs-2.3.7-1.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-debuginfo" release="1.19.amzn1" version="2.3.7"><filename>Packages/ruby23-debuginfo-2.3.7-1.19.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24-devel" release="1.30.6.amzn1" version="2.6.14.1"><filename>Packages/rubygems24-devel-2.6.14.1-1.30.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-irb" release="1.30.6.amzn1" 
version="2.4.4"><filename>Packages/ruby24-irb-2.4.4-1.30.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-bigdecimal" release="1.30.6.amzn1" version="1.3.2"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-doc" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-doc-2.4.4-1.30.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-io-console" release="1.30.6.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24" release="1.30.6.amzn1" version="2.6.14.1"><filename>Packages/rubygems24-2.6.14.1-1.30.6.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-xmlrpc" release="1.30.6.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-devel" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-devel-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-psych" release="1.30.6.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-json" release="1.30.6.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-libs" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-libs-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-debuginfo" release="1.30.6.amzn1" 
version="2.4.4"><filename>Packages/ruby24-debuginfo-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem24-did_you_mean" release="1.30.6.amzn1" version="1.1.0"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.6.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-json" release="1.30.6.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-libs" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-libs-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-devel" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-devel-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-bigdecimal" release="1.30.6.amzn1" version="1.3.2"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-io-console" release="1.30.6.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-xmlrpc" release="1.30.6.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-psych" release="1.30.6.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-debuginfo" release="1.30.6.amzn1" version="2.4.4"><filename>Packages/ruby24-debuginfo-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-debuginfo" release="1.11.amzn1" 
version="2.2.10"><filename>Packages/ruby22-debuginfo-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22" release="1.11.amzn1" version="2.4.5.2"><filename>Packages/rubygems22-2.4.5.2-1.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-irb" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-irb-2.2.10-1.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-psych" release="1.11.amzn1" version="2.0.8.1"><filename>Packages/rubygem22-psych-2.0.8.1-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-devel" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-devel-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22-libs" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-libs-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-bigdecimal" release="1.11.amzn1" version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem22-io-console" release="1.11.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems22-devel" release="1.11.amzn1" version="2.4.5.2"><filename>Packages/rubygems22-devel-2.4.5.2-1.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby22" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby22-doc" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-doc-2.2.10-1.11.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-bigdecimal" release="1.11.amzn1" 
version="1.2.6"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-libs" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-libs-2.2.10-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-debuginfo" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-debuginfo-2.2.10-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-io-console" release="1.11.amzn1" version="0.4.3"><filename>Packages/rubygem22-io-console-0.4.3-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22-devel" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-devel-2.2.10-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby22" release="1.11.amzn1" version="2.2.10"><filename>Packages/ruby22-2.2.10-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem22-psych" release="1.11.amzn1" version="2.0.8.1"><filename>Packages/rubygem22-psych-2.0.8.1-1.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.31.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.31.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20" release="1.31.amzn1" version="2.0.14.1"><filename>Packages/rubygems20-2.0.14.1-1.31.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-libs-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-irb" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-irb-2.0.0.648-1.31.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.31.amzn1" 
version="2.0.0.648"><filename>Packages/ruby20-doc-2.0.0.648-1.31.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-devel-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" release="1.31.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.31.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.31.amzn1" version="2.0.14.1"><filename>Packages/rubygems20-devel-2.0.14.1-1.31.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.31.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.31.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.31.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.31.amzn1" 
version="2.0.0.648"><filename>Packages/ruby20-libs-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.31.amzn1" version="2.0.0.648"><filename>Packages/ruby20-devel-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.31.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-984</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-984: important priority package update for dhcp</title><issued date="2018-04-05 15:52" /><updated date="2018-04-05 23:12" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 13474 CVE-2018-5733: 13475 A denial of service flaw was found in the way dhcpd handled reference counting when processing client requests. A malicious DHCP client could use this flaw to trigger a reference count overflow on the server side, potentially causing dhcpd to crash, by sending large amounts of traffic. 13476 1549961: 13477 CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service 13478 13479 CVE-2018-5732: 13480 1549960: 13481 CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server 13482 An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client machines via a crafted DHCP response packet. 
13483 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733" id="CVE-2018-5733" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732" id="CVE-2018-5732" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="12" name="dhcp-debuginfo" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-devel" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhclient" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-common" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="12" name="dhcp" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-debuginfo" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-common" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhclient" release="53.P1.27.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-devel" release="53.P1.27.amzn1" 
version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-985</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-985: medium priority package update for mailman</title><issued date="2018-04-05 16:46" /><updated date="2018-04-05 23:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 13484 CVE-2018-5950: 13485 A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user&#039;s side and force the victim to perform unintended actions. 13486 1537941: 13487 CVE-2018-5950 mailman: Cross-site scripting (XSS) vulnerability in web UI 13488 13489 CVE-2016-6893: 13490 1370155: 13491 CVE-2016-6893 mailman: CSRF protection missing in the user options page 13492 Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim&#039;s account. 
13493 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950" id="CVE-2018-5950" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6893" id="CVE-2016-6893" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="4" name="mailman" release="26.21.amzn1" version="2.1.15"><filename>Packages/mailman-2.1.15-26.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="mailman-debuginfo" release="26.21.amzn1" version="2.1.15"><filename>Packages/mailman-debuginfo-2.1.15-26.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="4" name="mailman" release="26.21.amzn1" version="2.1.15"><filename>Packages/mailman-2.1.15-26.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="mailman-debuginfo" release="26.21.amzn1" version="2.1.15"><filename>Packages/mailman-debuginfo-2.1.15-26.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-987</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-987: medium priority package update for mod24_wsgi</title><issued date="2018-04-26 16:33" /><updated date="2018-04-26 21:47" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 13494 CVE-2014-8583: 13495 1111034: 13496 CVE-2014-8583 mod_wsgi: failure to handle errors when attempting to drop group privileges 13497 mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors. 
13498 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583" id="CVE-2014-8583" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_wsgi-python35" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python35-3.5-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi-python36" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python36-3.5-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi-debuginfo" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi-python26" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python26-3.5-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi-python27" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python27-3.5-1.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_wsgi-python34" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python34-3.5-1.25.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-python35" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python35-3.5-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-python26" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python26-3.5-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-python27" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python27-3.5-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-python36" release="1.25.amzn1" 
version="3.5"><filename>Packages/mod24_wsgi-python36-3.5-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-debuginfo" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.25.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_wsgi-python34" release="1.25.amzn1" version="3.5"><filename>Packages/mod24_wsgi-python34-3.5-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-988</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-988: medium priority package update for php70 php56</title><issued date="2018-04-05 16:32" /><updated date="2018-04-05 23:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 13499 CVE-2018-7584: 13500 1551039: 13501 CVE-2018-7584 php: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service 13502 In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string. 
13503 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584" id="CVE-2018-7584" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-mcrypt-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-process-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-bcmath-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-xml-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-mysqlnd-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-snmp-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-gmp-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-tidy-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-fpm-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.28.amzn1" 
version="7.0.29"><filename>Packages/php70-intl-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pgsql-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pdo-dblib-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-dbg-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-ldap-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-cli-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-zip-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-debuginfo-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-enchant-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-json-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-recode-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-imap-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php70-embedded" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-embedded-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-opcache-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-dba-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-devel-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-common-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pdo-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-gd-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-odbc-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-mbstring-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-soap-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pspell-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.28.amzn1" 
version="7.0.29"><filename>Packages/php70-xmlrpc-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-tidy-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-enchant-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-ldap-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-snmp-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-gmp-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-dbg-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-embedded-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-xmlrpc-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-zip-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-intl-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.28.amzn1" 
version="7.0.29"><filename>Packages/php70-devel-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-gd-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-json-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pspell-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-soap-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-process-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-fpm-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-opcache-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pgsql-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-mysqlnd-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-recode-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-debuginfo-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.28.amzn1" 
version="7.0.29"><filename>Packages/php70-dba-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-common-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pdo-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-pdo-dblib-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-cli-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-xml-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-bcmath-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-mbstring-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-imap-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-odbc-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.28.amzn1" version="7.0.29"><filename>Packages/php70-mcrypt-7.0.29-1.28.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-gmp-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.137.amzn1" 
version="5.6.35"><filename>Packages/php56-xml-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-imap-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-tidy-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-odbc-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-fpm-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-devel-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-dbg-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-process-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mbstring-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-pdo-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-xmlrpc-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php56-gd" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-gd-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-ldap-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-dba-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mcrypt-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-intl-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-embedded-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-bcmath-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-common-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-recode-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-opcache-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-enchant-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.137.amzn1" 
version="5.6.35"><filename>Packages/php56-mssql-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-pgsql-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-cli-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-soap-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mysqlnd-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-debuginfo-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-snmp-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-pspell-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mysqlnd-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-pdo-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-xml-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-bcmath-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-intl" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-intl-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-ldap-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-pspell-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-process-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-devel-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-soap-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-recode-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-dba-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-gd-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-odbc-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-debuginfo-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.137.amzn1" 
version="5.6.35"><filename>Packages/php56-enchant-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-xmlrpc-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-common-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-dbg-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-cli-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-snmp-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mcrypt-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-pgsql-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-embedded-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mbstring-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-gmp-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-tidy-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" 
release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-mssql-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-fpm-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-opcache-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-imap-5.6.35-1.137.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.137.amzn1" version="5.6.35"><filename>Packages/php56-5.6.35-1.137.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-989</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-989: critical priority package update for python-paramiko</title><issued date="2018-04-05 16:41" /><updated date="2018-04-05 23:15" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7750:
1557130:
CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7750" id="CVE-2018-7750" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python26-paramiko" release="2.6.amzn1" version="1.15.1"><filename>Packages/python26-paramiko-1.15.1-2.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-paramiko" release="2.6.amzn1" version="1.15.1"><filename>Packages/python27-paramiko-1.15.1-2.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-990</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-990: medium priority package update for postgresql93 postgresql94 postgresql95 postgresql96</title><issued date="2018-04-05 16:55" /><updated date="2018-04-05 23:16" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1058:
A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database.
1547044:
CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1058" id="CVE-2018-1058" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql96-libs" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-libs-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plperl" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-plperl-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython27" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-plpython27-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-server" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-server-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-debuginfo" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-debuginfo-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-docs" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-docs-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-contrib" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-contrib-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython26" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-plpython26-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96" release="1.80.amzn1" 
version="9.6.8"><filename>Packages/postgresql96-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-devel" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-devel-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-test" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-test-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-static" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-static-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-test" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-test-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython27" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-plpython27-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-contrib" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-contrib-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plperl" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-plperl-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-server" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-server-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-static" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-static-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-debuginfo" release="1.80.amzn1" 
version="9.6.8"><filename>Packages/postgresql96-debuginfo-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-devel" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-devel-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-docs" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-docs-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-libs" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-libs-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython26" release="1.80.amzn1" version="9.6.8"><filename>Packages/postgresql96-plpython26-9.6.8-1.80.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython27" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-plpython27-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plperl" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-plperl-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-devel" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-devel-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-test" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-test-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-contrib" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-contrib-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-docs" 
release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-docs-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-server" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-server-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-debuginfo" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-debuginfo-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-static" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-static-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython26" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-plpython26-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-libs" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-libs-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython27" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-plpython27-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plperl" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-plperl-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-devel" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-devel-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-test" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-test-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-libs" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-libs-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="postgresql95-static" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-static-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-server" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-server-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-docs" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-docs-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-debuginfo" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-debuginfo-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-contrib" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-contrib-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython26" release="1.78.amzn1" version="9.5.12"><filename>Packages/postgresql95-plpython26-9.5.12-1.78.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-docs-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-plpython26-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-server-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.70.amzn1" 
version="9.3.22"><filename>Packages/postgresql93-plpython27-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-pltcl-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-devel-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-debuginfo-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-contrib-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-libs-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-plperl-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-test-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-plpython27-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-pltcl-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql93-debuginfo" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-debuginfo-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-devel-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-libs-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-server-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-docs-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-plpython26-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-test-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-plperl-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.70.amzn1" version="9.3.22"><filename>Packages/postgresql93-contrib-9.3.22-1.70.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-libs-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql94-plpython26" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-plpython26-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-server" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-server-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-devel-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-contrib-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-docs-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-debuginfo-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-test-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-plpython27-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-plperl-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.74.amzn1" 
version="9.4.17"><filename>Packages/postgresql94-server-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-devel-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-debuginfo-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-contrib-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-plpython26-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-test-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-plpython27-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-docs-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-libs-9.4.17-1.74.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.74.amzn1" version="9.4.17"><filename>Packages/postgresql94-plperl-9.4.17-1.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-991</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-991: medium priority package update for nvidia</title><issued date="2018-04-05 17:01" /><updated date="2018-04-05 23:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6253:


CVE-2018-6252:


CVE-2018-6251:


CVE-2018-6250:


CVE-2018-6249:


CVE-2018-6248:


CVE-2018-6247:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6247" id="CVE-2018-6247" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6253" id="CVE-2018-6253" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6252" id="CVE-2018-6252" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6251" id="CVE-2018-6251" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6250" id="CVE-2018-6250" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6248" id="CVE-2018-6248" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6249" id="CVE-2018-6249" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="nvidia-dkms" release="2017.09.109.amzn1" version="384.125"><filename>Packages/nvidia-dkms-384.125-2017.09.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="nvidia" release="2017.09.109.amzn1" version="384.125"><filename>Packages/nvidia-384.125-2017.09.109.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-993</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-993: medium priority package update for kernel</title><issued date="2018-04-19 04:44" /><updated date="2018-05-10 23:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5803:
An error in the &quot;_sctp_make_chunk()&quot; function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS.
1551051:
CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service

CVE-2018-1066:
A flaw was found in the Linux kernel&#039;s client-side implementation of the cifs protocol. This flaw allows an attacker controlling the server to kernel panic a client which has the CIFS server mounted.
1539599:
CVE-2018-1066 kernel: Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel

CVE-2017-18232:
1558066:
CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service
The Serial Attached SCSI (SAS) implementation in the Linux kernel mishandles a mutex within libsas. This allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5803" id="CVE-2018-5803" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18232" id="CVE-2017-18232" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1066" id="CVE-2018-1066" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf" release="41.60.amzn1" version="4.9.93"><filename>Packages/perf-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-tools-debuginfo-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="41.60.amzn1" version="4.9.93"><filename>Packages/perf-debuginfo-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-tools-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-devel-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-tools-devel-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-headers-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="41.60.amzn1"
version="4.9.93"><filename>Packages/kernel-debuginfo-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-debuginfo-common-i686-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-tools-devel-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="41.60.amzn1" version="4.9.93"><filename>Packages/perf-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-debuginfo-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-tools-debuginfo-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-devel-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-headers-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-tools-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="41.60.amzn1" 
version="4.9.93"><filename>Packages/perf-debuginfo-4.9.93-41.60.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="kernel-doc" release="41.60.amzn1" version="4.9.93"><filename>Packages/kernel-doc-4.9.93-41.60.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-995</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-995: medium priority package update for curl</title><issued date="2018-04-19 04:56" /><updated date="2018-04-19 22:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000122:
1553398:
CVE-2018-1000122 curl: RTSP RTP buffer over-read
A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage

CVE-2018-1000121:
A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.
1552631:
CVE-2018-1000121 curl: LDAP NULL pointer dereference

CVE-2018-1000120:
1552628:
CVE-2018-1000120 curl: FTP path trickery leads to NIL byte out of bounds write
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000121" id="CVE-2018-1000121" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120" id="CVE-2018-1000120" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122" id="CVE-2018-1000122" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl-devel" release="16.84.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="16.84.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="16.84.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="16.84.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="16.84.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-16.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="16.84.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-16.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="16.84.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-16.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="16.84.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-16.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security"
version="1.4"><id>ALAS-2018-996</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-996: medium priority package update for stunnel amazon-efs-utils</title><issued date="2018-04-19 04:59" /><updated date="2018-04-20 00:18" /><severity>medium</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="amazon-efs-utils" release="1.amzn1" version="1.2"><filename>Packages/amazon-efs-utils-1.2-1.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="stunnel-debuginfo" release="4.13.amzn1" version="4.56"><filename>Packages/stunnel-debuginfo-4.56-4.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="stunnel" release="4.13.amzn1" version="4.56"><filename>Packages/stunnel-4.56-4.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="stunnel" release="4.13.amzn1" version="4.56"><filename>Packages/stunnel-4.56-4.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="stunnel-debuginfo" release="4.13.amzn1" version="4.56"><filename>Packages/stunnel-debuginfo-4.56-4.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-997</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-997: medium priority package update for exim</title><issued date="2018-04-19 05:07" /><updated date="2018-04-19 22:37" /><severity>medium</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-mysql" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-mysql-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="exim-pgsql" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-pgsql-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-mon-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-debuginfo" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-debuginfo-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-greylist-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-mysql-4.90.1-3.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-mon-4.90.1-3.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-debuginfo-4.90.1-3.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-pgsql-4.90.1-3.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-4.90.1-3.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="3.15.amzn1" version="4.90.1"><filename>Packages/exim-greylist-4.90.1-3.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1000</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1000: low priority package update for openssl</title><issued date="2018-04-19 17:38" /><updated date="2018-04-19 23:00" 
/><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0737:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
1568253:
CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737" id="CVE-2018-0737" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="1" name="openssl-debuginfo" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="8.107.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-8.107.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1002</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1002: critical priority package update for java-1.8.0-openjdk</title><issued date="2018-04-26 16:44" /><updated date="2018-04-26 22:11" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2815:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567537:
CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)

CVE-2018-2814:
1567121:
CVE-2018-2814 OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2800:
1568163:
CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

CVE-2018-2799:
1567542:
CVE-2018-2799 OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2798:
1567543:
CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2797:
1567545:
CVE-2018-2797 OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java.
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2796:
1567546:
CVE-2018-2796 OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2795:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17.
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567351:
CVE-2018-2795 OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)

CVE-2018-2794:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1567126:
CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)

CVE-2018-2790:
1568515:
CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790" id="CVE-2018-2790" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796" id="CVE-2018-2796" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797" id="CVE-2018-2797" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794" id="CVE-2018-2794" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795" id="CVE-2018-2795" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815" id="CVE-2018-2815" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814" id="CVE-2018-2814" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798" id="CVE-2018-2798" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799" id="CVE-2018-2799" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800" id="CVE-2018-2800" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless"
release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.171-7.b10.37.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.171-7.b10.37.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="7.b10.37.amzn1" 
version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="7.b10.37.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1003</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1003: medium priority package update for python34 python35 python36 python27</title><issued date="2018-04-26 17:28" /><updated date="2018-05-03 22:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1061:
1549192:
CVE-2018-1061 python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

CVE-2018-1060:
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s pop3lib&#039;s apop() method. An attacker could use this flaw to cause denial of service.
1549191:
CVE-2018-1060 python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061" id="CVE-2018-1061" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060" id="CVE-2018-1060" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python34-tools" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-tools-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-libs-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-debuginfo-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-test-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-devel-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-test-3.4.8-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-devel-3.4.8-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.39.amzn1" 
version="3.4.8"><filename>Packages/python34-libs-3.4.8-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-debuginfo-3.4.8-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-tools-3.4.8-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.39.amzn1" version="3.4.8"><filename>Packages/python34-3.4.8-1.39.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-devel" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-devel-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-debuginfo" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-debuginfo-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-test" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-test-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-libs" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-libs-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-tools" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-tools-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python35-tools" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-tools-3.5.5-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-test" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-test-3.5.5-1.12.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="python35-devel" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-devel-3.5.5-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-3.5.5-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-debuginfo" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-debuginfo-3.5.5-1.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-libs" release="1.12.amzn1" version="3.5.5"><filename>Packages/python35-libs-3.5.5-1.12.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-tools" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-tools-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-test" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-test-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-devel" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-devel-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debug" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-debug-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debuginfo" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-debuginfo-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-libs" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-libs-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python36-devel" release="1.9.amzn1" 
version="3.6.5"><filename>Packages/python36-devel-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debug" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-debug-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-test" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-test-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debuginfo" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-debuginfo-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-libs" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-libs-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-tools" release="1.9.amzn1" version="3.6.5"><filename>Packages/python36-tools-3.6.5-1.9.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-debuginfo-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-libs-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-test-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-tools-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-devel-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="python27" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-libs-2.7.14-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-2.7.14-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-debuginfo-2.7.14-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-test-2.7.14-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-devel-2.7.14-1.123.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="1.123.amzn1" version="2.7.14"><filename>Packages/python27-tools-2.7.14-1.123.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1004</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1004: medium priority package update for httpd24</title><issued date="2018-05-03 16:29" /><updated date="2018-05-03 22:47" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1312:
1560634:
CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. 
In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

CVE-2018-1303:
1560399:
CVE-2018-1303 httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.

CVE-2018-1302:
1560625:
CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

CVE-2018-1301:
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
1560643:
CVE-2018-1301 httpd: Out of bound access after failure in reading the HTTP request

CVE-2018-1283:
1560395:
CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications
It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a &quot;Session&quot; header.

CVE-2017-15715:
In Apache httpd 2.4.0 to 2.4.29, the expression specified in &lt;FilesMatch&gt; could match &#039;$&#039; to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
1560614:
CVE-2017-15715 httpd:
bypass with a trailing newline in the file name

CVE-2017-15710:
1560599:
CVE-2017-15710 httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user&#039;s credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, &#039;en-US&#039; is truncated to &#039;en&#039;). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. 
In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15710" id="CVE-2017-15710" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1301" id="CVE-2018-1301" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1302" id="CVE-2018-1302" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1303" id="CVE-2018-1303" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715" id="CVE-2017-15715" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1283" id="CVE-2018-1283" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1312" id="CVE-2018-1312" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="httpd24-manual" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-manual-2.4.33-2.78.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-devel-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_ssl-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-debuginfo-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="2.78.amzn1" 
version="2.4.33"><filename>Packages/mod24_ldap-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_proxy_html-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_session-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_md" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_md-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-tools-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-debuginfo-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_session-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_md" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_md-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_ssl-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-devel-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="2.78.amzn1" version="2.4.33"><filename>Packages/httpd24-tools-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="mod24_proxy_html" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_proxy_html-2.4.33-2.78.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="2.78.amzn1" version="2.4.33"><filename>Packages/mod24_ldap-2.4.33-2.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1007</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1007: critical priority package update for java-1.7.0-openjdk</title><issued date="2018-05-10 16:50" /><updated date="2018-05-10 23:28" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2815:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567537:
CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)

CVE-2018-2814:
1567121:
CVE-2018-2814 OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2800:
1568163:
CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. 
Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

CVE-2018-2799:
1567542:
CVE-2018-2799 OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2018-2798:
1567543:
CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2797:
1567545:
CVE-2018-2797 OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. 
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2796:
1567546:
CVE-2018-2796 OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2018-2795:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567351:
CVE-2018-2795 OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)

CVE-2018-2794:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. 
CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1567126:
CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)

CVE-2018-2790:
1568515:
CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790" id="CVE-2018-2790" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796" id="CVE-2018-2796" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797" id="CVE-2018-2797" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794" id="CVE-2018-2794" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795" id="CVE-2018-2795" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815" id="CVE-2018-2815" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814" id="CVE-2018-2814" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798" id="CVE-2018-2798" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799" id="CVE-2018-2799" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800" id="CVE-2018-2800" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.181-2.6.14.1.79.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1"
name="java-1.7.0-openjdk-debuginfo" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.14.1.79.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1008</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1008: important priority package update for patch</title><issued date="2018-05-10 16:52" /><updated 
date="2018-05-10 23:29" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000156:
1564326:
CVE-2018-1000156 patch: Malicious patch files cause ed to execute arbitrary commands
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD&#039;s CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156" id="CVE-2018-1000156" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="patch" release="10.10.amzn1" version="2.7.1"><filename>Packages/patch-2.7.1-10.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="patch-debuginfo" release="10.10.amzn1" version="2.7.1"><filename>Packages/patch-debuginfo-2.7.1-10.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="patch-debuginfo" release="10.10.amzn1" version="2.7.1"><filename>Packages/patch-debuginfo-2.7.1-10.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="patch" release="10.10.amzn1" version="2.7.1"><filename>Packages/patch-2.7.1-10.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1009</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1009: medium priority package update for ntp</title><issued date="2018-05-10 17:01" /><updated date="2018-05-10 23:33" /><severity>medium</severity><description>Package
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7185:
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the &quot;other side&quot; of an interleaved association causing the victim ntpd to reset its association.
1550220:
CVE-2018-7185 ntp: Unauthenticated packet can reset authenticated interleaved association

CVE-2018-7184:
1550218:
CVE-2018-7184 ntp: Interleaved symmetric mode cannot recover from bad state
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the &quot;received&quot; timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

CVE-2018-7183:
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
1550223:
CVE-2018-7183 ntp: decodearr() can write beyond its buffer limit

CVE-2018-7182:
1550208:
CVE-2018-7182 ntp: buffer read overrun leads information leak in ctl_getitem()
The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10.

CVE-2018-7170:
1550214:
CVE-2018-7170 ntp: Ephemeral association time spoofing additional protection
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim&#039;s clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

CVE-2016-1549:
A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim&#039;s clock.
1331463:
CVE-2016-1549 ntp: ephemeral association time spoofing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182" id="CVE-2018-7182" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183" id="CVE-2018-7183" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184" id="CVE-2018-7184" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185" id="CVE-2018-7185" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170" id="CVE-2018-7170" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549" id="CVE-2016-1549" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ntpdate" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntpdate-4.2.8p11-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="1.37.amzn1"
version="4.2.8p11"><filename>Packages/ntp-4.2.8p11-1.37.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntp-doc-4.2.8p11-1.37.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntp-debuginfo-4.2.8p11-1.37.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntp-perl-4.2.8p11-1.37.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntpdate-4.2.8p11-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntp-4.2.8p11-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="1.37.amzn1" version="4.2.8p11"><filename>Packages/ntp-debuginfo-4.2.8p11-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1010</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1010: medium priority package update for krb5</title><issued date="2018-09-05 19:27" /><updated date="2018-09-06 21:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7562:
An authentication bypass flaw was found in the way krb5&#039;s certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.
1485510:
CVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN

CVE-2017-11368:
1473560:
CVE-2017-11368 krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure
A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11368" id="CVE-2017-11368" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7562" id="CVE-2017-7562" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-devel" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-devel-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-server-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-debuginfo-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-workstation-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-libs-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-pkinit-openssl-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libkadm5" release="19.43.amzn1"
version="1.15.1"><filename>Packages/libkadm5-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-server-ldap-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-debuginfo-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-workstation-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-devel-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-pkinit-openssl-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libkadm5" release="19.43.amzn1" version="1.15.1"><filename>Packages/libkadm5-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-libs-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-server-1.15.1-19.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="19.43.amzn1" version="1.15.1"><filename>Packages/krb5-server-ldap-1.15.1-19.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1016</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1016: medium priority package update for openssl</title><issued date="2018-05-10 17:29" /><updated date="2018-05-10 23:35" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3738:
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
1523510:
CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64

CVE-2017-3737:
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an &quot;error state&quot; mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake.
This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
1523504:
CVE-2017-3737 openssl: Read/write after SSL object in error state

CVE-2017-3736:
1509169:
CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738" id="CVE-2017-3738" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736" id="CVE-2017-3736" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737" id="CVE-2017-3737" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-static" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="12.109.amzn1"
version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="12.109.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-12.109.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1017</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1017: important priority package update for glibc</title><issued date="2018-05-10 17:45" /><updated date="2018-05-10 23:38" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000001:
1533836:
CVE-2018-1000001 glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

CVE-2017-15804:
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
1505298:
CVE-2017-15804 glibc: Buffer overflow during unescaping of user names with the ~ operator

CVE-2017-15670:
1504804:
CVE-2017-15670 glibc: Buffer overflow in glob with GLOB_TILDE
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.

CVE-2017-12132:
The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
1477529:
CVE-2017-12132 glibc: Fragmentation attacks possible when EDNS0 is enabled

CVE-2015-5180:
1249603:
CVE-2015-5180 glibc: DNS resolver NULL pointer dereference with crafted record type
res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).

CVE-2014-9402:
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
1175369:
CVE-2014-9402 glibc: denial of service in getnetbyname function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5180" id="CVE-2015-5180" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001" id="CVE-2018-1000001" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402" id="CVE-2014-9402" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15804" id="CVE-2017-15804" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670" id="CVE-2017-15670" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132" id="CVE-2017-12132" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nscd" release="222.173.amzn1"
version="2.17"><filename>Packages/nscd-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-common" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-headers" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-222.173.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="222.173.amzn1" 
version="2.17"><filename>Packages/glibc-debuginfo-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="222.173.amzn1" version="2.17"><filename>Packages/nscd-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-222.173.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="222.173.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-222.173.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1018</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1018: low priority package update for openssh</title><issued date="2018-05-10 17:51" /><updated date="2018-05-10 23:39" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15906:
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
1506630:
CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906" id="CVE-2017-15906" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-cavs" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-cavs-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="2.16.69.amzn1" version="0.10.3"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-keycat" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-keycat-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-ldap-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-clients-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-debuginfo-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-server-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-7.4p1-16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat"
release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-keycat-7.4p1-16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-cavs" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-cavs-7.4p1-16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="2.16.69.amzn1" version="0.10.3"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-ldap-7.4p1-16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-clients-7.4p1-16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-debuginfo-7.4p1-16.69.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="16.69.amzn1" version="7.4p1"><filename>Packages/openssh-server-7.4p1-16.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1019</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1019: medium priority package update for php56 php70 php71</title><issued date="2018-05-10 18:23" /><updated date="2018-05-10 23:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10549:
1573797:
CVE-2018-10549 php: Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5.
exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final &#039;\0&#039; character.

CVE-2018-10548:
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.
1573805:
CVE-2018-10548 php: Null pointer dereference due to mishandling of ldap_get_dn return value allows denial-of-service by malicious LDAP server or man-in-the-middle attacker

CVE-2018-10547:
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
1573814:
CVE-2018-10547 php: Reflected XSS vulnerability on PHAR 403 and 404 error pages

CVE-2018-10546:
1573802:
CVE-2018-10546 php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.incov on invalid sequence leads to denial-of-service
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547" id="CVE-2018-10547" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546" id="CVE-2018-10546" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549" id="CVE-2018-10549" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548" id="CVE-2018-10548" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-opcache" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-opcache-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-embedded-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-dba-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-odbc-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-intl-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-tidy-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mysqlnd-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-devel-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-gd" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-gd-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-bcmath-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-fpm-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-soap-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mbstring-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-pspell-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-recode-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-pdo-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-xml-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-common-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.138.amzn1" 
version="5.6.36"><filename>Packages/php56-snmp-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-imap-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-cli-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-dbg-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-ldap-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-pgsql-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-debuginfo-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-xmlrpc-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mcrypt-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-enchant-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mssql-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-gmp-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-process" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-process-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-enchant-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-tidy-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-fpm-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mbstring-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-xmlrpc-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-imap-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-snmp-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-opcache-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-intl-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-xml-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.138.amzn1" 
version="5.6.36"><filename>Packages/php56-gd-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-debuginfo-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-dbg-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-recode-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mysqlnd-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-embedded-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-bcmath-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-dba-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-cli-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-gmp-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-pdo-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mssql-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" 
release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-pgsql-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-ldap-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-soap-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-mcrypt-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-process-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-common-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-pspell-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-odbc-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.138.amzn1" version="5.6.36"><filename>Packages/php56-devel-5.6.36-1.138.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-soap-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-debuginfo-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php71-json" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-json-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-opcache-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-mysqlnd-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pgsql-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pdo-dblib-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-gd-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-dba-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-embedded-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-gmp-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-intl-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.32.amzn1" 
version="7.1.17"><filename>Packages/php71-recode-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-imap-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-dbg-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pdo-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-fpm-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pspell-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-mbstring-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-common-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-devel-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-xmlrpc-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-mcrypt-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-bcmath-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php71-enchant" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-enchant-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-xml-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-process-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-cli-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-snmp-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-odbc-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-tidy-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-ldap-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-dba-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-gmp-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-ldap-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-xmlrpc-7.1.17-1.32.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php71-opcache" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-opcache-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pdo-dblib-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-mysqlnd-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-cli-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-xml-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-fpm-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-enchant-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-mcrypt-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-bcmath-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-dbg-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-recode-7.1.17-1.32.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php71-snmp" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-snmp-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pgsql-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-embedded-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-intl-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-imap-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pspell-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-json-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-tidy-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-common-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-process-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-devel-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-odbc-7.1.17-1.32.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php71-soap" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-soap-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-gd-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-mbstring-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-debuginfo-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.32.amzn1" version="7.1.17"><filename>Packages/php71-pdo-7.1.17-1.32.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-gmp-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-debuginfo-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-mysqlnd-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pspell-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-soap-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.29.amzn1" 
version="7.0.30"><filename>Packages/php70-common-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-imap-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-recode-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-enchant-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-tidy-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-xml-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-zip-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-process-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-mcrypt-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-cli-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-json-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-ldap-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-dbg" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-dbg-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-intl-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-snmp-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-fpm-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-gd-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pgsql-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-opcache-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-odbc-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-embedded-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pdo-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-dba-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-xmlrpc-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pdo-dblib-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-devel-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-bcmath-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-mbstring-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-common-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-dbg-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-mysqlnd-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-recode-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-bcmath-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-mcrypt-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-enchant-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.29.amzn1" 
version="7.0.30"><filename>Packages/php70-xml-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-embedded-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-fpm-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pspell-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-xmlrpc-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pdo-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-gmp-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-dba-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-gd-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-zip-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pdo-dblib-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.29.amzn1" 
version="7.0.30"><filename>Packages/php70-debuginfo-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-odbc-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-json-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-pgsql-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-snmp-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-intl-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-soap-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-ldap-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-imap-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-cli-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-process-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-tidy-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.29.amzn1" 
version="7.0.30"><filename>Packages/php70-mbstring-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-devel-7.0.30-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.29.amzn1" version="7.0.30"><filename>Packages/php70-opcache-7.0.30-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1023</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1023: important priority package update for kernel</title><issued date="2018-05-25 18:12" /><updated date="2019-01-25 03:44" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8897:
1567074:
CVE-2018-8897 Kernel: error in exception handling leads to DoS
A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service.

CVE-2018-7995:
1553911:
CVE-2018-7995 kernel: Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c
A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck&lt;cpu number&gt; directory.

CVE-2018-1108:
A weakness was found in the Linux kernel&#039;s implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
1567306:
CVE-2018-1108 kernel: drivers: getrandom(2) unblocks too early after system boot

CVE-2018-1091:
1558149:
CVE-2018-1091 kernel: guest kernel crash during core dump on POWER9 host
A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.

CVE-2018-10901:
A flaw was found in Linux kernel&#039;s KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host&#039;s userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.
1601849:
CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption

CVE-2018-1087:
1566837:
CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value
A flaw was found in the way the Linux kernel&#039;s KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.

CVE-2018-1068:
A flaw was found in the Linux kernel&#039;s implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
1552048:
CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c

CVE-2018-10675:
The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
1575065:
CVE-2018-10675 kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact

CVE-2018-1000199:
An address corruption flaw was discovered in the Linux kernel built with hardware breakpoint (CONFIG_HAVE_HW_BREAKPOINT) support. While modifying a h/w breakpoint via &#039;modify_user_hw_breakpoint&#039; routine, an unprivileged user/process could use this flaw to crash the system kernel resulting in DoS OR to potentially escalate privileges on a the system.
1568477:
CVE-2018-1000199 kernel: ptrace() incorrect error handling leads to corruption and DoS

CVE-2017-16939:
1517220:
CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation
The Linux kernel is vulerable to a use-after-free flaw when Transformation User configuration interface(CONFIG_XFRM_USER) compile-time configuration were enabled. This vulnerability occurs while closing a xfrm netlink socket in xfrm_dump_policy_done. A user/process could abuse this flaw to potentially escalate their privileges on a system.

CVE-2017-13215:
A flaw was found in the Linux kernel&#039;s skcipher component, which affects the skcipher_recvmsg function.
Attackers using a specific input can lead to a privilege escalation.
1535173:
CVE-2017-13215 kernel: crypto: privilege escalation in skcipher_recvmsg function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1068" id="CVE-2018-1068" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1108" id="CVE-2018-1108" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897" id="CVE-2018-8897" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1091" id="CVE-2018-1091" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13215" id="CVE-2017-13215" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1087" id="CVE-2018-1087" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16939" id="CVE-2017-16939" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000199" id="CVE-2018-1000199" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10675" id="CVE-2018-10675" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10901" id="CVE-2018-10901" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7995" id="CVE-2018-7995" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-tools-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="52.37.amzn1" 
version="4.14.42"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-tools-debuginfo-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-tools-devel-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-debuginfo-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-devel-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="52.37.amzn1" version="4.14.42"><filename>Packages/perf-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="52.37.amzn1" version="4.14.42"><filename>Packages/perf-debuginfo-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-headers-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-debuginfo-common-i686-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="52.37.amzn1" 
version="4.14.42"><filename>Packages/kernel-headers-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="52.37.amzn1" version="4.14.42"><filename>Packages/perf-debuginfo-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-tools-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="52.37.amzn1" version="4.14.42"><filename>Packages/perf-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-tools-debuginfo-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-debuginfo-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-devel-4.14.42-52.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="52.37.amzn1" version="4.14.42"><filename>Packages/kernel-tools-devel-4.14.42-52.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1024</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1024: low priority package update for dhcp</title><issued date="2018-05-25 18:16" /><updated date="2018-05-29 23:01" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1111:
A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2.
A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
1567974:
CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111" id="CVE-2018-1111" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="12" name="dhcp-debuginfo" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-devel" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhclient" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="12" name="dhcp-common" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-common-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-devel" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-devel-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-debuginfo" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp-common" release="53.P1.28.amzn1" 
version="4.1.1"><filename>Packages/dhcp-common-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhcp" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhcp-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="12" name="dhclient" release="53.P1.28.amzn1" version="4.1.1"><filename>Packages/dhclient-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1025</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1025: low priority package update for gnupg2</title><issued date="2018-05-25 18:21" /><updated date="2018-07-24 21:04" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-9234:
1563930:
CVE-2018-9234 GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234" id="CVE-2018-9234" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg2-smime" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-debuginfo" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-smime" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-debuginfo" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1026</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1026: medium priority package update for mysql57</title><issued date="2018-05-25 18:22" /><updated date="2018-05-29 23:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2846:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.7.21 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568958:
CVE-2018-2846 mysql: Server: Performance Schema unspecified vulnerability (CPU Apr 2018)

CVE-2018-2839:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568957:
CVE-2018-2839 mysql: Server: DML unspecified vulnerability (CPU Apr 2018)

CVE-2018-2819:
1568956:
CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2818:
1568955:
CVE-2018-2818 mysql: Server : Security : Privileges unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2817:
1568954:
CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2816:
1568953:
CVE-2018-2816 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2813:
1568951:
CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE-2018-2812:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568950:
CVE-2018-2812 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)

CVE-2018-2810:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568949:
CVE-2018-2810 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)

CVE-2018-2787:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568946:
CVE-2018-2787 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)

CVE-2018-2786:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568945:
CVE-2018-2786 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)

CVE-2018-2784:
1568944:
CVE-2018-2784 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2782:
1568943:
CVE-2018-2782 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2781:
1568942:
CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2780:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568941:
CVE-2018-2780 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)

CVE-2018-2779:
1568940:
CVE-2018-2779 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2778:
1568938:
CVE-2018-2778 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 13980 13981 CVE-2018-2777: 13982 1568937: 13983 CVE-2018-2777 mysql: InnoDB unspecified vulnerability (CPU Apr 2018) 13984 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 13985 13986 CVE-2018-2776: 13987 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Group Replication GCS). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via XCom to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 13988 1568936: 13989 CVE-2018-2776 mysql: Group Replication GCS unspecified vulnerability (CPU Apr 2018) 13990 13991 CVE-2018-2775: 13992 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. 
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 13993 1568934: 13994 CVE-2018-2775 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018) 13995 13996 CVE-2018-2773: 13997 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). 13998 1568932: 13999 CVE-2018-2773 mysql: Client programs unspecified vulnerability (CPU Apr 2018) 14000 14001 CVE-2018-2771: 14002 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). 
14003 1568931: 14004 CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018) 14005 14006 CVE-2018-2769: 14007 1568927: 14008 CVE-2018-2769 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Apr 2018) 14009 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 14010 14011 CVE-2018-2766: 14012 1568926: 14013 CVE-2018-2766 mysql: InnoDB unspecified vulnerability (CPU Apr 2018) 14014 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 14015 14016 CVE-2018-2762: 14017 1568925: 14018 CVE-2018-2762 mysql: Server: Connection unspecified vulnerability (CPU Apr 2018) 14019 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 14020 14021 CVE-2018-2761: 14022 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 14023 1568924: 14024 CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018) 14025 14026 CVE-2018-2759: 14027 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). 14028 1568923: 14029 CVE-2018-2759 mysql: InnoDB unspecified vulnerability (CPU Apr 2018) 14030 14031 CVE-2018-2758: 14032 1568922: 14033 CVE-2018-2758 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2018) 14034 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. 
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). 14035 14036 CVE-2018-2755: 14037 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). 
14038 1568921: 14039 CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018) 14040 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819" id="CVE-2018-2819" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2759" id="CVE-2018-2759" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2839" id="CVE-2018-2839" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755" id="CVE-2018-2755" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2846" id="CVE-2018-2846" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2779" id="CVE-2018-2779" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2775" id="CVE-2018-2775" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817" id="CVE-2018-2817" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2816" id="CVE-2018-2816" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771" id="CVE-2018-2771" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813" id="CVE-2018-2813" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2773" id="CVE-2018-2773" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2762" id="CVE-2018-2762" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761" id="CVE-2018-2761" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2777" id="CVE-2018-2777" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2766" 
id="CVE-2018-2766" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2769" id="CVE-2018-2769" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2758" id="CVE-2018-2758" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2810" id="CVE-2018-2810" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781" id="CVE-2018-2781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2780" id="CVE-2018-2780" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2782" id="CVE-2018-2782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2784" id="CVE-2018-2784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2787" id="CVE-2018-2787" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2786" id="CVE-2018-2786" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2778" id="CVE-2018-2778" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2812" id="CVE-2018-2812" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2776" id="CVE-2018-2776" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2818" id="CVE-2018-2818" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql57-server" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-server-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-common" release="2.7.amzn1" 
version="5.7.22"><filename>Packages/mysql57-common-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-devel" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-devel-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-test" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-test-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-errmsg" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-errmsg-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-embedded-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-debuginfo" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-debuginfo-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-libs" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-libs-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded-devel" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-embedded-devel-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-server" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-server-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-common" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-common-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-libs" release="2.7.amzn1" 
version="5.7.22"><filename>Packages/mysql57-libs-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-test" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-test-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-devel" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-devel-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-debuginfo" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-debuginfo-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-errmsg" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-errmsg-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded-devel" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-embedded-devel-5.7.22-2.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded" release="2.7.amzn1" version="5.7.22"><filename>Packages/mysql57-embedded-5.7.22-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1027</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1027: medium priority package update for mysql56</title><issued date="2018-05-25 18:26" /><updated date="2018-05-29 23:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2819:
1568956:
CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2818:
1568955:
CVE-2018-2818 mysql: Server : Security : Privileges unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2817:
1568954:
CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2813:
1568951:
CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE-2018-2787:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568946:
CVE-2018-2787 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)

CVE-2018-2784:
1568944:
CVE-2018-2784 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2782:
1568943:
CVE-2018-2782 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2781:
1568942:
CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2773:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568932:
CVE-2018-2773 mysql: Client programs unspecified vulnerability (CPU Apr 2018)

CVE-2018-2771:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568931:
CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018)

CVE-2018-2766:
1568926:
CVE-2018-2766 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2761:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1568924:
CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018)

CVE-2018-2758:
1568922:
CVE-2018-2758 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2755:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1568921:
CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761" id="CVE-2018-2761" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755" id="CVE-2018-2755" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2766" id="CVE-2018-2766" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2758" id="CVE-2018-2758" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781" id="CVE-2018-2781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2782" id="CVE-2018-2782" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819" id="CVE-2018-2819" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2784" id="CVE-2018-2784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2787" id="CVE-2018-2787" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817" id="CVE-2018-2817" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2773" id="CVE-2018-2773" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771" id="CVE-2018-2771" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813" id="CVE-2018-2813" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2818" id="CVE-2018-2818" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-libs-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-test-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-bench-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-common-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-errmsg-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-server-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-devel-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.29.amzn1" 
version="5.6.40"><filename>Packages/mysql56-embedded-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-embedded-devel-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-debuginfo-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-libs-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-server-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-bench-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-embedded-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-test-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-devel-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.29.amzn1" 
version="5.6.40"><filename>Packages/mysql56-common-5.6.40-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.29.amzn1" version="5.6.40"><filename>Packages/mysql56-errmsg-5.6.40-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1028</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1028: medium priority package update for mysql55</title><issued date="2018-05-25 18:26" /><updated date="2018-05-29 23:15" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2819:
1568956:
CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2818:
1568955:
CVE-2018-2818 mysql: Server : Security : Privileges unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2817:
1568954:
CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2813:
1568951:
CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE-2018-2781:
1568942:
CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. 
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-2773:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568932:
CVE-2018-2773 mysql: Client programs unspecified vulnerability (CPU Apr 2018)

CVE-2018-2771:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568931:
CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018)

CVE-2018-2761:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). 
Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1568924:
CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018)

CVE-2018-2755:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). 
1568921:
CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761" id="CVE-2018-2761" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755" id="CVE-2018-2755" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781" id="CVE-2018-2781" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819" id="CVE-2018-2819" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2818" id="CVE-2018-2818" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817" id="CVE-2018-2817" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771" id="CVE-2018-2771" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813" id="CVE-2018-2813" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2773" id="CVE-2018-2773" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-bench-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-embedded-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql-config-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-libs-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-test-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-server-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-devel-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-embedded-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-devel-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql-config-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-test-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-server-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.21.amzn1" 
version="5.5.60"><filename>Packages/mysql55-bench-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-libs-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-debuginfo-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-embedded-devel-5.5.60-1.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.21.amzn1" version="5.5.60"><filename>Packages/mysql55-5.5.60-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1034</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1034: important priority package update for qemu-kvm</title><issued date="2018-06-08 18:29" /><updated date="2018-06-11 21:29" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7858:
Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.
1553402:
CVE-2018-7858 QEMU: cirrus: OOB access when updating VGA display

CVE-2018-5683:
1530356:
CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
An out-of-bounds read access issue was found in the VGA emulator of QEMU. It could occur in vga_draw_text routine, while updating display area for a vnc client. 
A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS.

CVE-2018-3639:
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.

CVE-2017-15268:
A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.
1496879:
CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC

CVE-2017-15124:
1525195:
CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. 

CVE-2017-13711:
1486400:
CVE-2017-13711 QEMU: Slirp: use-after-free when sending response
A use-after-free issue was found in the Slirp networking implementation of the Quick emulator (QEMU). It occurs when a Socket referenced from multiple packets is freed while responding to a message. A user/process could use this flaw to crash the QEMU process on the host resulting in denial of service.

CVE-2017-13672:
An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator (QEMU). It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulting in denial of service situation.
1486560:
CVE-2017-13672 QEMU: vga: OOB read access during display update
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268" id="CVE-2017-15268" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5683" id="CVE-2018-5683" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" id="CVE-2018-3639" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711" id="CVE-2017-13711" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15124" id="CVE-2017-15124" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7858" id="CVE-2018-7858" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13672" id="CVE-2017-13672" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="10" name="qemu-kvm" release="156.8.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="10" name="qemu-kvm-tools" release="156.8.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-tools-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-img" release="156.8.amzn1" version="1.5.3"><filename>Packages/qemu-img-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="156.8.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-common" release="156.8.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-common-1.5.3-156.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1035</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1035: important priority package update for git</title><issued date="2018-06-08 18:31" /><updated date="2018-06-11 21:30" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11235:
1583862:
CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs &quot;git clone --recurse-submodules&quot; because submodule &quot;names&quot; are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with &quot;../&quot; in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. 

CVE-2018-11233:
1583888:
CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235" id="CVE-2018-11235" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233" id="CVE-2018-11233" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="git-bzr" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-bzr-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-cvs-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="2.58.amzn1" version="2.14.4"><filename>Packages/perl-Git-SVN-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="2.58.amzn1" version="2.14.4"><filename>Packages/perl-Git-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-email-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-all" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-all-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-hg-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="2.58.amzn1" 
version="2.14.4"><filename>Packages/emacs-git-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-daemon-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-p4-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="2.58.amzn1" version="2.14.4"><filename>Packages/gitweb-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="2.58.amzn1" version="2.14.4"><filename>Packages/emacs-git-el-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-svn-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-debuginfo-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-daemon-2.14.4-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-2.14.4-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-debuginfo-2.14.4-2.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="2.58.amzn1" version="2.14.4"><filename>Packages/git-svn-2.14.4-2.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" 
status="final" type="security" version="1.4"><id>ALAS-2018-1036</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1036: important priority package update for 389-ds-base</title><issued date="2018-06-08 18:32" /><updated date="2018-06-11 21:31" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1089:
1559802:
CVE-2018-1089 389-ds-base: ns-slapd crash via large filter value in ldapsearch
It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1089" id="CVE-2018-1089" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-snmp-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-libs-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-devel-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package arch="i686" 
epoch="0" name="389-ds-base-debuginfo" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-devel-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-libs-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="21.56.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-snmp-1.3.7.5-21.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1037</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1037: important priority package update for java-1.7.0-openjdk</title><issued date="2018-06-08 18:32" /><updated date="2018-06-11 21:32" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3639:
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). 
It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" id="CVE-2018-3639" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.181-2.6.14.8.80.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.14.8.80.amzn1" 
version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.14.8.80.amzn1" version="1.7.0.181"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1038</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1038: important priority package update for kernel</title><issued date="2018-06-08 18:33" /><updated date="2018-09-06 22:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3693:
1581650:
CVE-2018-3693 Kernel: speculative bounds check bypass store
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. 
The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks.

CVE-2018-3639:
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.

CVE-2018-1120:
1575472:
CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
By mmap()ing a FUSE-backed file onto a process&#039;s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/&lt;pid&gt;/cmdline (or /proc/&lt;pid&gt;/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1120" id="CVE-2018-1120" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" id="CVE-2018-3639" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3693" id="CVE-2018-3693" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="56.37.amzn1" version="4.14.47"><filename>Packages/perf-debuginfo-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-headers-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-debuginfo-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-tools-debuginfo-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="56.37.amzn1" version="4.14.47"><filename>Packages/perf-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-devel-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-tools-devel-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="56.37.amzn1" 
version="4.14.47"><filename>Packages/kernel-tools-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-tools-debuginfo-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="56.37.amzn1" version="4.14.47"><filename>Packages/perf-debuginfo-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-devel-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-debuginfo-common-i686-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-tools-devel-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-debuginfo-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="56.37.amzn1" version="4.14.47"><filename>Packages/perf-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-headers-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="56.37.amzn1" version="4.14.47"><filename>Packages/kernel-4.14.47-56.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="56.37.amzn1" 
version="4.14.47"><filename>Packages/kernel-tools-4.14.47-56.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1039</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1039: important priority package update for java-1.8.0-openjdk</title><issued date="2018-06-08 18:34" /><updated date="2018-06-11 21:33" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3639:
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" id="CVE-2018-3639" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.171-8.b10.38.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.171-8.b10.38.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" 
release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="8.b10.38.amzn1" version="1.8.0.171"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1040</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1040: medium priority package update for wget</title><issued date="2018-06-08 18:35" /><updated date="2018-06-11 21:34" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0494:
1575634:
CVE-2018-0494 wget: Cookie injection allows malicious website to write arbitrary cookie entries into cookie jar
A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494" id="CVE-2018-0494" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wget-debuginfo" release="4.29.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-4.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="wget" release="4.29.amzn1" version="1.18"><filename>Packages/wget-1.18-4.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wget" release="4.29.amzn1" version="1.18"><filename>Packages/wget-1.18-4.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wget-debuginfo" release="4.29.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-4.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1044</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1044: medium priority package update for kernel</title><issued date="2018-06-27 21:53" /><updated date="2018-07-24 21:03" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12232:
1590215:
CVE-2018-12232 kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor
A NULL pointer dereference issue was found in the Linux kernel. If the close() and fchownat() system calls share a socket file descriptor as an argument, then the two calls can race and trigger a NULL pointer dereference leading to a system crash and a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12232" id="CVE-2018-12232" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-devel-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-tools-debuginfo-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="60.38.amzn1" version="4.14.51"><filename>Packages/perf-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-tools-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-debuginfo-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-headers-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-tools-devel-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="60.38.amzn1" 
version="4.14.51"><filename>Packages/perf-debuginfo-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="60.38.amzn1" version="4.14.51"><filename>Packages/perf-debuginfo-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-devel-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-debuginfo-common-i686-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-tools-debuginfo-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-headers-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-tools-devel-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-tools-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="60.38.amzn1" version="4.14.51"><filename>Packages/kernel-debuginfo-4.14.51-60.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="60.38.amzn1" version="4.14.51"><filename>Packages/perf-4.14.51-60.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2018-1045</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1045: important priority package update for gnupg gnupg2</title><issued date="2018-06-27 21:57" /><updated date="2018-07-24 21:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12020:
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output.
1589620:
CVE-2018-12020 gnupg2: Improper sanitization of filenames allows for the display of fake status messages and the bypass of signature verification
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020" id="CVE-2018-12020" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="gnupg" release="1.29.amzn1" version="1.4.19"><filename>Packages/gnupg-1.4.19-1.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg-debuginfo" release="1.29.amzn1" version="1.4.19"><filename>Packages/gnupg-debuginfo-1.4.19-1.29.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg" release="1.29.amzn1" version="1.4.19"><filename>Packages/gnupg-1.4.19-1.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg-debuginfo" release="1.29.amzn1" version="1.4.19"><filename>Packages/gnupg-debuginfo-1.4.19-1.29.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-smime" release="2.32.amzn1" 
version="2.0.28"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2-debuginfo" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="gnupg2" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-smime" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2-debuginfo" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="gnupg2" release="2.32.amzn1" version="2.0.28"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1046</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1046: medium priority package update for kernel</title><issued date="2018-07-23 20:51" /><updated date="2018-07-24 21:06" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11412:
1582358:
CVE-2018-11412 kernel: out-of-bounds memcpy in fs/ext4/inline.c:ext4_read_inline_data() with crafted ext4 image
The fs/ext4/inline.c:ext4_read_inline_data() function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or possible privilege escalation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11412" id="CVE-2018-11412" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="62.37.amzn1" 
version="4.14.55"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-common-i686-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-4.14.55-62.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2018-1047</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1047: medium priority package update for ant</title><issued date="2018-07-23 20:56" /><updated date="2018-07-24 21:07" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10886:
It was discovered that Ant&#039;s unzip and untar targets permit the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant.
1584407:
CVE-2018-10886 ant: arbitrary file write vulnerability and arbitrary code execution using a specially crafted zip file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10886" id="CVE-2018-10886" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ant-javadoc" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-javadoc-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-commons-net" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-commons-net-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-commons-logging" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-commons-logging-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-antlr" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-antlr-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-apache-oro" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-apache-oro-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-apache-resolver" release="1.14.amzn1" 
version="1.8.3"><filename>Packages/ant-apache-resolver-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-scripts" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-scripts-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-testutil" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-testutil-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-swing" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-swing-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-manual" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-manual-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-jdepend" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-jdepend-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-apache-bsf" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-apache-bsf-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-apache-xalan2" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-apache-xalan2-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-jmf" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-jmf-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-javamail" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-javamail-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-apache-log4j" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-apache-log4j-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" 
name="ant-apache-bcel" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-apache-bcel-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-jsch" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-jsch-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-junit" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-junit-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ant-apache-regexp" release="1.14.amzn1" version="1.8.3"><filename>Packages/ant-apache-regexp-1.8.3-1.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1048</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1048: low priority package update for kernel</title><issued date="2018-08-04 23:47" /><updated date="2018-08-06 18:27" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-13094:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.
1597771:
CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function

CVE-2018-13093:
1597766:
CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode-&gt;i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13093" id="CVE-2018-13093" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094" id="CVE-2018-13094" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="64.43.amzn1" 
version="4.14.59"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-common-i686-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="64.43.amzn1" 
version="4.14.59"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1049</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1049: critical priority package update for kernel</title><issued date="2018-08-04 23:48" /><updated date="2018-08-06 19:10" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5390:
TBD
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390" id="CVE-2018-5390" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" 
release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-common-i686-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="64.43.amzn1" 
version="4.14.59"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="64.43.amzn1" version="4.14.59"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="64.43.amzn1" version="4.14.59"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1054</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1054: medium priority package update for java-1.8.0-openjdk</title><issued date="2018-08-09 16:07" /><updated date="2018-08-09 21:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2952:
1600925:
CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. 
It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2952" id="CVE-2018-2952" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.181-8.b13.39.39.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.181-8.b13.39.39.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="8.b13.39.39.amzn1" 
version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="8.b13.39.39.amzn1" version="1.8.0.181"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1055</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1055: important priority package update for tomcat7 tomcat80</title><issued date="2018-08-09 16:10" /><updated date="2018-08-09 21:44" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8034:
1607580:
CVE-2018-8034 tomcat: host name verification missing in WebSocket client
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

CVE-2018-8014:
1579611:
CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable &#039;supportsCredentials&#039; for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

CVE-2018-1336:
1607591:
CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034" id="CVE-2018-8034" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336" id="CVE-2018-1336" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" id="CVE-2018-8014" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat80-lib" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-lib-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-servlet-3.1-api" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-servlet-3.1-api-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-el-3.0-api" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-el-3.0-api-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-docs-webapp" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-docs-webapp-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-log4j" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-log4j-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-webapps" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-webapps-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-jsp-2.3-api" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-jsp-2.3-api-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-admin-webapps" 
release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-admin-webapps-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat80-javadoc" release="1.80.amzn1" version="8.0.53"><filename>Packages/tomcat80-javadoc-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-el-2.2-api-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-log4j-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-javadoc-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-docs-webapp-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-servlet-3.0-api-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-admin-webapps-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-lib-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-jsp-2.2-api-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" 
release="1.33.amzn1" version="7.0.90"><filename>Packages/tomcat7-webapps-7.0.90-1.33.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1056</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1056: important priority package update for tomcat8</title><issued date="2018-08-09 16:12" /><updated date="2018-08-09 21:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8037:
A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
1607582:
CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

CVE-2018-8034:
1607580:
CVE-2018-8034 tomcat: host name verification missing in WebSocket client
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

CVE-2018-8014:
1579611:
CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable &#039;supportsCredentials&#039; for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. 

CVE-2018-1336:
1607591:
CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034" id="CVE-2018-8034" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037" id="CVE-2018-8037" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336" id="CVE-2018-1336" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" id="CVE-2018-8014" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-log4j-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-lib-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-el-3.0-api-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-admin-webapps-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.78.amzn1" 
version="8.5.32"><filename>Packages/tomcat8-jsp-2.3-api-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-servlet-3.1-api-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-docs-webapp-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-webapps-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.78.amzn1" version="8.5.32"><filename>Packages/tomcat8-javadoc-8.5.32-1.78.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1057</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1057: important priority package update for yum-utils</title><issued date="2018-08-09 16:13" /><updated date="2018-08-09 21:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10897:
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. 
1600221:
CVE-2018-10897 yum-utils: reposync: improper path validation may lead to directory traversal
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10897" id="CVE-2018-10897" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="yum-updateonboot" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-updateonboot-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-ps" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-ps-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-rpm-warm-cache" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-rpm-warm-cache-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-tmprepo" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-tmprepo-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-ovl" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-ovl-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-fastestmirror" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-fastestmirror-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-auto-update-debug-info" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-auto-update-debug-info-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-filter-data" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-filter-data-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-versionlock" release="46.30.amzn1" 
version="1.1.31"><filename>Packages/yum-plugin-versionlock-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-remove-with-leaves" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-remove-with-leaves-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-pre-transaction-actions" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-pre-transaction-actions-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-show-leaves" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-show-leaves-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-tsflags" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-tsflags-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-utils" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-utils-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-local" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-local-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-upgrade-helper" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-upgrade-helper-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-refresh-updatesd" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-refresh-updatesd-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-changelog" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-changelog-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-protectbase" release="46.30.amzn1" 
version="1.1.31"><filename>Packages/yum-plugin-protectbase-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-copr" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-copr-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-aliases" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-aliases-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-merge-conf" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-merge-conf-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-keys" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-keys-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-post-transaction-actions" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-post-transaction-actions-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-priorities" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-priorities-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-verify" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-verify-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-puppetverify" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-puppetverify-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-list-data" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-list-data-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-NetworkManager-dispatcher" release="46.30.amzn1" 
version="1.1.31"><filename>Packages/yum-NetworkManager-dispatcher-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="yum-plugin-fs-snapshot" release="46.30.amzn1" version="1.1.31"><filename>Packages/yum-plugin-fs-snapshot-1.1.31-46.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1058</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1058: critical priority package update for kernel</title><issued date="2018-08-10 20:26" /><updated date="2018-08-14 17:53" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5391:


CVE-2018-3646:


CVE-2018-3620:


CVE-2018-3615:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615" id="CVE-2018-3615" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5391" id="CVE-2018-5391" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620" id="CVE-2018-3620" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646" id="CVE-2018-3646" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="65.117.amzn1" version="4.14.62"><filename>Packages/perf-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="65.117.amzn1" 
version="4.14.62"><filename>Packages/kernel-headers-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="65.117.amzn1" version="4.14.62"><filename>Packages/perf-debuginfo-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-debuginfo-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-tools-devel-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-tools-debuginfo-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-tools-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-devel-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-headers-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="65.117.amzn1" version="4.14.62"><filename>Packages/perf-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" 
release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-debuginfo-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-tools-debuginfo-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-devel-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-debuginfo-common-i686-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-tools-devel-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="65.117.amzn1" version="4.14.62"><filename>Packages/perf-debuginfo-4.14.62-65.117.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="65.117.amzn1" version="4.14.62"><filename>Packages/kernel-tools-4.14.62-65.117.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1062</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1062: medium priority package update for httpd24</title><issued date="2018-08-22 18:56" /><updated date="2018-08-23 17:29" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8011:
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33). 
14328 1605052: 14329 CVE-2018-8011 httpd: mod_md: NULL pointer dereference causing httpd child process crash 14330 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011" id="CVE-2018-8011" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_proxy_html-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-devel-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_ssl-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-manual-2.4.34-1.82.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-tools-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_md" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_md-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_ldap-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_session-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.82.amzn1" 
version="2.4.34"><filename>Packages/httpd24-debuginfo-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_md" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_md-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_ssl-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_ldap-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-tools-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_proxy_html-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-debuginfo-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.82.amzn1" version="2.4.34"><filename>Packages/httpd24-devel-2.4.34-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.82.amzn1" version="2.4.34"><filename>Packages/mod24_session-2.4.34-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1064</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1064: medium priority package update for java-1.7.0-openjdk</title><issued date="2018-08-22 18:58" /><updated date="2018-08-23 17:30" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2952:
1600925:
CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2952" id="CVE-2018-2952" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.191-2.6.15.4.82.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="java-1.7.0-openjdk" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.15.4.82.amzn1" version="1.7.0.191"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1065</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1065: medium priority package update for openssl</title><issued date="2018-08-22 18:59" /><updated date="2018-08-23 17:31" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service

CVE-2018-0733:
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
1561260:
CVE-2018-0733 openssl: Implementation bug in PA-RISC CRYPTO_memcmp function allows attackers to forge authenticated messages in a reduced number of attempts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0733" id="CVE-2018-0733" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" id="CVE-2018-0739" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-perl" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="12.110.amzn1"
version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="12.110.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-12.110.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1066</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1066: low priority package update for php56 php70 php71</title><issued date="2018-08-22 19:30" /><updated date="2018-08-23 17:33" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14883:
1609637:
CVE-2018-14883 php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.

CVE-2018-14851:
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.
1609642:
CVE-2018-14851 php: exif: buffer over-read in exif_process_IFD_in_MAKERNOTE()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851" id="CVE-2018-14851" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883" id="CVE-2018-14883" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-ldap" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-ldap-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-pgsql-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-gmp-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-dbg-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-fpm-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-process-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-xml-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-imap-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.139.amzn1"
version="5.6.37"><filename>Packages/php56-pspell-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-cli-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mysqlnd-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-common-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-debuginfo-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-opcache-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-snmp-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-devel-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-tidy-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mcrypt-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-intl-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.139.amzn1" 
version="5.6.37"><filename>Packages/php56-mbstring-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-soap-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-xmlrpc-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-bcmath-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-dba-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-odbc-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-embedded-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mssql-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-gd-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-recode-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-pdo-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php56-enchant" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-enchant-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-ldap-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-pgsql-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-debuginfo-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-enchant-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-pdo-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-bcmath-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mcrypt-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-xml-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-fpm-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mysqlnd-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.139.amzn1" 
version="5.6.37"><filename>Packages/php56-soap-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-gd-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-intl-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-recode-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-snmp-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-dba-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-embedded-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-xmlrpc-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mbstring-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-opcache-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-pspell-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-gmp-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" 
release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-common-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-odbc-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-cli-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-imap-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-process-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-devel-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-dbg-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-tidy-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.139.amzn1" version="5.6.37"><filename>Packages/php56-mssql-5.6.37-1.139.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-enchant-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-xmlrpc-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-gmp" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-gmp-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-common-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-mcrypt-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-debuginfo-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-ldap-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-soap-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-process-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-opcache-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-mysqlnd-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-dbg-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-cli-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.30.amzn1" 
version="7.0.31"><filename>Packages/php70-bcmath-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-intl-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-dba-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-json-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pgsql-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-zip-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-gd-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-mbstring-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-recode-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-embedded-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-imap-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pdo-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-snmp" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-snmp-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-xml-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-tidy-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-devel-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pdo-dblib-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-odbc-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pspell-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-fpm-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-opcache-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-soap-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-xmlrpc-7.0.31-1.30.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php70-bcmath" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-bcmath-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-odbc-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-enchant-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-mysqlnd-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-common-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pgsql-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-devel-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-dbg-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-cli-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pdo-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-imap-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-mcrypt" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-mcrypt-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-mbstring-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-process-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-intl-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-zip-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-xml-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-dba-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-tidy-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-recode-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-snmp-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-gd-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-fpm-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php70-pdo-dblib" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pdo-dblib-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-pspell-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-debuginfo-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-gmp-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-ldap-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-json-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.30.amzn1" version="7.0.31"><filename>Packages/php70-embedded-7.0.31-1.30.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-recode-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-xml-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-tidy-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-dba-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-json-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pdo-dblib-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-odbc-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-imap-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-mcrypt-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pdo-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-dbg-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-intl-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-devel-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-process-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-fpm-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-gd-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.33.amzn1" 
version="7.1.20"><filename>Packages/php71-ldap-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-enchant-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-snmp-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-mysqlnd-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-debuginfo-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-soap-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-cli-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-opcache-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-gmp-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-bcmath-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-common-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php71-pspell" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pspell-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-xmlrpc-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-mbstring-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-embedded-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pgsql-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-embedded-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-dbg-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-mcrypt-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-gmp-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-fpm-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-intl-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.33.amzn1" 
version="7.1.20"><filename>Packages/php71-mysqlnd-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-tidy-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pdo-dblib-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-common-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pdo-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-json-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pgsql-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-gd-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-pspell-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-xmlrpc-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-imap-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-cli-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.33.amzn1" 
version="7.1.20"><filename>Packages/php71-ldap-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-process-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-soap-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-dba-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-odbc-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-opcache-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-recode-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-enchant-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-bcmath-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-xml-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-mbstring-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.33.amzn1" 
version="7.1.20"><filename>Packages/php71-devel-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-debuginfo-7.1.20-1.33.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.33.amzn1" version="7.1.20"><filename>Packages/php71-snmp-7.1.20-1.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1067</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1067: medium priority package update for php72</title><issued date="2018-08-22 19:31" /><updated date="2018-08-23 17:35" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14883:
1609637:
CVE-2018-14883 php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.

CVE-2018-14851:
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.
1609642:
CVE-2018-14851 php: exif: buffer over-read in exif_process_IFD_in_MAKERNOTE()

CVE-2018-12882:
1595502:
CVE-2018-12882 php: Use-after-free reachable via the exif.c:exif_read_from_impl() function
exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12882" id="CVE-2018-12882" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851" id="CVE-2018-14851" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883" id="CVE-2018-14883" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php72-pspell" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pspell-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-json-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-enchant" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-enchant-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pgsql" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pgsql-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-common-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-bcmath" release="1.5.amzn1" 
version="7.2.8"><filename>Packages/php72-bcmath-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-snmp-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-odbc-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-dbg-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-intl-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-gd-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-cli-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-embedded" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-embedded-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-imap" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-imap-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-xmlrpc-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-opcache-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.5.amzn1" 
version="7.2.8"><filename>Packages/php72-xml-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-tidy" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-tidy-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mbstring" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-mbstring-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pdo-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-devel-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-dba-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-process-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-debuginfo-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-mysqlnd-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-ldap-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gmp" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-gmp-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-recode" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-recode-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-soap" release="1.5.amzn1" 
version="7.2.8"><filename>Packages/php72-soap-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pdo-dblib-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-fpm" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-fpm-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-xml-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo-dblib" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pdo-dblib-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-imap-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-bcmath-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pspell-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-opcache-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-gd-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-embedded" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-embedded-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-snmp-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dba" release="1.5.amzn1" 
version="7.2.8"><filename>Packages/php72-dba-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-mbstring-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-ldap-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-mysqlnd-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-json" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-json-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pgsql-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-intl-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-common-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-odbc-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-recode-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-debuginfo-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-fpm-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gmp" release="1.5.amzn1" 
version="7.2.8"><filename>Packages/php72-gmp-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dbg" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-dbg-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-process-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-devel-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-xmlrpc-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-cli-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-enchant-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-pdo-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-tidy-7.2.8-1.5.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.5.amzn1" version="7.2.8"><filename>Packages/php72-soap-7.2.8-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1068</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1068: medium priority package update for mysql55</title><issued date="2018-08-22 19:33" 
/><updated date="2018-08-23 17:51" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3081:
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1602424:
CVE-2018-3081 mysql: Client programs unspecified vulnerability (CPU Jul 2018)

CVE-2018-3070:
1602369:
CVE-2018-3070 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3066:
1602366:
CVE-2018-3066 mysql: Server: Options unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVE-2018-3063:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.60 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602363:
CVE-2018-3063 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2018)

CVE-2018-3058:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1602356:
CVE-2018-3058 mysql: MyISAM unspecified vulnerability (CPU Jul 2018)

CVE-2018-2767:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
1564965:
CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3081" id="CVE-2018-3081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767" id="CVE-2018-2767" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3070" id="CVE-2018-3070" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066" id="CVE-2018-3066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058" id="CVE-2018-3058" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3063" id="CVE-2018-3063" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-embedded-devel-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.22.amzn1" 
version="5.5.61"><filename>Packages/mysql55-server-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-embedded-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-bench-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql-config-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-debuginfo-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-libs-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-test-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-devel-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-server-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-test-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.22.amzn1" 
version="5.5.61"><filename>Packages/mysql55-embedded-devel-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql-config-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-debuginfo-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-bench-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-libs-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-embedded-5.5.61-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.22.amzn1" version="5.5.61"><filename>Packages/mysql55-devel-5.5.61-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1069</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1069: medium priority package update for mysql56</title><issued date="2018-08-22 19:34" /><updated date="2018-08-23 17:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3081:
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs).
Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1602424:
CVE-2018-3081 mysql: Client programs unspecified vulnerability (CPU Jul 2018)

CVE-2018-3070:
1602369:
CVE-2018-3070 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3066:
1602366:
CVE-2018-3066 mysql: Server: Options unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVE-2018-3064:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
1602364:
CVE-2018-3064 mysql: InnoDB unspecified vulnerability (CPU Jul 2018)

CVE-2018-3062:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602360:
CVE-2018-3062 mysql: Server: Memcached unspecified vulnerability (CPU Jul 2018)

CVE-2018-3058:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM).
Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1602356:
CVE-2018-3058 mysql: MyISAM unspecified vulnerability (CPU Jul 2018)

CVE-2018-2767:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
1564965:
CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)

CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767" id="CVE-2018-2767" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3070" id="CVE-2018-3070" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066" id="CVE-2018-3066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064" id="CVE-2018-3064" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3062" id="CVE-2018-3062" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" id="CVE-2018-0739" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3081" id="CVE-2018-3081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058" id="CVE-2018-3058" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-test-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-bench-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-debuginfo-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.30.amzn1"
version="5.6.41"><filename>Packages/mysql56-embedded-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-libs-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-errmsg-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-common-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-embedded-devel-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-devel-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-server-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-bench-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-embedded-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-common-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-server-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.30.amzn1" 
version="5.6.41"><filename>Packages/mysql56-test-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-devel-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-debuginfo-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-errmsg-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-embedded-devel-5.6.41-1.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.30.amzn1" version="5.6.41"><filename>Packages/mysql56-libs-5.6.41-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1070</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1070: medium priority package update for mysql57</title><issued date="2018-08-22 19:35" /><updated date="2018-08-23 18:26" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3081:
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1602424:
CVE-2018-3081 mysql: Client programs unspecified vulnerability (CPU Jul 2018)

CVE-2018-3077:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602375:
CVE-2018-3077 mysql: Server: DDL unspecified vulnerability (CPU Jul 2018)

CVE-2018-3071:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Audit Log). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602370:
CVE-2018-3071 mysql: Audit Log unspecified vulnerability (CPU Jul 2018)

CVE-2018-3070:
1602369:
CVE-2018-3070 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3066:
1602366:
CVE-2018-3066 mysql: Server: Options unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVE-2018-3065:
1602365:
CVE-2018-3065 mysql: Server: DML unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior.
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3064:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
1602364:
CVE-2018-3064 mysql: InnoDB unspecified vulnerability (CPU Jul 2018)

CVE-2018-3062:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602360:
CVE-2018-3062 mysql: Server: Memcached unspecified vulnerability (CPU Jul 2018)

CVE-2018-3061:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602359:
CVE-2018-3061 mysql: Server: DML unspecified vulnerability (CPU Jul 2018)

CVE-2018-3060:
1602357:
CVE-2018-3060 mysql: InnoDB unspecified vulnerability (CPU Jul 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).

CVE-2018-3058:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1602356:
CVE-2018-3058 mysql: MyISAM unspecified vulnerability (CPU Jul 2018)

CVE-2018-3056:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
1602355:
CVE-2018-3056 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2018)

CVE-2018-3054:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602354:
CVE-2018-3054 mysql: Server: DDL unspecified vulnerability (CPU Jul 2018)

CVE-2018-2767:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior.
Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
1564965:
CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)

CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767" id="CVE-2018-2767" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3070" id="CVE-2018-3070" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066" id="CVE-2018-3066" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3065" id="CVE-2018-3065" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064" id="CVE-2018-3064" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3062" id="CVE-2018-3062" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3061" id="CVE-2018-3061" title="" type="cve" /><reference
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3060" id="CVE-2018-3060" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" id="CVE-2018-0739" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3056" id="CVE-2018-3056" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3054" id="CVE-2018-3054" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3071" id="CVE-2018-3071" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3081" id="CVE-2018-3081" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058" id="CVE-2018-3058" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3077" id="CVE-2018-3077" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql57-server" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-server-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-devel" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-devel-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-embedded-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-debuginfo" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-debuginfo-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-errmsg" release="2.8.amzn1" 
version="5.7.23"><filename>Packages/mysql57-errmsg-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-test" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-test-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded-devel" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-embedded-devel-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-libs" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-libs-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-common" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-common-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql57" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded-devel" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-embedded-devel-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-debuginfo" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-debuginfo-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-server" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-server-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-common" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-common-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-test" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-test-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-errmsg" release="2.8.amzn1" 
version="5.7.23"><filename>Packages/mysql57-errmsg-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-libs" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-libs-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-embedded-5.7.23-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-devel" release="2.8.amzn1" version="5.7.23"><filename>Packages/mysql57-devel-5.7.23-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1071</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1071: medium priority package update for docker</title><issued date="2018-09-05 19:30" /><updated date="2018-09-06 22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 14516 CVE-2018-10892: 14517 1598581: 14518 CVE-2018-10892 docker: container breakout without selinux in enforcing mode 14519 The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby, from 1.11 to current, does not block /proc/acpi pathnames. The flaw allows an attacker to modify host&#039;s hardware like enabling/disabling Bluetooth or turning up/down keyboard brightness. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10892" id="CVE-2018-10892" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker" release="2.16.amzn1" version="18.06.1ce"><filename>Packages/docker-18.06.1ce-2.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-debuginfo" release="2.16.amzn1" version="18.06.1ce"><filename>Packages/docker-debuginfo-18.06.1ce-2.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1072</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1072: medium priority package update for libxml2</title><issued date="2018-09-05 19:31" /><updated date="2018-09-06 22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14404:
1595985:
CVE-2018-14404 libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service
A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404" id="CVE-2018-14404" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxml2-static" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python27" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-python27-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-debuginfo" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-devel" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxml2-python26" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-python26-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-devel" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-devel-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-static" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-static-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-debuginfo" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2" release="6.3.52.amzn1" 
version="2.9.1"><filename>Packages/libxml2-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python26" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-python26-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxml2-python27" release="6.3.52.amzn1" version="2.9.1"><filename>Packages/libxml2-python27-2.9.1-6.3.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1073</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1073: important priority package update for qemu-kvm</title><issued date="2018-09-05 19:33" /><updated date="2018-09-06 22:01" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7550:
1549798:
CVE-2018-7550 QEMU: i386: multiboot OOB access while loading kernel image
Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur while loading a kernel image during the guest boot, if mh_load_end_addr address is greater than the mh_bss_end_addr address. A user or process could use this flaw to potentially achieve arbitrary code execution on a host.

CVE-2018-11806:
A heap buffer overflow issue was found in the way SLiRP networking back-end in QEMU processes fragmented packets. It could occur while reassembling the fragmented datagrams of an incoming packet. A privileged user/process inside guest could use this flaw to crash the QEMU process resulting in DoS or potentially leverage it to execute arbitrary code on the host with privileges of the QEMU process.
1586245:
CVE-2018-11806 QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806" id="CVE-2018-11806" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7550" id="CVE-2018-7550" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="10" name="qemu-kvm-common" release="156.15.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-common-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-img" release="156.15.amzn1" version="1.5.3"><filename>Packages/qemu-img-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm" release="156.15.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="156.15.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-tools" release="156.15.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-tools-1.5.3-156.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1074</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1074: important priority package update for postgresql96</title><issued date="2018-09-05 20:39" /><updated date="2018-09-06 22:02" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10925:
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... 
ON CONFLICT DO UPDATE statements
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.

CVE-2018-10915:
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" id="CVE-2018-10925" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" id="CVE-2018-10915" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql96-plpython26" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-plpython26-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-docs" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-docs-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plperl" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-plperl-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-debuginfo" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-debuginfo-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-test" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-test-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-devel" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-devel-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython27" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-plpython27-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-libs" release="1.81.amzn1" 
version="9.6.10"><filename>Packages/postgresql96-libs-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-contrib" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-contrib-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-static" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-static-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-server" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-server-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plperl" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-plperl-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-devel" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-devel-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-server" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-server-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython26" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-plpython26-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-debuginfo" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-debuginfo-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-test" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-test-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython27" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-plpython27-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql96-contrib" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-contrib-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-static" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-static-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-docs" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-docs-9.6.10-1.81.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-libs" release="1.81.amzn1" version="9.6.10"><filename>Packages/postgresql96-libs-9.6.10-1.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1075</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1075: low priority package update for openssh</title><issued date="2018-09-05 20:41" /><updated date="2018-09-06 22:02" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-15473:
1619063:
CVE-2018-15473 openssh: User enumeration via malformed packets in authentication requests
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473" id="CVE-2018-15473" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="openssh-keycat" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-keycat-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-debuginfo" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-debuginfo-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-server" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-server-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-cavs" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-cavs-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-clients" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-clients-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh-ldap" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-ldap-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="openssh" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pam_ssh_agent_auth" release="2.16.71.amzn1" version="0.10.3"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="openssh-server" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-server-7.4p1-16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-clients" release="16.71.amzn1" 
version="7.4p1"><filename>Packages/openssh-clients-7.4p1-16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-keycat" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-keycat-7.4p1-16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-cavs" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-cavs-7.4p1-16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-7.4p1-16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pam_ssh_agent_auth" release="2.16.71.amzn1" version="0.10.3"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-ldap" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-ldap-7.4p1-16.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="openssh-debuginfo" release="16.71.amzn1" version="7.4p1"><filename>Packages/openssh-debuginfo-7.4p1-16.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1076</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1076: important priority package update for pcre</title><issued date="2018-09-05 20:42" /><updated date="2018-09-06 22:03" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3191:
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as 
demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
1311503:
CVE-2016-3191 pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191" id="CVE-2016-3191" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="pcre" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-8.21-7.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-tools" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-tools-8.21-7.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-debuginfo" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-debuginfo-8.21-7.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-devel" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-devel-8.21-7.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="pcre-static" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-static-8.21-7.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="pcre-static" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-static-8.21-7.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre-debuginfo" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-debuginfo-8.21-7.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre-tools" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-tools-8.21-7.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre-devel" release="7.8.amzn1" version="8.21"><filename>Packages/pcre-devel-8.21-7.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="pcre" release="7.8.amzn1" 
version="8.21"><filename>Packages/pcre-8.21-7.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1079</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1079: important priority package update for postgresql93 postgresql94 postgresql95</title><issued date="2018-09-19 17:04" /><updated date="2018-09-19 23:31" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10925:
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.

CVE-2018-10915:
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" id="CVE-2018-10925" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" id="CVE-2018-10915" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-plpython26-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-contrib-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-plpython27-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-libs-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-docs-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-devel-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-test-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-debuginfo-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-server" release="1.75.amzn1" 
version="9.4.19"><filename>Packages/postgresql94-server-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-plperl-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-libs-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-plpython27-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-debuginfo-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-plpython26-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-contrib-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-devel-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-test-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.75.amzn1" 
version="9.4.19"><filename>Packages/postgresql94-plperl-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-docs-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.75.amzn1" version="9.4.19"><filename>Packages/postgresql94-server-9.4.19-1.75.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-plpython27-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-libs-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-pltcl-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-test-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-server-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-debuginfo-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-devel-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" 
release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-contrib-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-plperl-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-plpython26-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-docs-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-plpython26-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-contrib-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-plperl-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-docs-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-pltcl" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-pltcl-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-test-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql93-libs" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-libs-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-debuginfo-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-plpython27-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-server-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.71.amzn1" version="9.3.24"><filename>Packages/postgresql93-devel-9.3.24-1.71.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython27" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-plpython27-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-debuginfo" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-debuginfo-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plperl" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-plperl-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-static" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-static-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-docs" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-docs-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython26" release="1.79.amzn1" 
version="9.5.14"><filename>Packages/postgresql95-plpython26-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-devel" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-devel-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-libs" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-libs-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-test" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-test-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-server" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-server-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-contrib" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-contrib-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-test" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-test-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-static" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-static-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-server" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-server-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-devel" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-devel-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython27" 
release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-plpython27-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-libs" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-libs-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plperl" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-plperl-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-docs" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-docs-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-contrib" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-contrib-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-debuginfo" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-debuginfo-9.5.14-1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython26" release="1.79.amzn1" version="9.5.14"><filename>Packages/postgresql95-plpython26-9.5.14-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1080</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1080: important priority package update for postgresql92</title><issued date="2018-09-19 17:08" /><updated date="2018-09-19 23:32" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10915:
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" id="CVE-2018-10915" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql92-contrib" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-contrib-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-server-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-test" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-test-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-libs" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-libs-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython27" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython27-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-debuginfo" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-debuginfo-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-server-compat" release="2.66.amzn1" 
version="9.2.24"><filename>Packages/postgresql92-server-compat-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-pltcl" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-pltcl-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-docs" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-docs-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plpython26" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython26-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-plperl" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-plperl-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql92-devel" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-devel-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-server-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-libs" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-libs-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-server-compat" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-server-compat-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-contrib" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-contrib-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql92-plpython27" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython27-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-docs" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-docs-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-devel" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-devel-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-debuginfo" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-debuginfo-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-pltcl" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-pltcl-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plperl" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-plperl-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-plpython26" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-plpython26-9.2.24-2.66.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql92-test" release="2.66.amzn1" version="9.2.24"><filename>Packages/postgresql92-test-9.2.24-2.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1081</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1081: medium priority package update for squid</title><issued date="2018-09-19 17:10" /><updated date="2018-09-19 23:33" /><severity>medium</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000027:
1536942:
CVE-2018-1000027 squid: Incorrect pointer handling in HTTP processing and certificate download can lead to denial of service
The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.

CVE-2018-1000024:
The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later.
1536939:
CVE-2018-1000024 squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000024" id="CVE-2018-1000024" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000027" id="CVE-2018-1000027" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid-debuginfo" release="11.35.amzn1" version="3.5.20"><filename>Packages/squid-debuginfo-3.5.20-11.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid" release="11.35.amzn1" version="3.5.20"><filename>Packages/squid-3.5.20-11.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid-migration-script" release="11.35.amzn1" version="3.5.20"><filename>Packages/squid-migration-script-3.5.20-11.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="11.35.amzn1" version="3.5.20"><filename>Packages/squid-3.5.20-11.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid-migration-script" release="11.35.amzn1" version="3.5.20"><filename>Packages/squid-migration-script-3.5.20-11.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="11.35.amzn1" version="3.5.20"><filename>Packages/squid-debuginfo-3.5.20-11.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1082</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1082: important priority package update for bind</title><issued date="2018-09-19 17:17" /><updated date="2018-09-19 23:34" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2018-5740:
1613595:
CVE-2018-5740 bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service
A denial of service flaw was discovered in bind versions that include the &quot;deny-answer-aliases&quot; feature. This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5740" id="CVE-2018-5740" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-libs" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package 
arch="i686" epoch="32" name="bind-chroot" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.68.rc1.58.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1083</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1083: low priority package update for ntp</title><issued date="2018-09-19 17:19" /><updated date="2018-09-19 23:35" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7170:
1550214:
CVE-2018-7170 ntp: Ephemeral association time spoofing additional protection
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim&#039;s clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

CVE-2018-12327:
The ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code execution under privileges of that application.
1593580:
CVE-2018-12327 ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327" id="CVE-2018-12327" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170" id="CVE-2018-7170" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ntp-perl" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntp-perl-4.2.8p12-1.39.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntp-debuginfo-4.2.8p12-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntp-4.2.8p12-1.39.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-doc" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntp-doc-4.2.8p12-1.39.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntpdate-4.2.8p12-1.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="1.39.amzn1" 
version="4.2.8p12"><filename>Packages/ntpdate-4.2.8p12-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntp-4.2.8p12-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="1.39.amzn1" version="4.2.8p12"><filename>Packages/ntp-debuginfo-4.2.8p12-1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1084</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1084: important priority package update for procmail</title><issued date="2018-09-19 19:22" /><updated date="2018-09-19 23:36" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16844:
1500070:
CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf function in formisc.c
A heap-based buffer overflow flaw was found in procmail&#039;s formail utility. A remote attacker could send a specially crafted email that, when processed by formail, could cause formail to crash or, possibly, execute arbitrary code as the user running formail.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844" id="CVE-2017-16844" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="procmail-debuginfo" release="25.1.7.amzn1" version="3.22"><filename>Packages/procmail-debuginfo-3.22-25.1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="procmail" release="25.1.7.amzn1" version="3.22"><filename>Packages/procmail-3.22-25.1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="procmail" release="25.1.7.amzn1" version="3.22"><filename>Packages/procmail-3.22-25.1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="procmail-debuginfo" release="25.1.7.amzn1" version="3.22"><filename>Packages/procmail-debuginfo-3.22-25.1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1085</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1085: important priority package update for mod_perl mod24_perl</title><issued date="2018-10-03 02:54" /><updated date="2018-10-04 22:01" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-2767:
1623265:
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator&#039;s control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2767" id="CVE-2011-2767" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_perl-devel" release="7.20.amzn1" version="2.0.7"><filename>Packages/mod24_perl-devel-2.0.7-7.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_perl" release="7.20.amzn1" version="2.0.7"><filename>Packages/mod24_perl-2.0.7-7.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_perl-debuginfo" release="7.20.amzn1" version="2.0.7"><filename>Packages/mod24_perl-debuginfo-2.0.7-7.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_perl" release="7.20.amzn1" version="2.0.7"><filename>Packages/mod24_perl-2.0.7-7.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_perl-devel" release="7.20.amzn1" version="2.0.7"><filename>Packages/mod24_perl-devel-2.0.7-7.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_perl-debuginfo" release="7.20.amzn1" version="2.0.7"><filename>Packages/mod24_perl-debuginfo-2.0.7-7.20.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_perl" release="7.28.amzn1" version="2.0.7"><filename>Packages/mod_perl-2.0.7-7.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_perl-debuginfo" release="7.28.amzn1" version="2.0.7"><filename>Packages/mod_perl-debuginfo-2.0.7-7.28.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod_perl-devel" release="7.28.amzn1" version="2.0.7"><filename>Packages/mod_perl-devel-2.0.7-7.28.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod_perl-debuginfo" release="7.28.amzn1" 
version="2.0.7"><filename>Packages/mod_perl-debuginfo-2.0.7-7.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_perl-devel" release="7.28.amzn1" version="2.0.7"><filename>Packages/mod_perl-devel-2.0.7-7.28.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod_perl" release="7.28.amzn1" version="2.0.7"><filename>Packages/mod_perl-2.0.7-7.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1086</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1086: important priority package update for kernel</title><issued date="2018-10-03 02:57" /><updated date="2018-10-04 22:02" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-17182:
1631205:
CVE-2018-17182 kernel: Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation
A security flaw was discovered in the Linux kernel. The vmacache_flush_all() function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.

CVE-2018-16658:
An information leak was discovered in the Linux kernel in cdrom_ioctl_drive_status() function in drivers/cdrom/cdrom.c that could be used by local attackers to read kernel memory at certain location.
1627731:
CVE-2018-16658 kernel: Information leak in cdrom_ioctl_drive_status

CVE-2018-14633:
1626035:
CVE-2018-14633 kernel: stack-based buffer overflow in chap_server_compute_md5() in iscsi target
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target&#039;s code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16658" id="CVE-2018-16658" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14633" id="CVE-2018-14633" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17182" id="CVE-2018-17182" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-debuginfo-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="68.55.amzn1" version="4.14.72"><filename>Packages/perf-debuginfo-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="68.55.amzn1" 
version="4.14.72"><filename>Packages/perf-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-devel-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-tools-debuginfo-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-tools-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-headers-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-tools-devel-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-debuginfo-common-i686-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-headers-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-tools-devel-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" 
release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-tools-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="68.55.amzn1" version="4.14.72"><filename>Packages/perf-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-debuginfo-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-tools-debuginfo-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="68.55.amzn1" version="4.14.72"><filename>Packages/kernel-devel-4.14.72-68.55.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="68.55.amzn1" version="4.14.72"><filename>Packages/perf-debuginfo-4.14.72-68.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1087</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1087: important priority package update for kernel</title><issued date="2018-10-03 19:23" /><updated date="2018-10-04 22:14" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14634:
An integer overflow flaw was found in the Linux kernel&#039;s create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.
1624498:
CVE-2018-14634 kernel: Integer overflow in Linux's create_elf_tables function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14634" id="CVE-2018-14634" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="46.32.amzn1" version="4.14.26"><filename>Packages/perf-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-tools-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-headers-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-tools-devel-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-tools-debuginfo-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="46.32.amzn1" version="4.14.26"><filename>Packages/perf-debuginfo-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-devel-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="kernel-debuginfo" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-debuginfo-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-devel-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-debuginfo-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="46.32.amzn1" version="4.14.26"><filename>Packages/perf-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-tools-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-tools-devel-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-headers-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-tools-debuginfo-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="46.32.amzn1" version="4.14.26"><filename>Packages/perf-debuginfo-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-4.14.26-46.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="46.32.amzn1" version="4.14.26"><filename>Packages/kernel-debuginfo-common-i686-4.14.26-46.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1090</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1090: medium priority package update for php56 php70 php71 php72</title><issued date="2018-10-17 21:56" /><updated date="2018-10-18 22:18" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-17082:
1629552:
CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a &quot;Transfer-Encoding: chunked&quot; request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17082" id="CVE-2018-17082" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php56-recode" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-recode-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-process-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-dba-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-opcache-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.140.amzn1" 
version="5.6.38"><filename>Packages/php56-odbc-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-debuginfo-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mbstring-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-common-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-devel-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-xml-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-dbg-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-bcmath-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mysqlnd-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-imap-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-pgsql-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.140.amzn1" 
version="5.6.38"><filename>Packages/php56-pspell-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-gmp-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-embedded-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-intl-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-tidy-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-snmp-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-ldap-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-gd-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mcrypt-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mssql-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-fpm" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-fpm-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php56-cli" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-cli-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-enchant-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-xmlrpc-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-soap-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-pdo-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-soap-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-debuginfo-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-ldap" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-ldap-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-intl-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-opcache-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-enchant-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.140.amzn1" 
version="5.6.38"><filename>Packages/php56-recode-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-xmlrpc-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mssql-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-fpm-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-pgsql-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-odbc-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-pspell-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-cli-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-common-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-dba-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-tidy-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.140.amzn1" 
version="5.6.38"><filename>Packages/php56-mbstring-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-pdo-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mysqlnd-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-mcrypt-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-process-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-embedded-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-devel-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-dbg-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-gd-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-imap-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-xml-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-snmp-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" 
release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-bcmath-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.140.amzn1" version="5.6.38"><filename>Packages/php56-gmp-5.6.38-1.140.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-mcrypt-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-devel-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-embedded-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pdo-dblib-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-odbc-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-process-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-dbg-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-cli-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pgsql-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-dba-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php71-pspell" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pspell-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-recode-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-imap-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-bcmath-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-common-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-xmlrpc-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-fpm-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-debuginfo-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-json-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-mbstring-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.34.amzn1" 
version="7.1.23"><filename>Packages/php71-pdo-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-mysqlnd-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-ldap-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-tidy-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-soap-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-gmp-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-enchant-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-xml-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-opcache-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-gd-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-intl-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-snmp-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="php71-debuginfo" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-debuginfo-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pspell-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pgsql-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-dba-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-snmp-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-recode-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-mbstring-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-dbg-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-opcache-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-xmlrpc-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-intl-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-devel-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php71-imap" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-imap-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-common-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-soap-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-process-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pdo-dblib-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-bcmath-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-xml-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-enchant-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-odbc-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-gd-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-gmp-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-fpm-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php71-pdo" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-pdo-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-ldap-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-mysqlnd-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-json-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-embedded-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-mcrypt-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-tidy-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-cli-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.34.amzn1" version="7.1.23"><filename>Packages/php71-7.1.23-1.34.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-dba-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-common-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-odbc-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php70-enchant" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-enchant-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-xmlrpc-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-opcache-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-mysqlnd-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-gmp-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-soap-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-bcmath-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-intl-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-debuginfo-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-zip-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.31.amzn1" 
version="7.0.32"><filename>Packages/php70-recode-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-embedded-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-mbstring-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-snmp-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-dbg-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gd" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-gd-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-tidy-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pdo-dblib-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-process-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-json-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-imap-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-ldap-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php70-pdo" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pdo-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pspell" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pspell-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pgsql-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-devel-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-fpm-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-xml-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-mcrypt-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-cli-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-dbg-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-gmp-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-common-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-snmp-7.0.32-1.31.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php70-mbstring" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-mbstring-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pdo-dblib-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-fpm-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-gd-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-ldap-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-xml-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-odbc-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-intl-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-process-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-enchant-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pgsql-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-dba-7.0.32-1.31.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php70-bcmath" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-bcmath-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-tidy-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-cli-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pdo-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-json-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-mcrypt-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-mysqlnd-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-xmlrpc-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-zip-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-embedded-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-recode-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php70-opcache" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-opcache-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-soap-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-imap-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-debuginfo-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-devel-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.31.amzn1" version="7.0.32"><filename>Packages/php70-pspell-7.0.32-1.31.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-recode" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-recode-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-tidy" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-tidy-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-dba-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-json-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-gd-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-devel-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php72-gmp" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-gmp-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-ldap-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-dbg-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-debuginfo-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pgsql" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pgsql-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-odbc-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-xml-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-xmlrpc-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pdo-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-snmp-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-bcmath" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-bcmath-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php72-enchant" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-enchant-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pdo-dblib-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-common-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-embedded" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-embedded-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-imap" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-imap-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-mysqlnd-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-opcache-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-process-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-intl-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pspell" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pspell-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mbstring" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-mbstring-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-fpm" release="1.6.amzn1" 
version="7.2.11"><filename>Packages/php72-fpm-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-soap" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-soap-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-cli-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo-dblib" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pdo-dblib-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-imap-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-opcache-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-devel-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dbg" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-dbg-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-mbstring-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-bcmath-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-recode-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dba" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-dba-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.6.amzn1" 
version="7.2.11"><filename>Packages/php72-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-soap-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-enchant-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-snmp-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-debuginfo-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gmp" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-gmp-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-mysqlnd-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-fpm-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-embedded" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-embedded-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-common-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-process-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-json" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-json-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.6.amzn1" 
version="7.2.11"><filename>Packages/php72-pgsql-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pdo-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-xml-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-intl-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-cli-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-gd-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-ldap-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-odbc-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-pspell-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-xmlrpc-7.2.11-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.6.amzn1" version="7.2.11"><filename>Packages/php72-tidy-7.2.11-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1091</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1091: important priority package update for 
spamassassin</title><issued date="2018-10-17 21:58" /><updated date="2018-10-18 22:19" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11781:
A flaw was found in the way a local user on the SpamAssassin server could inject code in the meta rule syntax. This could cause the arbitrary code execution on the server when these rules are being processed.
1629536:
CVE-2018-11781 spamassassin: Local user code injection in the meta rule syntax

CVE-2018-11780:
1629532:
CVE-2018-11780 spamassassin: Potential remote code execution vulnerability in PDFInfo plugin
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.

CVE-2017-15705:
1629521:
CVE-2017-15705 spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service
A flaw was found in the way SpamAssassin processes HTML email containing unclosed HTML tags. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a large number of these messages are sent, a denial of service could occur potentially delaying or preventing the delivery of email.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705" id="CVE-2017-15705" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780" id="CVE-2018-11780" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781" id="CVE-2018-11781" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="spamassassin-debuginfo" release="2.14.amzn1" version="3.4.2"><filename>Packages/spamassassin-debuginfo-3.4.2-2.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="spamassassin" release="2.14.amzn1" version="3.4.2"><filename>Packages/spamassassin-3.4.2-2.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="spamassassin-debuginfo" release="2.14.amzn1" version="3.4.2"><filename>Packages/spamassassin-debuginfo-3.4.2-2.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="spamassassin" release="2.14.amzn1" version="3.4.2"><filename>Packages/spamassassin-3.4.2-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1092</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1092: important priority package update for gitolite3</title><issued date="2018-10-17 22:01" /><updated date="2018-10-18 22:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16976:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16976" id="CVE-2018-16976" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="1" name="gitolite3"
release="1.1.amzn1" version="3.6.9"><filename>Packages/gitolite3-3.6.9-1.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1093</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1093: important priority package update for git</title><issued date="2018-10-17 22:02" /><updated date="2018-10-18 22:23" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-17456:
1636619:
CVE-2018-17456 git: arbitrary code execution via .gitmodules
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive &quot;git clone&quot; of a superproject if a .gitmodules file has a URL field beginning with a &#039;-&#039; character.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17456" id="CVE-2018-17456" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="git-p4" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-p4-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-email-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="1.59.amzn1" version="2.14.5"><filename>Packages/perl-Git-SVN-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-hg-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="1.59.amzn1" version="2.14.5"><filename>Packages/emacs-git-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="1.59.amzn1" version="2.14.5"><filename>Packages/emacs-git-el-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-all" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-all-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-daemon-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="1.59.amzn1" version="2.14.5"><filename>Packages/perl-Git-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-bzr-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="1.59.amzn1"
version="2.14.5"><filename>Packages/git-cvs-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-svn-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="1.59.amzn1" version="2.14.5"><filename>Packages/gitweb-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-debuginfo-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-debuginfo-2.14.5-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-svn-2.14.5-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-daemon-2.14.5-1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="1.59.amzn1" version="2.14.5"><filename>Packages/git-2.14.5-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1094</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1094: medium priority package update for 389-ds-base</title><issued date="2018-10-23 18:40" /><updated date="2018-10-23 23:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14638:
1626079:
CVE-2018-14638 389-ds-base: Crash in delete_passwdPolicy when persistent search connections
are terminated unexpectedly
A double-free of a password policy structure was found in the way slapd was handling certain errors during persistent search. A unauthenticated attacker could use this flaw to crash Directory Server.

CVE-2018-14624:
1619450:
CVE-2018-14624 389-ds-base: Server crash through modify command with large DN
A vulnerability was discovered in 389-ds-base. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.

CVE-2018-10935:
1613606:
CVE-2018-10935 389-ds-base: ldapsearch with server side sort allows users to cause a crash
A flaw was found in the 389 Directory Server that allows users to cause a crash in the LDAP server using ldapsearch with server side sort.

CVE-2018-10850:
1588056:
CVE-2018-10850 389-ds-base: race condition on reference counter leads to DoS using persistent search
A race condition was found in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10850" id="CVE-2018-10850" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14624" id="CVE-2018-14624" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10935" id="CVE-2018-10935" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14638" id="CVE-2018-14638" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-devel-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-snmp-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-libs-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="28.58.amzn1"
version="1.3.7.5"><filename>Packages/389-ds-base-devel-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-libs-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="28.58.amzn1" version="1.3.7.5"><filename>Packages/389-ds-base-snmp-1.3.7.5-28.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1095</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1095: medium priority package update for nss</title><issued date="2018-10-23 18:41" /><updated date="2018-10-23 23:53" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12384:
A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack.
1622089:
CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384" id="CVE-2018-12384" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="nss-debuginfo" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-debuginfo-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-sysinit" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-sysinit-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-tools" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-tools-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-devel" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-devel-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nss-pkcs11-devel" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-pkcs11-devel-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="nss-devel" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-devel-3.36.0-5.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-sysinit" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-sysinit-3.36.0-5.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-debuginfo" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-debuginfo-3.36.0-5.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss" release="5.82.amzn1"
version="3.36.0"><filename>Packages/nss-3.36.0-5.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-tools" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-tools-3.36.0-5.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nss-pkcs11-devel" release="5.82.amzn1" version="3.36.0"><filename>Packages/nss-pkcs11-devel-3.36.0-5.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1096</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1096: critical priority package update for python-paramiko</title><issued date="2018-10-23 18:43" /><updated date="2018-10-23 23:57" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000805:
Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.
1637263:
CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000805" id="CVE-2018-1000805" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python27-paramiko" release="2.7.amzn1" version="1.15.1"><filename>Packages/python27-paramiko-1.15.1-2.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python26-paramiko" release="2.7.amzn1" version="1.15.1"><filename>Packages/python26-paramiko-1.15.1-2.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1097</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1097: critical priority package update for java-1.8.0-openjdk</title><issued date="2018-11-05 19:33" /><updated date="2018-11-08 00:57" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3214:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1639301:
CVE-2018-3214 OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)

CVE-2018-3183:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
1639268:
CVE-2018-3183 OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936)

CVE-2018-3180:
1639484:
CVE-2018-3180 OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVE-2018-3169:
1639293:
CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). 14703 14704 CVE-2018-3149: 14705 Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. 
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). 14706 1639834: 14707 CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) 14708 14709 CVE-2018-3139: 14710 1639442: 14711 CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) 14712 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). 
14713 14714 CVE-2018-3136: 14715 1639755: 14716 CVE-2018-3136 OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) 14717 Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N). 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149" id="CVE-2018-3149" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136" id="CVE-2018-3136" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139" id="CVE-2018-3139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180" id="CVE-2018-3180" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169" id="CVE-2018-3169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214" id="CVE-2018-3214" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3183" id="CVE-2018-3183" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.42.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="0.42.amzn1"
version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.191.b12-0.42.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.42.amzn1" version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.42.amzn1" 
version="1.8.0.191.b12"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1098</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1098: medium priority package update for openssl</title><issued date="2018-10-30 20:50" /><updated date="2018-11-01 23:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0732:
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
1591100:
CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732" id="CVE-2018-0732" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-perl" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="openssl-static" release="13.111.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-13.111.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1099</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1099: medium priority package update for tomcat7</title><issued date="2018-11-05 19:35" /><updated date="2018-11-08 00:58" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11784:
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to &#039;/foo/&#039; when the user requested &#039;/foo&#039;) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
1636512:
CVE-2018-11784 tomcat: Open redirect in default servlet
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784" id="CVE-2018-11784" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-docs-webapp-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-log4j-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.34.amzn1"
version="7.0.91"><filename>Packages/tomcat7-admin-webapps-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-jsp-2.2-api-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-webapps-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-lib-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-el-2.2-api-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-javadoc-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.34.amzn1" version="7.0.91"><filename>Packages/tomcat7-servlet-3.0-api-7.0.91-1.34.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1100</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1100: important priority package update for kernel</title><issued date="2018-11-05 19:47" /><updated date="2018-11-08 00:59" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-18021:
1635475:
CVE-2018-18021 kernel: Privilege escalation on arm64 via KVM hypervisor
A vulnerability was discovered in the Linux kernel that allows an attacker to escalate privileges with using a 64-bit ARM architecture. A local attacker with permission to create KVM-based virtual machines can both panic the hypervisor by triggering an illegal exception return (resulting in a DoS) and to redirect execution elsewhere within the hypervisor with full register control, instead of causing a return to the guest.

CVE-2018-17972:
1636349:
CVE-2018-17972 kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks
An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18021" id="CVE-2018-18021" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17972" id="CVE-2018-17972" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="69.57.amzn1"
version="4.14.77"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-common-i686-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="69.57.amzn1" 
version="4.14.77"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1101</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1101: medium priority package update for python35</title><issued date="2018-11-05 21:47" /><updated date="2018-11-08 01:01" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14647:
1631822:
CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Python&#039;s elementtree C accelerator failed to initialise Expat&#039;s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat&#039;s internal data structures, consuming large amounts CPU and RAM.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647" id="CVE-2018-14647" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python35-debuginfo" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-debuginfo-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-tools" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-tools-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-devel" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-devel-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-test" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-test-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-libs" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-libs-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python35-libs" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-libs-3.5.6-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-test" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-test-3.5.6-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-debuginfo" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-debuginfo-3.5.6-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-3.5.6-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0"
name="python35-devel" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-devel-3.5.6-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-tools" release="1.13.amzn1" version="3.5.6"><filename>Packages/python35-tools-3.5.6-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1102</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1102: medium priority package update for openssl</title><issued date="2018-12-05 23:20" /><updated date="2018-12-07 00:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service

CVE-2018-0495:
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
1591163:
CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries

CVE-2017-3735:
1486144:
CVE-2017-3735 openssl: Malformed X.509 IPAdressFamily could cause OOB read
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495" id="CVE-2018-0495" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735" id="CVE-2017-3735" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" id="CVE-2018-0739" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl-perl" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="16.146.amzn1"
version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="16.146.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-16.146.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1104</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1104: medium priority package update for httpd24</title><issued date="2018-12-13 17:29" /><updated date="2018-12-14 01:02" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11763:
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
1633399:
CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS
1633399:
CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS frames
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763" id="CVE-2018-11763" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-tools-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-debuginfo-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_session-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_md" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_md-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="httpd24-manual" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-manual-2.4.37-1.83.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_ssl-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-devel-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_ldap-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="1" name="mod24_proxy_html" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_proxy_html-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-tools-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_proxy_html-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-debuginfo-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_md" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_md-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_session-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_ldap-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.83.amzn1" version="2.4.37"><filename>Packages/httpd24-devel-2.4.37-1.83.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.83.amzn1" version="2.4.37"><filename>Packages/mod24_ssl-2.4.37-1.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1106</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1106: medium priority package update for 389-ds-base</title><issued date="2018-12-06 00:18" /><updated 
date="2018-12-07 00:32" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14648:
1630668:
CVE-2018-14648 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service
It was found that a specially crafted search query could lead to excessive CPU consumption in the do_search() function. An unauthenticated attacker could use this flaw to provoke a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14648" id="CVE-2018-14648" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-devel-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-libs-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-snmp-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-snmp-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-libs" release="18.60.amzn1" 
version="1.3.8.4"><filename>Packages/389-ds-base-libs-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="18.60.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-devel-1.3.8.4-18.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1107</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1107: medium priority package update for zsh</title><issued date="2018-12-06 00:20" /><updated date="2018-12-07 00:44" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7549:
1549858:
CVE-2018-7549 zsh: crash on copying empty hash table
A NULL pointer dereference flaw was found in the code responsible for saving hashtables of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.
In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p.

CVE-2018-1100:
1563395:
CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution
A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom &quot;you have new mail&quot; message, leads to code execution in the context of the user who receives the message. 
If the user affected is privileged, this leads to privilege escalation.

CVE-2018-1083:
1557382:
CVE-2018-1083 zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c
A buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the before mentioned path. If the user affected is privileged, this leads to privilege escalation.

CVE-2018-1071:
1553531:
CVE-2018-1071 zsh: Stack-based buffer overflow in exec.c:hashcmd()
zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.

CVE-2017-18206:
In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.
1549861:
CVE-2017-18206 zsh: buffer overrun in xsymlinks
1549861:
CVE-2017-18206 zsh: buffer overrun in symlinks
A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is privileged, this leads to privilege escalation.

CVE-2017-18205:
1549862:
CVE-2017-18205 zsh: NULL dereference in cd in sh compatibility mode under given circumstances
A NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.
In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set.

CVE-2014-10072:
1549836:
CVE-2014-10072 zsh: buffer overflow when scanning very long directory paths for symbolic links
A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do symbolic link resolution in the aforementioned path. An attacker could exploit this vulnerability to cause a denial of service condition on the target.

CVE-2014-10071:
A buffer overflow flaw was found in the zsh shell file descriptor redirection functionality. An attacker could use this flaw to cause a denial of service by crashing the user shell.
1549855:
CVE-2014-10071 zsh: buffer overflow for very long fds in >& fd syntax
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1100" id="CVE-2018-1100" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1071" id="CVE-2018-1071" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18205" id="CVE-2017-18205" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18206" id="CVE-2017-18206" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10071" id="CVE-2014-10071" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549" id="CVE-2018-7549" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10072" id="CVE-2014-10072" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083" id="CVE-2018-1083" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="zsh" release="31.17.amzn1" 
version="5.0.2"><filename>Packages/zsh-5.0.2-31.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="zsh-debuginfo" release="31.17.amzn1" version="5.0.2"><filename>Packages/zsh-debuginfo-5.0.2-31.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="zsh-html" release="31.17.amzn1" version="5.0.2"><filename>Packages/zsh-html-5.0.2-31.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="zsh" release="31.17.amzn1" version="5.0.2"><filename>Packages/zsh-5.0.2-31.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="zsh-html" release="31.17.amzn1" version="5.0.2"><filename>Packages/zsh-html-5.0.2-31.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="zsh-debuginfo" release="31.17.amzn1" version="5.0.2"><filename>Packages/zsh-debuginfo-5.0.2-31.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1108</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1108: medium priority package update for python27</title><issued date="2018-12-06 00:22" /><updated date="2018-12-07 00:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1061:
1549192:
CVE-2018-1061 python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

CVE-2018-1060:
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s pop3lib&#039;s apop() method. An attacker could use this flaw to cause denial of service.
1549191:
CVE-2018-1060 python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061" id="CVE-2018-1061" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060" id="CVE-2018-1060" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-debuginfo" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-debuginfo-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-libs-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-devel-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-tools-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-test-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-libs-2.7.15-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-debuginfo-2.7.15-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="1.124.amzn1" 
version="2.7.15"><filename>Packages/python27-test-2.7.15-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-2.7.15-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-devel-2.7.15-1.124.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="1.124.amzn1" version="2.7.15"><filename>Packages/python27-tools-2.7.15-1.124.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1109</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1109: medium priority package update for glibc</title><issued date="2018-12-06 00:24" /><updated date="2018-12-07 00:49" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6485:
1542102:
CVE-2018-6485 glibc: Integer overflow in posix_memalign in memalign functions
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.

CVE-2018-11237:
A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code.
1581274:
CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper

CVE-2018-11236:
stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
1581269:
CVE-2018-11236 glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow

CVE-2017-16997:
1526865:
CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the &quot;./&quot; directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11236" id="CVE-2018-11236" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485" id="CVE-2018-6485" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997" id="CVE-2017-16997" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237" id="CVE-2018-11237" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glibc-common" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo-common" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-utils" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-devel" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="nscd" release="260.175.amzn1" version="2.17"><filename>Packages/nscd-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-static" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glibc-debuginfo" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-260.175.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="glibc-headers" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-260.175.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glibc" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-common" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-common-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-headers" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-headers-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-debuginfo-common" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-debuginfo-common-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-utils" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-utils-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-static" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-static-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="nscd" release="260.175.amzn1" version="2.17"><filename>Packages/nscd-2.17-260.175.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glibc-devel" release="260.175.amzn1" version="2.17"><filename>Packages/glibc-devel-2.17-260.175.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1110</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1110: low priority package update for poppler</title><issued date="2018-12-06 00:26" 
/><updated date="2018-12-07 00:51" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-13988:
Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
1602838:
CVE-2018-13988 poppler: out of bounds read in pdfunite

CVE-2018-10768:
There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected.
1576169:
CVE-2018-10768 poppler: NULL pointer dereference in Annot.h:AnnotPath::getCoordsLength() allows for denial of service via crafted PDF

CVE-2017-18267:
The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.
1578777:
CVE-2017-18267 poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph() function allows denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18267" id="CVE-2017-18267" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13988" id="CVE-2018-13988" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10768" id="CVE-2018-10768" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="poppler-debuginfo" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-debuginfo-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib-devel" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-glib-devel-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-cpp-devel" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-devel-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-glib-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-devel" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-devel-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-utils" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-utils-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-cpp" release="20.18.amzn1" 
version="0.26.5"><filename>Packages/poppler-cpp-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="poppler-devel" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-devel-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-glib-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp-devel" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-devel-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-utils" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-utils-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib-devel" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-glib-devel-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-debuginfo" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-debuginfo-0.26.5-20.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler" release="20.18.amzn1" version="0.26.5"><filename>Packages/poppler-0.26.5-20.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1111</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1111: critical priority package update for java-1.7.0-openjdk</title><issued date="2018-12-06 00:28" /><updated date="2018-12-07 00:54" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3214:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1639301:
CVE-2018-3214 OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)

CVE-2018-3180:
1639484:
CVE-2018-3180 OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVE-2018-3169:
1639293:
CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. 
This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3149:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1639834:
CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)

CVE-2018-3139:
1639442:
CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). 
Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

CVE-2018-3136:
1639755:
CVE-2018-3136 OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149" id="CVE-2018-3149" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136" id="CVE-2018-3136" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139" id="CVE-2018-3139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180" id="CVE-2018-3180" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169" id="CVE-2018-3169" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214" id="CVE-2018-3214" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.16.0.77.amzn1" 
version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.201-2.6.16.0.77.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.16.0.77.amzn1" version="1.7.0.201"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" 
version="1.4"><id>ALAS-2018-1112</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1112: low priority package update for curl</title><issued date="2018-12-06 00:29" /><updated date="2018-12-07 00:55" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14618:
1622707:
CVE-2018-14618 curl: NTLM password overflow via integer overflow
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618" id="CVE-2018-14618" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="curl" release="16.85.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="16.85.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="16.85.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="16.85.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="16.85.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-16.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="16.85.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-16.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="16.85.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-16.85.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="16.85.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-16.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1113</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1113: important priority package update for ruby23 ruby24</title><issued date="2018-12-06 00:31" /><updated date="2018-12-14 19:27" /><severity>important</severity><description>Package updates are 
available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16396:
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
1643089:
CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives

CVE-2018-16395:
1643086:
CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396" id="CVE-2018-16396" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395" id="CVE-2018-16395" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ruby23-doc" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-doc-2.3.8-1.20.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem23-did_you_mean" release="1.20.amzn1" version="1.0.0"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.20.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-devel" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-devel-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-libs" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-libs-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-bigdecimal" release="1.20.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-io-console" release="1.20.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23" release="1.20.amzn1" version="2.5.2.3"><filename>Packages/rubygems23-2.5.2.3-1.20.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby23-irb" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-irb-2.3.8-1.20.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-psych" release="1.20.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem23-json" 
release="1.20.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23-debuginfo" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-debuginfo-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby23" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems23-devel" release="1.20.amzn1" version="2.5.2.3"><filename>Packages/rubygems23-devel-2.5.2.3-1.20.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-devel" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-devel-2.3.8-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-libs" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-libs-2.3.8-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-io-console" release="1.20.amzn1" version="0.4.5"><filename>Packages/rubygem23-io-console-0.4.5-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23" release="1.20.amzn1" version="2.3.8"><filename>Packages/ruby23-2.3.8-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-json" release="1.20.amzn1" version="1.8.3.1"><filename>Packages/rubygem23-json-1.8.3.1-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-psych" release="1.20.amzn1" version="2.1.0.1"><filename>Packages/rubygem23-psych-2.1.0.1-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem23-bigdecimal" release="1.20.amzn1" version="1.2.8"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby23-debuginfo" release="1.20.amzn1" 
version="2.3.8"><filename>Packages/ruby23-debuginfo-2.3.8-1.20.amzn1.i686.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24-devel" release="1.30.7.amzn1" version="2.6.14.3"><filename>Packages/rubygems24-devel-2.6.14.3-1.30.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-libs" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-libs-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-xmlrpc" release="1.30.7.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-debuginfo" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-devel" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-devel-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem24-did_you_mean" release="1.30.7.amzn1" version="1.1.0"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24" release="1.30.7.amzn1" version="2.6.14.3"><filename>Packages/rubygems24-2.6.14.3-1.30.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-io-console" release="1.30.7.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-bigdecimal" release="1.30.7.amzn1" version="1.3.2"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-irb" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-irb-2.4.5-1.30.7.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-doc" release="1.30.7.amzn1" 
version="2.4.5"><filename>Packages/ruby24-doc-2.4.5-1.30.7.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-psych" release="1.30.7.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-json" release="1.30.7.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-libs" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-libs-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-json" release="1.30.7.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-devel" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-devel-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-xmlrpc" release="1.30.7.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-bigdecimal" release="1.30.7.amzn1" version="1.3.2"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-debuginfo" release="1.30.7.amzn1" version="2.4.5"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-psych" release="1.30.7.amzn1" 
version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-io-console" release="1.30.7.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1114</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1114: medium priority package update for mysql57</title><issued date="2018-12-06 00:36" /><updated date="2018-12-07 01:08" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3284:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640310:
CVE-2018-3284 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3283:
1640333:
CVE-2018-3283 mysql: Server: Logging unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Logging). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3282:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640322:
CVE-2018-3282 mysql: Server: Storage Engines unspecified vulnerability (CPU Oct 2018)

CVE-2018-3278:
1640320:
CVE-2018-3278 mysql: Server: RBR unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3277:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640325:
CVE-2018-3277 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3276:
1640307:
CVE-2018-3276 mysql: Server: Memcached unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3251:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640335:
CVE-2018-3251 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3247:
1640317:
CVE-2018-3247 mysql: Server: Merge unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Merge). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3200:
1640308:
CVE-2018-3200 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3187:
1640324:
CVE-2018-3187 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3185:
1640337:
CVE-2018-3185 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3174:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).
1640321:
CVE-2018-3174 mysql: Init script calling kill with root privileges using pid from pidfile owned by mysql user (CPU Oct 2018)

CVE-2018-3173:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640312:
CVE-2018-3173 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3171:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1640334:
CVE-2018-3171 mysql: Server: Partition unspecified vulnerability (CPU Oct 2018)

CVE-2018-3162:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640316:
CVE-2018-3162 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3161:
1640319:
CVE-2018-3161 mysql: Server: Partition unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3156:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640318:
CVE-2018-3156 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3155:
1640340:
CVE-2018-3155 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).

CVE-2018-3144:
1640326:
CVE-2018-3144 mysql: Server: Security: Audit unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3143:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640332:
CVE-2018-3143 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3133:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640331:
CVE-2018-3133 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)

CVE-2016-9843:
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
1402351:
CVE-2016-9843 zlib: Big-endian out-of-bounds pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3284" id="CVE-2018-3284" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3283" id="CVE-2018-3283" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3282" id="CVE-2018-3282" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3185" id="CVE-2018-3185" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843" id="CVE-2016-9843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3187" id="CVE-2018-3187" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3162" id="CVE-2018-3162" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3156" id="CVE-2018-3156" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3155" id="CVE-2018-3155" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3143" id="CVE-2018-3143" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3144" id="CVE-2018-3144" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3200" id="CVE-2018-3200" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3171" id="CVE-2018-3171" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3173" id="CVE-2018-3173" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3161" id="CVE-2018-3161" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3174" id="CVE-2018-3174" title="" 
type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3278" id="CVE-2018-3278" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3276" id="CVE-2018-3276" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3277" id="CVE-2018-3277" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3247" id="CVE-2018-3247" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3133" id="CVE-2018-3133" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3251" id="CVE-2018-3251" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql57-devel" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-devel-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-errmsg" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-errmsg-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-libs" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-libs-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-common" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-common-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-test" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-test-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded" release="1.10.amzn1" 
version="5.7.24"><filename>Packages/mysql57-embedded-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-server" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-server-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-debuginfo" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-debuginfo-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded-devel" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-embedded-devel-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-devel" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-devel-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-errmsg" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-errmsg-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-server" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-server-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-libs" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-libs-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded-devel" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-embedded-devel-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-debuginfo" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-debuginfo-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-test" release="1.10.amzn1" 
version="5.7.24"><filename>Packages/mysql57-test-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-common" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-common-5.7.24-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded" release="1.10.amzn1" version="5.7.24"><filename>Packages/mysql57-embedded-5.7.24-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1115</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1115: medium priority package update for mysql56</title><issued date="2018-12-06 00:38" /><updated date="2018-12-07 01:13" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3282:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640322:
CVE-2018-3282 mysql: Server: Storage Engines unspecified vulnerability (CPU Oct 2018)

CVE-2018-3278:
1640320:
CVE-2018-3278 mysql: Server: RBR unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3276:
1640307:
CVE-2018-3276 mysql: Server: Memcached unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2018-3251:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640335:
CVE-2018-3251 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3247:
1640317:
CVE-2018-3247 mysql: Server: Merge unspecified vulnerability (CPU Oct 2018)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Merge). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

CVE-2018-3174:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).
1640321:
CVE-2018-3174 mysql: Init script calling kill with root privileges using pid from pidfile owned by mysql user (CPU Oct 2018)

CVE-2018-3156:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB).
Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640318:
CVE-2018-3156 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3143:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640332:
CVE-2018-3143 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)

CVE-2018-3133:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640331:
CVE-2018-3133 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)

CVE-2016-9843:
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
1402351:
CVE-2016-9843 zlib: Big-endian out-of-bounds pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3156" id="CVE-2018-3156" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3143" id="CVE-2018-3143" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3251" id="CVE-2018-3251" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3282" id="CVE-2018-3282" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3278" id="CVE-2018-3278" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3276" id="CVE-2018-3276" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843" id="CVE-2016-9843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3247" id="CVE-2018-3247" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3133" id="CVE-2018-3133" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3174" id="CVE-2018-3174" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-embedded-devel-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.31.amzn1" 
version="5.6.42"><filename>Packages/mysql56-bench-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-common-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-embedded-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-devel-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-server-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-libs-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-test" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-test-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-debuginfo-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-errmsg-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-debuginfo-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.31.amzn1" 
version="5.6.42"><filename>Packages/mysql56-test-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-devel-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-errmsg-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-bench-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-common-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-embedded-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-server-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-embedded-devel-5.6.42-1.31.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.31.amzn1" version="5.6.42"><filename>Packages/mysql56-libs-5.6.42-1.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1116</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1116: medium priority package update for mysql55</title><issued date="2018-12-06 00:40" /><updated date="2018-12-07 01:14" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3282:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640322:
CVE-2018-3282 mysql: Server: Storage Engines unspecified vulnerability (CPU Oct 2018)

CVE-2018-3174:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).
1640321:
CVE-2018-3174 mysql: Init script calling kill with root privileges using pid from pidfile owned by mysql user (CPU Oct 2018)

CVE-2018-3133:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser).
Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640331:
CVE-2018-3133 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)

CVE-2016-9843:
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
1402351:
CVE-2016-9843 zlib: Big-endian out-of-bounds pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843" id="CVE-2016-9843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3174" id="CVE-2018-3174" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3133" id="CVE-2018-3133" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3282" id="CVE-2018-3282" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql55" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-bench" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-bench-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-devel" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-devel-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="mysql55-embedded-devel" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-embedded-devel-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-embedded" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-embedded-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-test" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-test-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-debuginfo" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-debuginfo-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql-config" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql-config-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-server" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-server-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql55-libs" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-libs-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-embedded-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-devel" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-devel-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-bench" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-bench-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql-config" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql-config-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-debuginfo" release="1.23.amzn1" 
version="5.5.62"><filename>Packages/mysql55-debuginfo-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-server" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-server-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-test" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-test-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-libs" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-libs-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-5.5.62-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql55-embedded-devel" release="1.23.amzn1" version="5.5.62"><filename>Packages/mysql55-embedded-devel-5.5.62-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1117</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1117: important priority package update for postgresql93 postgresql94</title><issued date="2018-12-06 16:55" /><updated date="2018-12-07 01:14" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10915:
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections.
If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" id="CVE-2018-10915" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql94-server" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-server-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-docs" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-docs-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-devel" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-devel-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-test" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-test-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython26" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-plpython26-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-contrib" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-contrib-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plperl" release="1.76.amzn1" 
version="9.4.20"><filename>Packages/postgresql94-plperl-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-plpython27" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-plpython27-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-debuginfo" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-debuginfo-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql94-libs" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-libs-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-test" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-test-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython26" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-plpython26-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-server" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-server-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-devel" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-devel-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-libs" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-libs-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plperl" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-plperl-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-docs" 
release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-docs-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-contrib" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-contrib-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-debuginfo" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-debuginfo-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql94-plpython27" release="1.76.amzn1" version="9.4.20"><filename>Packages/postgresql94-plpython27-9.4.20-1.76.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-server" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-server-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-contrib" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-contrib-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plperl" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-plperl-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython26" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-plpython26-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-debuginfo" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-debuginfo-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-devel" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-devel-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="postgresql93-pltcl" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-pltcl-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-plpython27" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-plpython27-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-libs" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-libs-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-docs" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-docs-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql93-test" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-test-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-libs" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-libs-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-test" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-test-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-docs" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-docs-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-devel" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-devel-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-debuginfo" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-debuginfo-9.3.25-1.72.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="postgresql93-pltcl" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-pltcl-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-server" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-server-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython27" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-plpython27-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-contrib" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-contrib-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plpython26" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-plpython26-9.3.25-1.72.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql93-plperl" release="1.72.amzn1" version="9.3.25"><filename>Packages/postgresql93-plperl-9.3.25-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1118</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1118: important priority package update for postgresql95</title><issued date="2018-12-06 16:57" /><updated date="2018-12-07 01:15" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10925:
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.

CVE-2018-10915:
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" id="CVE-2018-10925" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" id="CVE-2018-10915" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql95-static" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-static-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython27" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-plpython27-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-devel" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-devel-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plperl" release="1.80.amzn1" 
version="9.5.15"><filename>Packages/postgresql95-plperl-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-server" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-server-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-docs" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-docs-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-debuginfo" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-debuginfo-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-contrib" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-contrib-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-libs" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-libs-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-plpython26" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-plpython26-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95-test" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-test-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql95" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-debuginfo" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-debuginfo-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-docs" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-docs-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="postgresql95-plpython27" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-plpython27-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-test" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-test-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-server" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-server-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-contrib" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-contrib-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-devel" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-devel-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plperl" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-plperl-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-static" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-static-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-plpython26" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-plpython26-9.5.15-1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql95-libs" release="1.80.amzn1" version="9.5.15"><filename>Packages/postgresql95-libs-9.5.15-1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1119</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2018-1119: important priority package update for postgresql96</title><issued date="2018-12-06 16:58" /><updated date="2018-12-07 01:16" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1115:
1573276:
CVE-2018-1115 postgresql: Too-permissive access control list on function pg_logfile_rotate()
It was found that pg_catalog.pg_logfile_rotate(), from the adminpack extension, did not follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could use this flaw to force log rotation.

CVE-2018-10925:
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.

CVE-2018-10915:
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" id="CVE-2018-10925" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" id="CVE-2018-10915" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1115" id="CVE-2018-1115" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="postgresql96-contrib" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-contrib-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-debuginfo" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-debuginfo-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-static" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-static-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-test" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-test-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-docs" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-docs-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-libs" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-libs-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plperl" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-plperl-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-devel" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-devel-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="postgresql96-plpython26" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-plpython26-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-plpython27" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-plpython27-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96-server" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-server-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="postgresql96" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-devel" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-devel-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-test" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-test-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-static" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-static-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plpython26" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-plpython26-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-debuginfo" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-debuginfo-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-server" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-server-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-libs" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-libs-9.6.11-1.82.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="postgresql96-plpython27" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-plpython27-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-plperl" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-plperl-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-docs" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-docs-9.6.11-1.82.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="postgresql96-contrib" release="1.82.amzn1" version="9.6.11"><filename>Packages/postgresql96-contrib-9.6.11-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1123</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1123: medium priority package update for fuse</title><issued date="2019-04-17 18:45" /><updated date="2019-04-19 16:27" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10906:
A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the &#039;allow_other&#039; mount option regardless of whether &#039;user_allow_other&#039; is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.
1602996:
CVE-2018-10906 fuse: bypass of the "user_allow_other" restriction when SELinux is active
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10906" id="CVE-2018-10906" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="fuse-devel" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-devel-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fuse-libs" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-libs-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fuse-debuginfo" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-debuginfo-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="fuse" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="fuse-libs" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-libs-2.9.4-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fuse-debuginfo" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-debuginfo-2.9.4-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fuse-devel" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-devel-2.9.4-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="fuse" release="1.18.amzn1" version="2.9.4"><filename>Packages/fuse-2.9.4-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1125</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1125: medium priority package update for nginx</title><issued date="2018-12-13 17:27" /><updated date="2018-12-14 01:03" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16844:
1644510:
CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the &#039;http2&#039; option of the &#039;listen&#039; directive is used in a configuration file.

CVE-2018-16843:
1644511:
CVE-2018-16843 nginx: Excessive memory consumption via flaw in HTTP/2 implementation
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the &#039;http2&#039; option of the &#039;listen&#039; directive is used in a configuration file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843" id="CVE-2018-16843" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16844" id="CVE-2018-16844" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="nginx-all-modules" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-all-modules-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-image-filter" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-image-filter-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-perl" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-perl-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-debuginfo" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-debuginfo-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-geoip" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-geoip-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-mail" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-mail-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-stream" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-stream-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="nginx-mod-http-xslt-filter" release="2.34.amzn1" 
version="1.14.1"><filename>Packages/nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-stream" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-stream-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-geoip" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-geoip-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-xslt-filter" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-debuginfo" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-debuginfo-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-perl" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-perl-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-mail" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-mail-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-mod-http-image-filter" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-mod-http-image-filter-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx-all-modules" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-all-modules-1.14.1-2.34.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="nginx" release="2.34.amzn1" version="1.14.1"><filename>Packages/nginx-1.14.1-2.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1126</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1126: medium priority package update for 
samba</title><issued date="2019-01-22 17:55" /><updated date="2019-01-25 02:42" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1139:
A flaw was found in the way samba allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.
1589651:
CVE-2018-1139 samba: Weak authentication protocol regression

CVE-2018-10858:
1612805:
CVE-2018-10858 samba: Insufficient input validation in libsmbclient
A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client.

CVE-2018-1050:
A null pointer dereference flaw was found in Samba RPC external printer service. An attacker could use this flaw to cause the printer spooler service to crash.
1538771:
CVE-2018-1050 samba: NULL pointer dereference in printer server process
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1050" id="CVE-2018-1050" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1139" id="CVE-2018-1139" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10858" id="CVE-2018-10858" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="samba-winbind-krb5-locator" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-krb5-locator-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-test-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-test-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-clients" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-clients-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient" release="4.amzn1" version="4.8.3"><filename>Packages/libsmbclient-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python-test" release="4.amzn1" version="4.8.3"><filename>Packages/samba-python-test-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-python" release="4.amzn1" version="4.8.3"><filename>Packages/samba-python-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-devel" release="4.amzn1" version="4.8.3"><filename>Packages/samba-devel-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="libwbclient-devel" release="4.amzn1" version="4.8.3"><filename>Packages/libwbclient-devel-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-debuginfo" release="4.amzn1" version="4.8.3"><filename>Packages/samba-debuginfo-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-krb5-printing" release="4.amzn1" version="4.8.3"><filename>Packages/samba-krb5-printing-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwbclient" release="4.amzn1" version="4.8.3"><filename>Packages/libwbclient-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-common-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb-tests" release="4.amzn1" version="4.8.3"><filename>Packages/ctdb-tests-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-common" release="4.amzn1" version="4.8.3"><filename>Packages/samba-common-4.8.3-4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-client-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="samba-pidl" release="4.amzn1" version="4.8.3"><filename>Packages/samba-pidl-4.8.3-4.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-client" release="4.amzn1" version="4.8.3"><filename>Packages/samba-client-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsmbclient-devel" release="4.amzn1" version="4.8.3"><filename>Packages/libsmbclient-devel-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ctdb" release="4.amzn1" version="4.8.3"><filename>Packages/ctdb-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="samba-test" release="4.amzn1" version="4.8.3"><filename>Packages/samba-test-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba" release="4.amzn1" version="4.8.3"><filename>Packages/samba-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-winbind-modules" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-modules-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="samba-common-tools" release="4.amzn1" version="4.8.3"><filename>Packages/samba-common-tools-4.8.3-4.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="samba-python-test" release="4.amzn1" version="4.8.3"><filename>Packages/samba-python-test-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient" release="4.amzn1" version="4.8.3"><filename>Packages/libsmbclient-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-devel" release="4.amzn1" version="4.8.3"><filename>Packages/samba-devel-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-test-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-krb5-locator" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-krb5-locator-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-clients" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-clients-4.8.3-4.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="samba-common-tools" release="4.amzn1" version="4.8.3"><filename>Packages/samba-common-tools-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb" release="4.amzn1" version="4.8.3"><filename>Packages/ctdb-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-winbind-modules" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-modules-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsmbclient-devel" release="4.amzn1" version="4.8.3"><filename>Packages/libsmbclient-devel-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-krb5-printing" release="4.amzn1" version="4.8.3"><filename>Packages/samba-krb5-printing-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-debuginfo" release="4.amzn1" version="4.8.3"><filename>Packages/samba-debuginfo-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba" release="4.amzn1" version="4.8.3"><filename>Packages/samba-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-python" release="4.amzn1" version="4.8.3"><filename>Packages/samba-python-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ctdb-tests" release="4.amzn1" version="4.8.3"><filename>Packages/ctdb-tests-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-test" release="4.amzn1" version="4.8.3"><filename>Packages/samba-test-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient-devel" release="4.amzn1" version="4.8.3"><filename>Packages/libwbclient-devel-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-client-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="samba-winbind" release="4.amzn1" version="4.8.3"><filename>Packages/samba-winbind-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-common-libs" release="4.amzn1" version="4.8.3"><filename>Packages/samba-common-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwbclient" release="4.amzn1" version="4.8.3"><filename>Packages/libwbclient-4.8.3-4.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="samba-client" release="4.amzn1" version="4.8.3"><filename>Packages/samba-client-4.8.3-4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1127</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1127: low priority package update for sssd</title><issued date="2019-01-22 18:00" /><updated date="2019-01-25 02:40" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10852:
1588810:
CVE-2018-10852 sssd: information leak from the sssd-sudo responder
The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD utilizes too broad of a set of permissions. Any user who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10852" id="CVE-2018-10852" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="sssd" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_certmap" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_certmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-proxy" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-proxy-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ad" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-ad-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_simpleifp-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_simpleifp-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-libwbclient" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-libwbclient-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-sss" release="13.amzn1" version="1.16.2"><filename>Packages/python27-sss-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-sss-murmur" release="13.amzn1" version="1.16.2"><filename>Packages/python27-sss-murmur-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_simpleifp" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_simpleifp-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-client" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-client-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_autofs" 
release="13.amzn1" version="1.16.2"><filename>Packages/libsss_autofs-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-krb5-common" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-krb5-common-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ipa" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-ipa-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-debuginfo" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-debuginfo-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-libwbclient-devel" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-libwbclient-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-common" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-common-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-ldap" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-ldap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-krb5" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-krb5-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_idmap" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_certmap-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_certmap-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-common-pac" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-common-pac-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_idmap-devel" release="13.amzn1" 
version="1.16.2"><filename>Packages/libsss_idmap-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libipa_hbac" release="13.amzn1" version="1.16.2"><filename>Packages/python27-libipa_hbac-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python27-sssdconfig" release="13.amzn1" version="1.16.2"><filename>Packages/python27-sssdconfig-1.16.2-13.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="libipa_hbac-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libipa_hbac-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_sudo" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_sudo-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-dbus" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-dbus-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libsss_nss_idmap" release="13.amzn1" version="1.16.2"><filename>Packages/python27-libsss_nss_idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_nss_idmap" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_nss_idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-tools" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-tools-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libipa_hbac" release="13.amzn1" version="1.16.2"><filename>Packages/libipa_hbac-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libsss_nss_idmap-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_nss_idmap-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="sssd-winbind-idmap" release="13.amzn1" 
version="1.16.2"><filename>Packages/sssd-winbind-idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-libipa_hbac" release="13.amzn1" version="1.16.2"><filename>Packages/python27-libipa_hbac-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_sudo" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_sudo-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-client" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-client-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-winbind-idmap" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-winbind-idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-dbus" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-dbus-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libipa_hbac" release="13.amzn1" version="1.16.2"><filename>Packages/libipa_hbac-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-krb5" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-krb5-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-tools" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-tools-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-common" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-common-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-proxy" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-proxy-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_idmap-devel" release="13.amzn1" 
version="1.16.2"><filename>Packages/libsss_idmap-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_nss_idmap" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_nss_idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libsss_nss_idmap" release="13.amzn1" version="1.16.2"><filename>Packages/python27-libsss_nss_idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-krb5-common" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-krb5-common-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-sss-murmur" release="13.amzn1" version="1.16.2"><filename>Packages/python27-sss-murmur-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_autofs" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_autofs-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_certmap-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_certmap-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ipa" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-ipa-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-libwbclient" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-libwbclient-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_certmap" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_certmap-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-sss" release="13.amzn1" version="1.16.2"><filename>Packages/python27-sss-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ad" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-ad-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="sssd-libwbclient-devel" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-libwbclient-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_simpleifp-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_simpleifp-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_simpleifp" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_simpleifp-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_nss_idmap-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_nss_idmap-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libsss_idmap" release="13.amzn1" version="1.16.2"><filename>Packages/libsss_idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libipa_hbac-devel" release="13.amzn1" version="1.16.2"><filename>Packages/libipa_hbac-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-common-pac" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-common-pac-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-ldap" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-ldap-1.16.2-13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="sssd-debuginfo" release="13.amzn1" version="1.16.2"><filename>Packages/sssd-debuginfo-1.16.2-13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1129</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1129: low priority package update for krb5</title><issued date="2019-01-23 18:58" /><updated date="2019-01-25 02:39" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2018-5730:
1551082:
CVE-2018-5730 krb5: DN container check bypass by supplying special crafted data
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a &quot;linkdn&quot; and &quot;containerdn&quot; database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

CVE-2018-5729:
1551083:
CVE-2018-5729 krb5: null dereference in kadmind or DN container check bypass by supplying special crafted data
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5730" id="CVE-2018-5730" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5729" id="CVE-2018-5729" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="krb5-server-ldap" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-server-ldap-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-devel" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-devel-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-debuginfo" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-debuginfo-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-workstation" release="34.44.amzn1" 
version="1.15.1"><filename>Packages/krb5-workstation-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libkadm5" release="34.44.amzn1" version="1.15.1"><filename>Packages/libkadm5-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-libs" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-libs-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-server" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-server-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="krb5-pkinit-openssl" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-pkinit-openssl-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="krb5-devel" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-devel-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-workstation" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-workstation-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-pkinit-openssl" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-pkinit-openssl-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-server-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-server-ldap" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-server-ldap-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libkadm5" release="34.44.amzn1" version="1.15.1"><filename>Packages/libkadm5-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-libs" release="34.44.amzn1" 
version="1.15.1"><filename>Packages/krb5-libs-1.15.1-34.44.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="krb5-debuginfo" release="34.44.amzn1" version="1.15.1"><filename>Packages/krb5-debuginfo-1.15.1-34.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1130</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1130: important priority package update for golang</title><issued date="2018-12-14 18:50" /><updated date="2018-12-14 22:32" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15161 CVE-2018-16875: 15162 The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. 15163 1657565: 15164 CVE-2018-16875 golang: crypto/x509 allows for denial of service via crafted TLS client certificate 15165 15166 CVE-2018-16874: 15167 In Go before 1.10.6 and 1.11.x before 1.11.3, the &quot;go get&quot; command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both &#039;{&#039; and &#039;}&#039; characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. 
1657564:
CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious package

CVE-2018-16873:
1657563:
CVE-2018-16873 golang: "go get" command vulnerable to RCE via import of malicious package
In Go before 1.10.6 and 1.11.x before 1.11.3, the &quot;go get&quot; command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it&#039;s possible to arrange things so that a Git repository is cloned to a folder named &quot;.git&quot; by using a vanity import path that ends with &quot;/.git&quot;. If the Git repository root contains a &quot;HEAD&quot; file, a &quot;config&quot; file, an &quot;objects&quot; directory, a &quot;refs&quot; directory, with some work to ensure the proper ordering of operations, &quot;go get -u&quot; can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the &quot;config&quot; file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running &quot;go get -u&quot;.
15175 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16873" id="CVE-2018-16873" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16875" id="CVE-2018-16875" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16874" id="CVE-2018-16874" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-misc" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-misc-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-bin" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-bin-1.10.6-1.47.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-tests-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-race" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-race-1.10.6-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-1.10.6-1.47.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-src-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-docs-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.47.amzn1" version="1.10.6"><filename>Packages/golang-1.10.6-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.47.amzn1" 
version="1.10.6"><filename>Packages/golang-bin-1.10.6-1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1132</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1132: medium priority package update for python34 python36</title><issued date="2018-12-20 00:01" /><updated date="2019-01-12 03:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15176 CVE-2018-14647: 15177 1631822: 15178 CVE-2018-14647 python: Missing salt initialization in _elementtree.c module 15179 Python&#039;s elementtree C accelerator failed to initialise Expat&#039;s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat&#039;s internal data structures, consuming large amounts CPU and RAM. 
15180 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647" id="CVE-2018-14647" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python34-libs" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-libs-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-debuginfo-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-tools-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-devel-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-test-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-devel-3.4.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-tools-3.4.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-test-3.4.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-debuginfo-3.4.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="python34" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-3.4.9-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.40.amzn1" version="3.4.9"><filename>Packages/python34-libs-3.4.9-1.40.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python36" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debug" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-debug-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-devel" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-devel-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-tools" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-tools-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-test" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-test-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-libs" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-libs-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debuginfo" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-debuginfo-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python36-debug" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-debug-3.6.7-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-tools" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-tools-3.6.7-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debuginfo" release="1.10.amzn1" 
version="3.6.7"><filename>Packages/python36-debuginfo-3.6.7-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-test" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-test-3.6.7-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-libs" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-libs-3.6.7-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-3.6.7-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-devel" release="1.10.amzn1" version="3.6.7"><filename>Packages/python36-devel-3.6.7-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1133</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1133: medium priority package update for kernel</title><issued date="2018-12-20 00:02" /><updated date="2018-12-20 23:28" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15181 CVE-2018-19407: 15182 1652656: 15183 CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c 15184 A NULL pointer dereference security flaw was found in the Linux kernel in the vcpu_scan_ioapic() function in arch/x86/kvm/x86.c. This allows local users with certain privileges to cause a denial of service via a crafted system call to the KVM subsystem. 15185 15186 CVE-2018-18710: 15187 1645140: 15188 CVE-2018-18710 kernel: Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c 15189 An issue was discovered in the Linux kernel through 4.19. 
An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking.

CVE-2018-16862:
1649017:
CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19407" id="CVE-2018-19407" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18710" id="CVE-2018-18710" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16862" id="CVE-2018-16862" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-devel-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-tools-devel-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="72.73.amzn1" version="4.14.88"><filename>Packages/perf-debuginfo-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="72.73.amzn1" 
version="4.14.88"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-headers-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="72.73.amzn1" version="4.14.88"><filename>Packages/perf-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-tools-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="72.73.amzn1" version="4.14.88"><filename>Packages/perf-debuginfo-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-devel-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-tools-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="72.73.amzn1" 
version="4.14.88"><filename>Packages/perf-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-tools-devel-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-headers-4.14.88-72.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="72.73.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-common-i686-4.14.88-72.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1136</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1136: important priority package update for git</title><issued date="2018-12-20 00:03" /><updated date="2018-12-20 23:28" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19486:
Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if &#039;.&#039; were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
1653143:
CVE-2018-19486 git: Improper handling of PATH allows for commands to be executed from the current directory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19486" id="CVE-2018-19486" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="git-all" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-all-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-daemon" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-daemon-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-cvs" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-cvs-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git-SVN" release="1.60.amzn1" version="2.14.5"><filename>Packages/perl-Git-SVN-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-svn" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-svn-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="gitweb" release="1.60.amzn1" version="2.14.5"><filename>Packages/gitweb-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-Git" release="1.60.amzn1" version="2.14.5"><filename>Packages/perl-Git-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git-debuginfo" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-debuginfo-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-email" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-email-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-hg" release="1.60.amzn1"
version="2.14.5"><filename>Packages/git-hg-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="git-bzr" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-bzr-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git-el" release="1.60.amzn1" version="2.14.5"><filename>Packages/emacs-git-el-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="git" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="git-p4" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-p4-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="emacs-git" release="1.60.amzn1" version="2.14.5"><filename>Packages/emacs-git-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="git-debuginfo" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-debuginfo-2.14.5-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-daemon" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-daemon-2.14.5-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-2.14.5-1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="git-svn" release="1.60.amzn1" version="2.14.5"><filename>Packages/git-svn-2.14.5-1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2018-1137</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1137: important priority package update for ghostscript</title><issued date="2018-12-20 00:04" /><updated date="2018-12-20 23:29" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2018-16509:
1619748:
CVE-2018-16509 ghostscript: /invalidaccess bypass after failed restore (699654)
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509" id="CVE-2018-16509" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="ghostscript-debuginfo" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-24.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-doc" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-24.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-24.26.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ghostscript-devel" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-devel-8.70-24.26.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-doc" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-doc-8.70-24.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-8.70-24.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-debuginfo" release="24.26.amzn1" version="8.70"><filename>Packages/ghostscript-debuginfo-8.70-24.26.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ghostscript-devel" release="24.26.amzn1"
version="8.70"><filename>Packages/ghostscript-devel-8.70-24.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1145</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1145: medium priority package update for kernel</title><issued date="2019-01-09 22:47" /><updated date="2019-01-12 03:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20169:
An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
1660385:
CVE-2018-20169 kernel: Mishandled size checks during the reading of an extra descriptor

CVE-2018-14625:
A flaw was found where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly impersonate AF_VSOCK messages destined to other clients or leak kernel memory.
1619846:
CVE-2018-14625 kernel: use-after-free Read in vhost_transport_send_pkt
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14625" id="CVE-2018-14625" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20169" id="CVE-2018-20169" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-devel-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-tools-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="72.76.amzn1" version="4.14.88"><filename>Packages/perf-debuginfo-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-headers-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-tools-devel-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="72.76.amzn1"
version="4.14.88"><filename>Packages/perf-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-common-i686-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-tools-devel-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-headers-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-devel-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-tools-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-debuginfo-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="72.76.amzn1" version="4.14.88"><filename>Packages/perf-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="72.76.amzn1" version="4.14.88"><filename>Packages/kernel-4.14.88-72.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="72.76.amzn1" 
version="4.14.88"><filename>Packages/perf-debuginfo-4.14.88-72.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1146</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1146: low priority package update for clamav</title><issued date="2019-01-09 22:56" /><updated date="2019-01-12 03:28" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-15378:


CVE-2018-14682:
1610941:
CVE-2018-14682 libmspack: off-by-one error in the TOLOWER() macro for CHM decompression
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression.

CVE-2018-14681:
1610896:
CVE-2018-14681 libmspack: out-of-bounds write in kwajd_read_headers in mspack/kwajd.c
An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.

CVE-2018-14680:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.
1610934:
CVE-2018-14680 libmspack: off-by-one error in the CHM chunk number validity checks

CVE-2018-14679:
1610890:
CVE-2018-14679 libmspack: off-by-one error in the CHM PMGI/PMGL chunk number validity checks
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14679" id="CVE-2018-14679" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682" id="CVE-2018-14682" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378" id="CVE-2018-15378" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680" id="CVE-2018-14680" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681" id="CVE-2018-14681" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="clamav-lib" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-lib-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-milter" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-milter-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-db-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-filesystem-0.100.2-2.35.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-debuginfo" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-debuginfo-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamd" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamd-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-devel-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update"
release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-update-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-data-0.100.2-2.35.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-lib-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-milter-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-debuginfo-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-db-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-update" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-update-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamd-0.100.2-2.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-devel" release="2.35.amzn1" version="0.100.2"><filename>Packages/clamav-devel-0.100.2-2.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1147</id><title>Amazon Linux AMI 2014.03 
- ALAS-2019-1147: medium priority package update for php56 php70 php71 php72</title><issued date="2019-01-09 22:58" /><updated date="2019-01-12 03:29" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19935:
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
1660525:
CVE-2018-19935 php: NULL pointer dereference in ext/imap/php_imap.c resulting in a denial of service

CVE-2018-19518:
1654228:
CVE-2018-19518 php: imap_open() allows running arbitrary shell commands via mailbox parameter
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a &quot;-oProxyCommand&quot; argument.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518" id="CVE-2018-19518" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19935" id="CVE-2018-19935" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php70-gd" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-gd-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-embedded" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-embedded-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pgsql" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pgsql-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-ldap" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-ldap-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-process" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-process-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-intl" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-intl-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-common" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-common-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-opcache" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-opcache-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-cli" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-cli-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-enchant" release="1.32.amzn1"
version="7.0.33"><filename>Packages/php70-enchant-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-fpm" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-fpm-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-recode" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-recode-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-bcmath" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-bcmath-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mbstring" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-mbstring-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-soap" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-soap-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo-dblib" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pdo-dblib-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-debuginfo" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-debuginfo-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mysqlnd" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-mysqlnd-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-snmp" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-snmp-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dbg" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-dbg-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php70-pspell" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pspell-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-dba" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-dba-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-odbc" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-odbc-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xmlrpc" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-xmlrpc-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-devel" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-devel-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pdo" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pdo-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-xml" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-xml-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-zip" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-zip-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-imap" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-imap-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-gmp" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-gmp-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-tidy" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-tidy-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-json" release="1.32.amzn1" 
version="7.0.33"><filename>Packages/php70-json-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-mcrypt" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-mcrypt-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-soap" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-soap-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-json" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-json-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mbstring" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-mbstring-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-opcache" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-opcache-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-tidy" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-tidy-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xml" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-xml-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gd" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-gd-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-common" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-common-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-snmp" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-snmp-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-gmp" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-gmp-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-ldap" release="1.32.amzn1" 
version="7.0.33"><filename>Packages/php70-ldap-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mysqlnd" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-mysqlnd-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-mcrypt" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-mcrypt-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pdo-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-embedded" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-embedded-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-process" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-process-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-intl" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-intl-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-bcmath" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-bcmath-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-recode" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-recode-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-xmlrpc" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-xmlrpc-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pdo-dblib" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pdo-dblib-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-cli" 
release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-cli-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pspell" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pspell-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dba" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-dba-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-dbg" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-dbg-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-odbc" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-odbc-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-enchant" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-enchant-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-fpm" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-fpm-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pgsql" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-pgsql-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-devel" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-devel-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-zip" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-zip-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-imap" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-imap-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-debuginfo" release="1.32.amzn1" version="7.0.33"><filename>Packages/php70-debuginfo-7.0.33-1.32.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dbg" 
release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-dbg-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mssql" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mssql-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-tidy" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-tidy-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-intl" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-intl-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-dba" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-dba-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pdo" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-pdo-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-cli" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-cli-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-common" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-common-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-embedded" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-embedded-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-ldap" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-ldap-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pspell" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-pspell-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php56-fpm" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-fpm-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-debuginfo" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-debuginfo-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mysqlnd" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mysqlnd-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gmp" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-gmp-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xml" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-xml-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pgsql" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-pgsql-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-bcmath" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-bcmath-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-gd" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-gd-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-opcache" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-opcache-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-devel" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-devel-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-xmlrpc" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-xmlrpc-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-recode" release="1.141.amzn1" 
version="5.6.39"><filename>Packages/php56-recode-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-process" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-process-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mbstring" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mbstring-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-enchant" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-enchant-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-imap" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-imap-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-soap" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-soap-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-mcrypt" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mcrypt-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-odbc" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-odbc-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-snmp" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-snmp-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-xml" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-xml-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pdo" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-pdo-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dbg" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-dbg-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php56-ldap" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-ldap-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mbstring" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mbstring-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-dba" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-dba-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-cli" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-cli-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-process" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-process-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-common" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-common-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-odbc" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-odbc-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-xmlrpc" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-xmlrpc-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-devel" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-devel-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mysqlnd" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mysqlnd-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-opcache" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-opcache-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-fpm" release="1.141.amzn1" 
version="5.6.39"><filename>Packages/php56-fpm-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-debuginfo" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-debuginfo-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-embedded" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-embedded-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gd" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-gd-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-imap" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-imap-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-enchant" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-enchant-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mssql" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mssql-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-soap" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-soap-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-mcrypt" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-mcrypt-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-bcmath" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-bcmath-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-tidy" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-tidy-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-gmp" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-gmp-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-intl" 
release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-intl-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-recode" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-recode-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pgsql" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-pgsql-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-snmp" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-snmp-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pspell" release="1.141.amzn1" version="5.6.39"><filename>Packages/php56-pspell-5.6.39-1.141.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-bcmath-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-snmp-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pspell-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-mbstring-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pdo-dblib-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-mysqlnd-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php71-embedded" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-embedded-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-debuginfo-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-cli-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-devel-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-dbg-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-common-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-odbc-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-soap-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-xmlrpc-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-xml-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.35.amzn1" 
version="7.1.25"><filename>Packages/php71-tidy-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-json-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-imap-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-intl-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-gmp-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-fpm-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-recode-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-opcache-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-mcrypt-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-dba-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pgsql-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pdo-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php71-process" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-process-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-enchant-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-ldap-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-gd-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-common-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-enchant-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-intl-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pdo-dblib-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-debuginfo-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-tidy-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-gmp-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php71-bcmath" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-bcmath-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-embedded-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-fpm-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-gd-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-cli-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pgsql-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-snmp-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-ldap-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-xml-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-dbg-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-odbc-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-json-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" 
release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-xmlrpc-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-imap-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-mysqlnd-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-devel-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-mcrypt-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-recode-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-process-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-opcache-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-dba-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-soap-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pdo-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-pspell-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php71-mbstring" release="1.35.amzn1" version="7.1.25"><filename>Packages/php71-mbstring-7.1.25-1.35.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-dba-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-cli-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-debuginfo-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-odbc-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-xml-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-gd-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-devel-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-snmp-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pdo-dblib-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mbstring" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-mbstring-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php72-soap" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-soap-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-dbg-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-mysqlnd-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-recode" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-recode-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pdo-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-fpm" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-fpm-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-opcache-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-tidy" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-tidy-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-json-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-ldap-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pgsql" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pgsql-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pspell" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pspell-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php72-bcmath" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-bcmath-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-imap" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-imap-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-intl-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-common-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gmp" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-gmp-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-xmlrpc-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-embedded" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-embedded-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-process-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-enchant" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-enchant-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pspell-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-imap-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.7.amzn1" 
version="7.2.13"><filename>Packages/php72-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-json" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-json-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dbg" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-dbg-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-intl-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-mysqlnd-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-enchant-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-embedded" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-embedded-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-debuginfo-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pgsql-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-common-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo-dblib" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pdo-dblib-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-recode-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.7.amzn1" 
version="7.2.13"><filename>Packages/php72-mbstring-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-bcmath-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-tidy-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-gd-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-soap-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-ldap-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-devel-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-odbc-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gmp" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-gmp-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dba" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-dba-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-xml-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-snmp-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.7.amzn1" 
version="7.2.13"><filename>Packages/php72-opcache-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-fpm-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-pdo-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-cli-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-xmlrpc-7.2.13-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.7.amzn1" version="7.2.13"><filename>Packages/php72-process-7.2.13-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1148</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1148: low priority package update for curl</title><issued date="2019-01-21 23:46" /><updated date="2019-01-25 03:51" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16842:
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
1644124:
CVE-2018-16842 curl: Heap-based buffer over-read in the curl tool warning formatting

CVE-2018-16840:
1642203:
CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close()
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle.
When closing and cleaning up an &#039;easy&#039; handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

CVE-2018-16839:
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
1642201:
CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842" id="CVE-2018-16842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840" id="CVE-2018-16840" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16839" id="CVE-2018-16839" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl" release="16.86.amzn1" version="7.53.1"><filename>Packages/libcurl-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="16.86.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="16.86.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="16.86.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="16.86.amzn1" version="7.53.1"><filename>Packages/libcurl-devel-7.53.1-16.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="16.86.amzn1" 
version="7.53.1"><filename>Packages/libcurl-7.53.1-16.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="16.86.amzn1" version="7.53.1"><filename>Packages/curl-7.53.1-16.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="16.86.amzn1" version="7.53.1"><filename>Packages/curl-debuginfo-7.53.1-16.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1149</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1149: important priority package update for kernel</title><issued date="2019-01-25 02:26" /><updated date="2019-01-25 02:34" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16884:
1660375:
CVE-2018-16884 kernel: nfs: use-after-free in svc_process_common()
A flaw was found in the Linux kernel&#039;s NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16884" id="CVE-2018-16884" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-tools-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="73.73.amzn1" version="4.14.94"><filename>Packages/perf-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="73.73.amzn1" version="4.14.94"><filename>Packages/perf-debuginfo-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-headers-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-tools-debuginfo-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-devel-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-debuginfo-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-tools-devel-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="73.73.amzn1"
version="4.14.94"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="73.73.amzn1" version="4.14.94"><filename>Packages/perf-debuginfo-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-tools-debuginfo-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-tools-devel-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="73.73.amzn1" version="4.14.94"><filename>Packages/perf-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-debuginfo-common-i686-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-devel-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-tools-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-debuginfo-4.14.94-73.73.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="73.73.amzn1" version="4.14.94"><filename>Packages/kernel-headers-4.14.94-73.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" 
status="final" type="security" version="1.4"><id>ALAS-2019-1150</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1150: low priority package update for libXcursor</title><issued date="2019-02-07 04:22" /><updated date="2019-02-08 06:23" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-9262:
1611599:
CVE-2015-9262 libxcursor: 1-byte heap-based overflow in _XcursorThemeInherits function in library.c
_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9262" id="CVE-2015-9262" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libXcursor-debuginfo" release="2.1.10.amzn1" version="1.1.14"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXcursor-devel" release="2.1.10.amzn1" version="1.1.14"><filename>Packages/libXcursor-devel-1.1.14-2.1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libXcursor" release="2.1.10.amzn1" version="1.1.14"><filename>Packages/libXcursor-1.1.14-2.1.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libXcursor-devel" release="2.1.10.amzn1" version="1.1.14"><filename>Packages/libXcursor-devel-1.1.14-2.1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXcursor" release="2.1.10.amzn1" version="1.1.14"><filename>Packages/libXcursor-1.1.14-2.1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libXcursor-debuginfo" release="2.1.10.amzn1"
version="1.1.14"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1151</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1151: medium priority package update for curl</title><issued date="2019-02-07 04:24" /><updated date="2019-02-08 06:25" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20483:
1662705:
CVE-2018-20483 wget: Information exposure in set_file_metadata function in xattr.c
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file&#039;s origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.

CVE-2018-0500:
1597101:
CVE-2018-0500 curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP
A heap-based buffer overflow has been found in the Curl_smtp_escape_eob() function of curl. An attacker could exploit this by convincing a user to use curl to upload data over SMTP with a reduced buffer to cause a crash or corrupt memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483" id="CVE-2018-20483" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500" id="CVE-2018-0500" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl-devel" release="7.91.amzn1" version="7.61.1"><filename>Packages/libcurl-devel-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl" release="7.91.amzn1" version="7.61.1"><filename>Packages/libcurl-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="7.91.amzn1" version="7.61.1"><filename>Packages/curl-debuginfo-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="7.91.amzn1" version="7.61.1"><filename>Packages/curl-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="7.91.amzn1" version="7.61.1"><filename>Packages/curl-7.61.1-7.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="7.91.amzn1" version="7.61.1"><filename>Packages/libcurl-devel-7.61.1-7.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="7.91.amzn1" version="7.61.1"><filename>Packages/libcurl-7.61.1-7.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="7.91.amzn1" version="7.61.1"><filename>Packages/curl-debuginfo-7.61.1-7.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1153</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1153: low priority package update for openssl</title><issued date="2019-03-21 18:40" /><updated
date="2019-03-25 23:11" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0734:
1644364:
CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734" id="CVE-2018-0734" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="16.148.amzn1"
version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="16.148.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-16.148.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1156</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1156: important priority package update for docker</title><issued date="2019-02-08 22:28" /><updated date="2019-02-11 16:26" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5736:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736" id="CVE-2019-5736" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker-debuginfo" release="7.25.amzn1" version="18.06.1ce"><filename>Packages/docker-debuginfo-18.06.1ce-7.25.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker" release="7.25.amzn1" version="18.06.1ce"><filename>Packages/docker-18.06.1ce-7.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1165</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1165: important priority package update for kernel</title><issued
date="2019-02-26 18:55" /><updated date="2019-03-04 23:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-7222:
An information leakage issue was found in the way Linux kernel&#039;s KVM hypervisor handled page fault exceptions while emulating instructions like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with memory address as an operand. It occurs if the operand is a mmio address, as the returned exception object holds uninitialized stack memory contents. A guest user/process could use this flaw to leak host&#039;s stack memory contents to a guest.
1671930:
CVE-2019-7222 Kernel: KVM: leak of uninitialized stack contents to guest

CVE-2019-7221:
A use-after-free vulnerability was found in the way the Linux kernel&#039;s KVM hypervisor emulates a preemption timer for L2 guests when nested (=1) virtualization is enabled. This high resolution timer(hrtimer) runs when a L2 guest is active. After VM exit, the sync_vmcs12() timer object is stopped. The use-after-free occurs if the timer object is freed before calling sync_vmcs12() routine. A guest user/process could use this flaw to crash the host kernel resulting in a denial of service or, potentially, gain privileged access to a system.
1671904:
CVE-2019-7221 Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer

CVE-2019-6974:
A use-after-free vulnerability was found in the way the Linux kernel&#039;s KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object, later this reference is transferred to the caller&#039;s file descriptor table. If such file descriptor was to be closed, reference count to the VM object could become zero, potentially leading to a use-after-free issue.
A user/process could use this flaw to crash the guest VM resulting in a denial of service issue or, potentially, gain privileged access to a system.
1671913:
CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_device()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222" id="CVE-2019-7222" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6974" id="CVE-2019-6974" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7221" id="CVE-2019-7221" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="75.76.amzn1" version="4.14.101"><filename>Packages/perf-debuginfo-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-tools-debuginfo-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-tools-devel-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-headers-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-debuginfo-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="75.76.amzn1"
version="4.14.101"><filename>Packages/kernel-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="75.76.amzn1" version="4.14.101"><filename>Packages/perf-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-devel-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-tools-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-tools-devel-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-tools-debuginfo-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-debuginfo-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-headers-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="75.76.amzn1" version="4.14.101"><filename>Packages/perf-debuginfo-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-tools-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="75.76.amzn1" 
version="4.14.101"><filename>Packages/perf-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-debuginfo-common-i686-4.14.101-75.76.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="75.76.amzn1" version="4.14.101"><filename>Packages/kernel-devel-4.14.101-75.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1166</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1166: important priority package update for httpd24</title><issued date="2019-03-06 22:21" /><updated date="2019-03-25 23:20" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0190:
1668488:
CVE-2019-0190 httpd: mod_ssl: infinite loop triggered by client-initiated renegotiation when using OpenSSL 1.1.1
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

CVE-2018-17199:
1668493:
CVE-2018-17199 httpd: mod_session_cookie does not respect expiry time
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2018-17189:
1668497:
CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199" id="CVE-2018-17199" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189" id="CVE-2018-17189" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190" id="CVE-2019-0190" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="httpd24-manual" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-manual-2.4.38-1.86.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-debuginfo-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_proxy_html-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_ssl-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_md" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_md-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.86.amzn1"
version="2.4.38"><filename>Packages/mod24_session-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-devel-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_ldap-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-tools-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_md" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_md-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_session-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-debuginfo-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_ssl-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_ldap-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-tools" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-tools-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.86.amzn1" version="2.4.38"><filename>Packages/httpd24-devel-2.4.38-1.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" 
name="mod24_proxy_html" release="1.86.amzn1" version="2.4.38"><filename>Packages/mod24_proxy_html-2.4.38-1.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1167</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1167: important priority package update for kernel</title><issued date="2019-03-07 18:18" /><updated date="2019-03-25 23:18" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8912:
1678685:
CVE-2019-8912 kernel: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr
In the Linux kernel af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free (UAF) in sockfs_setattr. A local attacker can use this flaw to escalate privileges and take control of the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912" id="CVE-2019-8912" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perf-debuginfo" release="78.84.amzn1" version="4.14.104"><filename>Packages/perf-debuginfo-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-headers-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-devel-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-tools-debuginfo-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="78.84.amzn1" version="4.14.104"><filename>Packages/perf-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-debuginfo-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-tools-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="78.84.amzn1"
version="4.14.104"><filename>Packages/kernel-tools-devel-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-debuginfo-common-i686-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-tools-devel-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-devel-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="78.84.amzn1" version="4.14.104"><filename>Packages/perf-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-headers-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="78.84.amzn1" version="4.14.104"><filename>Packages/perf-debuginfo-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-tools-debuginfo-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-debuginfo-4.14.104-78.84.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="78.84.amzn1" version="4.14.104"><filename>Packages/kernel-tools-4.14.104-78.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1169</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1169: medium priority package update for python27 python34 python35 python36</title><issued date="2019-03-21 19:25" /><updated date="2019-03-25 23:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5010:
1666519:
CVE-2019-5010 python: NULL pointer dereference using a specially crafted X509 certificate
A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010" id="CVE-2019-5010" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-debuginfo" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-debuginfo-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-libs-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-tools-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="1.125.amzn1"
version="2.7.16"><filename>Packages/python27-devel-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-test-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-tools-2.7.16-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-test-2.7.16-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-devel-2.7.16-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-2.7.16-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-debuginfo-2.7.16-1.125.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="1.125.amzn1" version="2.7.16"><filename>Packages/python27-libs-2.7.16-1.125.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-debuginfo-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-test-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-devel-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.41.amzn1" 
version="3.4.9"><filename>Packages/python34-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-libs-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-tools-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-tools-3.4.9-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-3.4.9-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-debuginfo-3.4.9-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-test-3.4.9-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-libs-3.4.9-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.41.amzn1" version="3.4.9"><filename>Packages/python34-devel-3.4.9-1.41.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python35" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-libs" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-libs-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-tools" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-tools-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="python35-test" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-test-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-devel" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-devel-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-debuginfo" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-debuginfo-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python35-test" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-test-3.5.6-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-3.5.6-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-debuginfo" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-debuginfo-3.5.6-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-devel" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-devel-3.5.6-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-tools" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-tools-3.5.6-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-libs" release="1.14.amzn1" version="3.5.6"><filename>Packages/python35-libs-3.5.6-1.14.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python36" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-test" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-test-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-tools" release="1.11.amzn1" 
version="3.6.8"><filename>Packages/python36-tools-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-devel" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-devel-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debug" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-debug-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-libs" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-libs-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debuginfo" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-debuginfo-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python36-devel" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-devel-3.6.8-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-tools" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-tools-3.6.8-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debug" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-debug-3.6.8-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debuginfo" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-debuginfo-3.6.8-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-test" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-test-3.6.8-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-libs" release="1.11.amzn1" version="3.6.8"><filename>Packages/python36-libs-3.6.8-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36" release="1.11.amzn1" 
version="3.6.8"><filename>Packages/python36-3.6.8-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1172</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1172: medium priority package update for golang</title><issued date="2019-03-07 16:17" /><updated date="2019-03-25 23:17" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-6486:
1668972:
CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486" id="CVE-2019-6486" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="golang-src" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-src-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-docs-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-1.10.6-1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-bin" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-bin-1.10.6-1.48.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-race" release="1.48.amzn1"
version="1.10.6"><filename>Packages/golang-race-1.10.6-1.48.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-tests-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-misc-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-bin-1.10.6-1.48.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.48.amzn1" version="1.10.6"><filename>Packages/golang-1.10.6-1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1174</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1174: low priority package update for libwmf</title><issued date="2019-03-21 18:35" /><updated date="2019-03-25 23:11" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-6978:
The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.
1671390:
CVE-2019-6978 gd: double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978" id="CVE-2019-6978" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libwmf-lite" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-lite-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwmf-debuginfo" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwmf-devel" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-devel-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libwmf" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libwmf-lite" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-lite-0.2.8.4-41.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwmf-devel" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-devel-0.2.8.4-41.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwmf" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-0.2.8.4-41.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libwmf-debuginfo" release="41.13.amzn1" version="0.2.8.4"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1176</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1176: medium priority package update for
squid</title><issued date="2019-03-18 17:59" /><updated date="2019-03-25 23:09" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19132:
1645154:
CVE-2018-19132 squid: Memory leak in SNMP query rejection code
A memory leak was discovered in the way Squid handles SNMP denied queries. A remote attacker may use this flaw to exhaust the resources on the server machine.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19132" id="CVE-2018-19132" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="7" name="squid-debuginfo" release="12.38.amzn1" version="3.5.20"><filename>Packages/squid-debuginfo-3.5.20-12.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid" release="12.38.amzn1" version="3.5.20"><filename>Packages/squid-3.5.20-12.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="7" name="squid-migration-script" release="12.38.amzn1" version="3.5.20"><filename>Packages/squid-migration-script-3.5.20-12.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="7" name="squid" release="12.38.amzn1" version="3.5.20"><filename>Packages/squid-3.5.20-12.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid-migration-script" release="12.38.amzn1" version="3.5.20"><filename>Packages/squid-migration-script-3.5.20-12.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="7" name="squid-debuginfo" release="12.38.amzn1" version="3.5.20"><filename>Packages/squid-debuginfo-3.5.20-12.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1177</id><title>Amazon Linux AMI 2014.03 -
ALAS-2019-1177: medium priority package update for java-1.7.0-openjdk</title><issued date="2019-03-18 19:02" /><updated date="2019-03-25 23:12" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2422:
1665945:
CVE-2019-2422 OpenJDK: memory disclosure in FileChannelImpl (Libraries, 8206290)
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2422" id="CVE-2019-2422" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.211-2.6.17.1.79.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1"
name="java-1.7.0-openjdk-devel" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.17.1.79.amzn1" version="1.7.0.211"><filename>Packages/java-1.7.0-openjdk-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1178</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1178: medium priority package update for mysql56</title><issued date="2019-03-20 22:27" /><updated date="2019-03-25 23:08" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2537:
1666763:
CVE-2019-2537 mysql: Server: DDL unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2019-2534:
1666760:
CVE-2019-2534 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

CVE-2019-2531:
1666757:
CVE-2019-2531 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2529:
1666755:
CVE-2019-2529 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2507:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666750:
CVE-2019-2507 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)

CVE-2019-2503:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).
1666749:
CVE-2019-2503 mysql: Server: Connection Handling unspecified vulnerability (CPU Jan 2019)

CVE-2019-2482:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666744:
CVE-2019-2482 mysql: Server: PS unspecified vulnerability (CPU Jan 2019)

CVE-2019-2481:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666743:
CVE-2019-2481 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)

CVE-2019-2455:
1666742:
CVE-2019-2455 mysql: Server: Parser unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior.
Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2507" id="CVE-2019-2507" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481" id="CVE-2019-2481" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2482" id="CVE-2019-2482" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2503" id="CVE-2019-2503" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2534" id="CVE-2019-2534" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2537" id="CVE-2019-2537" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2531" id="CVE-2019-2531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2455" id="CVE-2019-2455" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2529" id="CVE-2019-2529" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mysql56-test" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-test-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-bench" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-bench-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-server"
release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-server-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-embedded-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-debuginfo" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-libs" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-libs-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-devel" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-devel-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-errmsg" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-errmsg-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-common" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-common-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56-embedded-devel" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql56" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-bench" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-bench-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-libs" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-libs-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-errmsg" release="1.32.amzn1" 
version="5.6.43"><filename>Packages/mysql56-errmsg-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded-devel" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-embedded-devel-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-server" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-server-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-debuginfo" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-debuginfo-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-common" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-common-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-embedded" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-embedded-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-test" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-test-5.6.43-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql56-devel" release="1.32.amzn1" version="5.6.43"><filename>Packages/mysql56-devel-5.6.43-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1179</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1179: important priority package update for kernel</title><issued date="2019-03-20 22:39" /><updated date="2019-03-25 23:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9213:
1686136:
CVE-2019-9213 kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms
A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers to abuse this mechanism to turn null pointer dereferences into workable exploits.

CVE-2019-8980:
1679972:
CVE-2019-8980 kernel: memory leak in the kernel_read_file function in fs/exec.c allows to cause a denial of service
A kernel memory leak was found in the kernel_read_file() function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service (DoS).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9213" id="CVE-2019-9213" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8980" id="CVE-2019-8980" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-debuginfo-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-tools-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="79.86.amzn1" version="4.14.106"><filename>Packages/perf-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="79.86.amzn1"
version="4.14.106"><filename>Packages/kernel-headers-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-tools-debuginfo-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-tools-devel-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="79.86.amzn1" version="4.14.106"><filename>Packages/perf-debuginfo-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-devel-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-debuginfo-common-i686-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-headers-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-tools-debuginfo-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="79.86.amzn1" version="4.14.106"><filename>Packages/perf-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="79.86.amzn1" 
version="4.14.106"><filename>Packages/kernel-devel-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-debuginfo-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-tools-devel-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="79.86.amzn1" version="4.14.106"><filename>Packages/kernel-tools-4.14.106-79.86.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="79.86.amzn1" version="4.14.106"><filename>Packages/perf-debuginfo-4.14.106-79.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1180</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1180: important priority package update for perl</title><issued date="2019-03-20 23:05" /><updated date="2019-03-25 23:04" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-18311:
1646730:
CVE-2018-18311 perl: Integer overflow leading to buffer overflow in Perl_my_setenv()
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18311" id="CVE-2018-18311" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="perl-core" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-core-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-debuginfo" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-debuginfo-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="perl-Object-Accessor" release="294.43.amzn1" version="0.42"><filename>Packages/perl-Object-Accessor-0.42-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="perl-Locale-Maketext-Simple" release="294.43.amzn1" version="0.21"><filename>Packages/perl-Locale-Maketext-Simple-0.21-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="perl-Pod-Escapes" release="294.43.amzn1" version="1.04"><filename>Packages/perl-Pod-Escapes-1.04-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="perl-Module-Loaded" release="294.43.amzn1" version="0.08"><filename>Packages/perl-Module-Loaded-0.08-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="1" name="perl-IO-Zlib" release="294.43.amzn1" version="1.10"><filename>Packages/perl-IO-Zlib-1.10-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-CPAN" release="294.43.amzn1" version="1.9800"><filename>Packages/perl-CPAN-1.9800-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-ExtUtils-Embed" release="294.43.amzn1" version="1.30"><filename>Packages/perl-ExtUtils-Embed-1.30-294.43.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-macros" release="294.43.amzn1"
version="5.16.3"><filename>Packages/perl-macros-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="perl-ExtUtils-CBuilder" release="294.43.amzn1" version="0.28.2.6"><filename>Packages/perl-ExtUtils-CBuilder-0.28.2.6-294.43.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="perl-ExtUtils-Install" release="294.43.amzn1" version="1.58"><filename>Packages/perl-ExtUtils-Install-1.58-294.43.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="perl-Time-Piece" release="294.43.amzn1" version="1.20.1"><filename>Packages/perl-Time-Piece-1.20.1-294.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-devel" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-devel-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-libs" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-libs-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="perl-Package-Constants" release="294.43.amzn1" version="0.02"><filename>Packages/perl-Package-Constants-0.02-294.43.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="4" name="perl-tests" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-tests-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="perl-Module-CoreList" release="294.43.amzn1" version="2.76.02"><filename>Packages/perl-Module-CoreList-2.76.02-294.43.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="4" name="perl-tests" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-tests-5.16.3-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-core" release="294.43.amzn1" 
version="5.16.3"><filename>Packages/perl-core-5.16.3-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perl-Time-Piece" release="294.43.amzn1" version="1.20.1"><filename>Packages/perl-Time-Piece-1.20.1-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-5.16.3-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-libs" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-libs-5.16.3-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-macros" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-macros-5.16.3-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-devel" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-devel-5.16.3-294.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="4" name="perl-debuginfo" release="294.43.amzn1" version="5.16.3"><filename>Packages/perl-debuginfo-5.16.3-294.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1181</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1181: medium priority package update for mysql57</title><issued date="2019-03-20 23:45" /><updated date="2019-03-25 23:03" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2537:
1666763:
CVE-2019-2537 mysql: Server: DDL unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior.
Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2534:
1666760:
CVE-2019-2534 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

CVE-2019-2532:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666758:
CVE-2019-2532 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2019)

CVE-2019-2531:
1666757:
CVE-2019-2531 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2529:
1666755:
CVE-2019-2529 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2528:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666753:
CVE-2019-2528 mysql: Server: Partition unspecified vulnerability (CPU Jan 2019)

CVE-2019-2510:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666751:
CVE-2019-2510 mysql: InnoDB unspecified vulnerability (CPU Jan 2019)

CVE-2019-2507:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666750:
CVE-2019-2507 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)

CVE-2019-2503:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).
1666749:
CVE-2019-2503 mysql: Server: Connection Handling unspecified vulnerability (CPU Jan 2019)

CVE-2019-2486:
1666745:
CVE-2019-2486 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2482:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666744:
CVE-2019-2482 mysql: Server: PS unspecified vulnerability (CPU Jan 2019)

CVE-2019-2481:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666743:
CVE-2019-2481 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)

CVE-2019-2455:
1666742:
CVE-2019-2455 mysql: Server: Parser unspecified vulnerability (CPU Jan 2019)
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2019-2434:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666740:
CVE-2019-2434 mysql: Server: Parser unspecified vulnerability (CPU Jan 2019)

CVE-2019-2420:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666738:
CVE-2019-2420 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2486" id="CVE-2019-2486" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2434" id="CVE-2019-2434" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2507" id="CVE-2019-2507" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481" id="CVE-2019-2481" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2482" id="CVE-2019-2482" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2534" id="CVE-2019-2534" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2537" id="CVE-2019-2537" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2510" id="CVE-2019-2510" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2531" id="CVE-2019-2531" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2455" id="CVE-2019-2455" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2532" id="CVE-2019-2532" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2420" id="CVE-2019-2420" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2503" id="CVE-2019-2503" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2528" id="CVE-2019-2528" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2529" id="CVE-2019-2529" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux
AMI</name><package arch="x86_64" epoch="0" name="mysql57-common" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-common-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-debuginfo" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-debuginfo-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded-devel" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-embedded-devel-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-server" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-server-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-libs" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-libs-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-test" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-test-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-errmsg" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-errmsg-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-devel" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-devel-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mysql57-embedded" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-embedded-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-test" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-test-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-debuginfo" 
release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-debuginfo-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-devel" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-devel-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-errmsg" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-errmsg-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-server" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-server-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded-devel" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-embedded-devel-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-common" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-common-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-libs" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-libs-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57-embedded" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-embedded-5.7.25-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mysql57" release="1.11.amzn1" version="5.7.25"><filename>Packages/mysql57-5.7.25-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1182</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1182: low priority package update for nvidia</title><issued date="2019-03-21 19:07" /><updated date="2019-03-25 22:47" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6260:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6260" id="CVE-2018-6260" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="nvidia-dkms" release="2018.03.111.amzn1" version="410.104"><filename>Packages/nvidia-dkms-410.104-2018.03.111.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="nvidia" release="2018.03.111.amzn1" version="410.104"><filename>Packages/nvidia-410.104-2018.03.111.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1186</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1186: medium priority package update for file</title><issued date="2019-03-21 22:08" /><updated date="2019-03-25 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8907:
1679138:
CVE-2019-8907 file: do_core_note in readelf.c allows remote attackers to cause a denial of service
do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.

CVE-2019-8906:
1679175:
CVE-2019-8906 file: out-of-bounds read in do_core_note in readelf.c
do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.

CVE-2019-8905:
1679181:
CVE-2019-8905 file: stack-based buffer over-read in do_core_note in readelf.c
do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.

CVE-2019-8904:
1679188:
CVE-2019-8904 file: stack-based buffer over-read in do_bid_note in readelf.c
do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8906" id="CVE-2019-8906" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907" id="CVE-2019-8907" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8904" id="CVE-2019-8904" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8905" id="CVE-2019-8905" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python27-magic" release="3.37.amzn1" version="5.34"><filename>Packages/python27-magic-5.34-3.37.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-static" release="3.37.amzn1" version="5.34"><filename>Packages/file-static-5.34-3.37.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="python26-magic" release="3.37.amzn1" version="5.34"><filename>Packages/python26-magic-5.34-3.37.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="file-devel" release="3.37.amzn1" version="5.34"><filename>Packages/file-devel-5.34-3.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file" release="3.37.amzn1" version="5.34"><filename>Packages/file-5.34-3.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-debuginfo" release="3.37.amzn1" version="5.34"><filename>Packages/file-debuginfo-5.34-3.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="file-libs" release="3.37.amzn1"
version="5.34"><filename>Packages/file-libs-5.34-3.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="file" release="3.37.amzn1" version="5.34"><filename>Packages/file-5.34-3.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-devel" release="3.37.amzn1" version="5.34"><filename>Packages/file-devel-5.34-3.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-libs" release="3.37.amzn1" version="5.34"><filename>Packages/file-libs-5.34-3.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-debuginfo" release="3.37.amzn1" version="5.34"><filename>Packages/file-debuginfo-5.34-3.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="file-static" release="3.37.amzn1" version="5.34"><filename>Packages/file-static-5.34-3.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1187</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1187: medium priority package update for bind</title><issued date="2019-04-04 19:13" /><updated date="2019-04-09 16:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15510 CVE-2018-5741: 15511 To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. 
This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3. 15512 1631131: 15513 CVE-2018-5741 bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies 15514 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741" id="CVE-2018-5741" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-utils" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-chroot" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.68.rc1.59.amzn1" 
version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.68.rc1.59.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1188</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1188: medium priority package update for openssl</title><issued date="2019-04-04 19:13" /><updated date="2019-04-09 16:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1559:
1683804:
CVE-2019-1559 openssl: 0-byte record padding oracle
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to
if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable &quot;non-stitched&quot; ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

CVE-2018-5407:
A microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.
1645695:
CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559" id="CVE-2019-1559" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407" id="CVE-2018-5407" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="openssl" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-static" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-devel" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-debuginfo" release="16.150.amzn1"
version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="openssl-perl" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="openssl-debuginfo" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-debuginfo-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-static" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-static-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-devel" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-devel-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="openssl-perl" release="16.150.amzn1" version="1.0.2k"><filename>Packages/openssl-perl-1.0.2k-16.150.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1189</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1189: important priority package update for httpd24</title><issued date="2019-04-05 20:05" /><updated date="2019-08-06 21:31" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0220:
1695036:
CVE-2019-0220 httpd: URL normalization inconsistency

CVE-2019-0217:
1695020:
CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration.
It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

CVE-2019-0215:
1695025:
CVE-2019-0215 httpd: mod_ssl: access control bypass when using per-location client certification authentication
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVE-2019-0211:
1694980:
CVE-2019-0211 httpd: privilege escalation from modules scripts

CVE-2019-0197:
1695042:
CVE-2019-0197 httpd: mod_http2: possible crash on late upgrade

CVE-2019-0196:
1695030:
CVE-2019-0196 httpd: mod_http2: read-after-free on a string compare
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220" id="CVE-2019-0220" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215" id="CVE-2019-0215" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217" id="CVE-2019-0217" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197" id="CVE-2019-0197" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0196" id="CVE-2019-0196" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211" id="CVE-2019-0211" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="httpd24-manual" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-manual-2.4.39-1.87.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_session" release="1.87.amzn1"
version="2.4.39"><filename>Packages/mod24_session-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_md" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_md-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_ssl" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_ssl-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-tools" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-tools-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-devel" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-devel-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="mod24_proxy_html" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_proxy_html-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_ldap" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_ldap-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="httpd24-debuginfo" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-debuginfo-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-debuginfo" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-debuginfo-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_proxy_html" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_proxy_html-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-2.4.39-1.87.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="httpd24-tools" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-tools-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="httpd24-devel" release="1.87.amzn1" version="2.4.39"><filename>Packages/httpd24-devel-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_session" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_session-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_ldap" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_ldap-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="mod24_ssl" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_ssl-2.4.39-1.87.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_md" release="1.87.amzn1" version="2.4.39"><filename>Packages/mod24_md-2.4.39-1.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1194</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1194: important priority package update for wget</title><issued date="2019-04-17 18:51" /><updated date="2019-04-19 16:26" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5953:
1695679:
CVE-2019-5953 wget: Buffer overflow vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953" id="CVE-2019-5953" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="wget-debuginfo" release="5.30.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-5.30.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="wget" release="5.30.amzn1" version="1.18"><filename>Packages/wget-1.18-5.30.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="wget" release="5.30.amzn1" version="1.18"><filename>Packages/wget-1.18-5.30.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="wget-debuginfo" release="5.30.amzn1" version="1.18"><filename>Packages/wget-debuginfo-1.18-5.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1200</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1200: important priority package update for mod24_auth_mellon</title><issued date="2019-05-02 17:18" /><updated date="2019-05-06 17:51" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3878:
1691126:
CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow
A vulnerability was found in mod_auth_mellon. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding special HTTP headers that are normally used to start the special SAML ECP (non-browser based) can be used to bypass authentication.

CVE-2019-3877:
1691125:
CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878" id="CVE-2019-3878" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3877" id="CVE-2019-3877" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="mod24_auth_mellon-diagnostics" release="2.8.amzn1" version="0.14.0"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_auth_mellon-debuginfo" release="2.8.amzn1" version="0.14.0"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.8.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="mod24_auth_mellon" release="2.8.amzn1" version="0.14.0"><filename>Packages/mod24_auth_mellon-0.14.0-2.8.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="mod24_auth_mellon-diagnostics" release="2.8.amzn1" version="0.14.0"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_auth_mellon-debuginfo" release="2.8.amzn1" version="0.14.0"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.8.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="mod24_auth_mellon" release="2.8.amzn1" version="0.14.0"><filename>Packages/mod24_auth_mellon-0.14.0-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1201</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1201: important priority package update for kernel</title><issued date="2019-05-02 17:22" /><updated date="2019-05-06 17:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-7308:
A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The code in the kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
1672355:
CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass

CVE-2019-3460:
1663179:
CVE-2019-3460 kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP
A flaw was found in the Linux kernel&#039;s implementation of logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack in the l2cap_parse_conf_rsp and l2cap_parse_conf_req functions. An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.

CVE-2019-3459:
1663176:
CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
A flaw was found in the Linux kernels implementation of Logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack. An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459" id="CVE-2019-3459" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3460" id="CVE-2019-3460" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7308" id="CVE-2019-7308" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-devel-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-tools-debuginfo-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="82.97.amzn1" version="4.14.114"><filename>Packages/perf-debuginfo-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-tools-devel-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-headers-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64"
epoch="0" name="kernel-tools" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-tools-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="82.97.amzn1" version="4.14.114"><filename>Packages/perf-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="82.97.amzn1" version="4.14.114"><filename>Packages/perf-debuginfo-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-common-i686-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-tools-devel-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-headers-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-devel-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="82.97.amzn1" version="4.14.114"><filename>Packages/perf-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-tools-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-tools-debuginfo-4.14.114-82.97.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" 
release="82.97.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-4.14.114-82.97.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1202</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1202: important priority package update for python34</title><issued date="2019-05-02 17:31" /><updated date="2019-05-06 17:48" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9636:
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.

CVE-2018-20406:
1664509:
CVE-2018-20406 python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a &quot;resize to twice the size&quot; attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406" id="CVE-2018-20406" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" id="CVE-2019-9636" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python34" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-debuginfo-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-libs-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-devel-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-tools-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-test-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-devel-3.4.10-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-debuginfo-3.4.10-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-libs-3.4.10-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools"
release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-tools-3.4.10-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-test-3.4.10-1.43.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.43.amzn1" version="3.4.10"><filename>Packages/python34-3.4.10-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1204</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1204: important priority package update for python36</title><issued date="2019-05-29 19:20" /><updated date="2019-08-06 21:28" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.

CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()

CVE-2019-9636:
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" id="CVE-2019-9947" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" id="CVE-2019-9740" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" id="CVE-2019-9636" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python36-devel" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-devel-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-libs" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-libs-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-tools" release="1.13.amzn1"
version="3.6.8"><filename>Packages/python36-tools-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debug" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-debug-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-test" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-test-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debuginfo" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-debuginfo-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python36-debuginfo" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-debuginfo-3.6.8-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debug" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-debug-3.6.8-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-devel" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-devel-3.6.8-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-tools" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-tools-3.6.8-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-3.6.8-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-libs" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-libs-3.6.8-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-test" release="1.13.amzn1" version="3.6.8"><filename>Packages/python36-test-3.6.8-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1205</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2019-1205: important priority package update for kernel</title><issued date="2019-05-07 22:54" /><updated date="2019-05-14 23:05" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11091:
Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
1705312:
CVE-2019-11091 hardware: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

CVE-2018-12130:
1646784:
CVE-2018-12130 hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS)
A flaw was found in the implementation of the &quot;fill buffer&quot;, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.

CVE-2018-12127:
Microprocessors use a load port subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPUs pipelines. Stale load operations results are stored in the &#039;load port&#039; table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel.
15619 1667782: 15620 CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS) 15621 15622 CVE-2018-12126: 15623 Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the &#039;processor store buffer&#039;. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU&#039;s processor store buffer. 15624 1646781: 15625 CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS) 15626 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091" id="CVE-2019-11091" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130" id="CVE-2018-12130" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127" id="CVE-2018-12127" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126" id="CVE-2018-12126" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="83.126.amzn1" 
version="4.14.114"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" 
release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-common-i686-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-4.14.114-83.126.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1206</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1206: medium priority package update for ntp</title><issued date="2019-05-16 22:30" /><updated date="2019-05-20 19:01" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8936:
1686605:
CVE-2019-8936 ntp: Crafted null dereference attack in authenticated mode 6 packet
NTP through 4.2.8p12 has a NULL Pointer Dereference.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936" id="CVE-2019-8936" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ntp-doc" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntp-doc-4.2.8p12-1.41.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntp-4.2.8p12-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ntp-debuginfo" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntp-debuginfo-4.2.8p12-1.41.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ntp-perl" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntp-perl-4.2.8p12-1.41.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ntpdate" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntpdate-4.2.8p12-1.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ntp-debuginfo" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntp-debuginfo-4.2.8p12-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntp" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntp-4.2.8p12-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ntpdate" release="1.41.amzn1" version="4.2.8p12"><filename>Packages/ntpdate-4.2.8p12-1.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1207</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1207: low priority package update for graphviz</title><issued date="2019-05-16 22:32" /><updated date="2019-05-20 18:59" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI
that fix the following vulnerabilities:
CVE-2019-11023:
The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.
1699848:
CVE-2019-11023 graphviz: null pointer dereference in function agroot() in cgraph\obj.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11023" id="CVE-2019-11023" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="graphviz-lua" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-lua-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-ruby" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-ruby-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-graphs" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-graphs-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-gd" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-gd-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-devel" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-devel-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-tcl" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-tcl-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-doc" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-doc-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="graphviz-guile" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-guile-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-python27" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-python27-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-java" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-java-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-debuginfo" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-debuginfo-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-python26" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-python26-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-R" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-R-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-perl" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-perl-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="graphviz-php54" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-php54-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-R" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-R-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-debuginfo" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-debuginfo-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-graphs" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-graphs-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-lua" release="18.51.amzn1" 
version="2.38.0"><filename>Packages/graphviz-lua-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-tcl" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-tcl-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-python26" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-python26-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-java" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-java-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-gd" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-gd-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-php54" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-php54-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-python27" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-python27-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-ruby" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-ruby-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-doc" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-doc-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-perl" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-perl-2.38.0-18.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="graphviz-guile" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-guile-2.38.0-18.51.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="graphviz-devel" release="18.51.amzn1" version="2.38.0"><filename>Packages/graphviz-devel-2.38.0-18.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1208</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1208: important priority package update for tomcat8</title><issued date="2019-05-16 23:11" /><updated date="2019-05-20 18:59" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0232:
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange&#039;s blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
1701056:
CVE-2019-0232 tomcat: Remote Code Execution on Windows

CVE-2019-0199:
1693325:
CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data.
By keeping streams open for requests that utilised the Servlet API&#039;s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

CVE-2018-11784:
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to &#039;/foo/&#039; when the user requested &#039;/foo&#039;) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
1636512:
CVE-2018-11784 tomcat: Open redirect in default servlet
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784" id="CVE-2018-11784" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199" id="CVE-2019-0199" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" id="CVE-2019-0232" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-docs-webapp-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-el-3.0-api-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-admin-webapps-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.79.amzn1"
version="8.5.40"><filename>Packages/tomcat8-jsp-2.3-api-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-log4j" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-log4j-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-servlet-3.1-api-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-webapps-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-lib-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.79.amzn1" version="8.5.40"><filename>Packages/tomcat8-javadoc-8.5.40-1.79.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1212</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1212: important priority package update for kernel</title><issued date="2019-05-20 23:27" /><updated date="2019-05-20 23:55" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11815:
1708518:
CVE-2019-11815 kernel: race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to use-after-free
A flaw was found in the Linux kernel&#039;s implementation of RDS over TCP. A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a use after free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down.
This can lead to possible memory corruption and privilege escalation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11815" id="CVE-2019-11815" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="83.126.amzn1"
version="4.14.114"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-common-i686-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="83.126.amzn1" version="4.14.114"><filename>Packages/kernel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="83.126.amzn1" 
version="4.14.114"><filename>Packages/perf-4.14.114-83.126.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1213</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1213: important priority package update for clamav</title><issued date="2019-05-16 23:16" /><updated date="2019-05-20 19:09" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1789:


CVE-2019-1788:


CVE-2019-1787:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787" id="CVE-2019-1787" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789" id="CVE-2019-1789" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788" id="CVE-2019-1788" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="clamav-lib" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-lib-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-devel" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-devel-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-db" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-db-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-debuginfo" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-debuginfo-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamd" release="1.38.amzn1"
version="0.101.2"><filename>Packages/clamd-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-data" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-data-0.101.2-1.38.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="clamav-filesystem" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-filesystem-0.101.2-1.38.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-milter" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-milter-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="clamav-update" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-update-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="clamav-lib" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-lib-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-update" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-update-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-debuginfo" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-debuginfo-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamd" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamd-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-db" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-db-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="clamav-devel" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-devel-0.101.2-1.38.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="clamav-milter" release="1.38.amzn1" version="0.101.2"><filename>Packages/clamav-milter-0.101.2-1.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1214</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1214: important priority package update for kernel</title><issued date="2019-05-29 19:35" /><updated date="2019-05-30 20:08" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9500:
If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.
1701224:
CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results

CVE-2019-5489:
A new software page cache side channel attack scenario was discovered in operating systems that implement the very common &#039;page cache&#039; caching mechanism.
A malicious user/process could use &#039;in memory&#039; page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel.
1664110:
CVE-2019-5489 Kernel: page cache side channel attacks

CVE-2019-3882:
A flaw was found in the Linux kernel&#039;s vfio interface implementation that permits violation of the user&#039;s locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
1689426:
CVE-2019-3882 kernel: denial of service vector through vfio DMA mappings

CVE-2019-11884:
1709837:
CVE-2019-11884 kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command
The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a &#039;\0&#039; character.

CVE-2019-10142:
1711194:
CVE-2019-10142 kernel: integer overflow in ioctl handling of fsl hypervisor
A flaw was found in the Linux kernel&#039;s freescale hypervisor manager implementation. A parameter passed via to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system or corrupt memory or, possibly, create other adverse security affects.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3882" id="CVE-2019-3882" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5489" id="CVE-2019-5489" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10142" id="CVE-2019-10142" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11884" id="CVE-2019-11884" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9500" id="CVE-2019-9500" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-tools-devel-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-tools-debuginfo-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-tools-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="85.96.amzn1" version="4.14.121"><filename>Packages/perf-debuginfo-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-devel-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="85.96.amzn1"
version="4.14.121"><filename>Packages/kernel-headers-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="85.96.amzn1" version="4.14.121"><filename>Packages/perf-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-debuginfo-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-devel-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="85.96.amzn1" version="4.14.121"><filename>Packages/perf-debuginfo-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-tools-debuginfo-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="85.96.amzn1" version="4.14.121"><filename>Packages/perf-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-headers-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-tools-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-debuginfo-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="85.96.amzn1" 
version="4.14.121"><filename>Packages/kernel-tools-devel-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-debuginfo-common-i686-4.14.121-85.96.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="85.96.amzn1" version="4.14.121"><filename>Packages/kernel-4.14.121-85.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1221</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1221: critical priority package update for exim</title><issued date="2019-06-05 17:12" /><updated date="2019-06-05 23:22" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-10149:
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
1715237:
CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149" id="CVE-2019-10149" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-debuginfo" release="1.20.amzn1" version="4.91"><filename>Packages/exim-debuginfo-4.91-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-pgsql" release="1.20.amzn1" version="4.91"><filename>Packages/exim-pgsql-4.91-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="1.20.amzn1" version="4.91"><filename>Packages/exim-4.91-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="1.20.amzn1" version="4.91"><filename>Packages/exim-greylist-4.91-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="1.20.amzn1" version="4.91"><filename>Packages/exim-mon-4.91-1.20.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mysql" release="1.20.amzn1" version="4.91"><filename>Packages/exim-mysql-4.91-1.20.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="1.20.amzn1" version="4.91"><filename>Packages/exim-pgsql-4.91-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="1.20.amzn1" version="4.91"><filename>Packages/exim-mysql-4.91-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="1.20.amzn1" version="4.91"><filename>Packages/exim-greylist-4.91-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="1.20.amzn1"
version="4.91"><filename>Packages/exim-debuginfo-4.91-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="1.20.amzn1" version="4.91"><filename>Packages/exim-mon-4.91-1.20.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="1.20.amzn1" version="4.91"><filename>Packages/exim-4.91-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1222</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1222: critical priority package update for kernel</title><issued date="2019-06-13 21:37" /><updated date="2019-06-17 17:58" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11479:


CVE-2019-11478:


CVE-2019-11477:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479" id="CVE-2019-11479" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478" id="CVE-2019-11478" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477" id="CVE-2019-11477" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-devel-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-tools-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="86.109.amzn1"
version="4.14.123"><filename>Packages/kernel-tools-devel-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-debuginfo-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-headers-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-tools-debuginfo-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="86.109.amzn1" version="4.14.123"><filename>Packages/perf-debuginfo-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="86.109.amzn1" version="4.14.123"><filename>Packages/perf-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-debuginfo-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="86.109.amzn1" version="4.14.123"><filename>Packages/perf-debuginfo-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-tools-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="kernel-devel" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-devel-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-tools-debuginfo-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-tools-devel-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-debuginfo-common-i686-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="86.109.amzn1" version="4.14.123"><filename>Packages/kernel-headers-4.14.123-86.109.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="86.109.amzn1" version="4.14.123"><filename>Packages/perf-4.14.123-86.109.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1223</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1223: important priority package update for python-jinja2</title><issued date="2019-06-11 22:37" /><updated date="2019-06-13 18:34" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10745:
1698345:
CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745" id="CVE-2016-10745" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python26-jinja2" release="3.16.amzn1" version="2.7.2"><filename>Packages/python26-jinja2-2.7.2-3.16.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python27-jinja2" release="3.16.amzn1" version="2.7.2"><filename>Packages/python27-jinja2-2.7.2-3.16.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1224</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1224: low priority package update for python-urllib3</title><issued date="2019-06-11 22:41" /><updated date="2019-06-13 18:35" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20060:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
1649153:
CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header allow for credential exposure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060" id="CVE-2018-20060" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python27-urllib3" release="1.6.amzn1" version="1.24.1"><filename>Packages/python27-urllib3-1.24.1-1.6.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="python26-urllib3" release="1.6.amzn1" version="1.24.1"><filename>Packages/python26-urllib3-1.24.1-1.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1225</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1225: low priority package update for php71 php72 php73</title><issued date="2019-06-11 23:00" /><updated date="2019-06-13 18:37" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11036:
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
1707299:
CVE-2019-11036 php: buffer over-read in exif_process_IFD_TAG function leading to information disclosure

CVE-2019-11035:
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
1702246:
CVE-2019-11035 php: heap buffer overflow in function exif_iif_add_value

CVE-2019-11034:
1702256:
CVE-2019-11034 php: heap buffer overflow in function xif_process_IFD_TAG
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11036" id="CVE-2019-11036" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11035" id="CVE-2019-11035" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11034" id="CVE-2019-11034" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php72-embedded" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-embedded-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-soap" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-soap-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-dbg-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pspell" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pspell-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-xmlrpc-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0"
name="php72-recode" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-recode-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-devel-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-ldap-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-imap" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-imap-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-odbc-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-intl-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-dba-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-opcache-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-cli-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-common-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gmp" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-gmp-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.13.amzn1" 
version="7.2.18"><filename>Packages/php72-mysqlnd-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pdo-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-fpm" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-fpm-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-debuginfo-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-tidy" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-tidy-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-json-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-snmp-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-xml-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-enchant" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-enchant-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pdo-dblib-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-process-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-bcmath" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-bcmath-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php72-mbstring" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-mbstring-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pgsql" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pgsql-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-gd-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-mbstring-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-devel-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-cli-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-soap-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo-dblib" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pdo-dblib-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-snmp-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-xmlrpc-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-ldap-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-imap-7.2.18-1.13.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="php72-json" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-json-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-process-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-tidy-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-embedded" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-embedded-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pspell-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-debuginfo-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-gd-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-intl-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pgsql-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-xml-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-enchant-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.13.amzn1" 
version="7.2.18"><filename>Packages/php72-bcmath-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dbg" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-dbg-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-fpm-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-common-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gmp" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-gmp-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-mysqlnd-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-pdo-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-odbc-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-opcache-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-recode-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dba" release="1.13.amzn1" version="7.2.18"><filename>Packages/php72-dba-7.2.18-1.13.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.39.amzn1" 
version="7.1.29"><filename>Packages/php71-mbstring-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-enchant-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-imap-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-ldap-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-dbg-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-common-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-recode-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-cli-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-mysqlnd-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-embedded-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-odbc-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-tidy-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php71-xml" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-xml-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-snmp-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-gmp-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-mcrypt-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-opcache-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pdo-dblib-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-process-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pgsql-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pdo-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-soap-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-debuginfo-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.39.amzn1" 
version="7.1.29"><filename>Packages/php71-dba-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-gd-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-json-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pspell-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-intl-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-xmlrpc-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-bcmath-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-fpm-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-devel-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-mbstring-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-soap-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" 
release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-dba-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-json-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-opcache-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pspell-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-bcmath-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-intl-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-cli-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-tidy-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-gd-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-xml-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-fpm-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.39.amzn1" 
version="7.1.29"><filename>Packages/php71-enchant-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-gmp-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-common-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pgsql-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pdo-dblib-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-devel-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-mcrypt-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-embedded-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-snmp-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-debuginfo-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-process-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-imap-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" 
release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-mysqlnd-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-xmlrpc-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-pdo-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-ldap-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-recode-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-dbg-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.39.amzn1" version="7.1.29"><filename>Packages/php71-odbc-7.1.29-1.39.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xmlrpc" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-xmlrpc-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-intl" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-intl-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mbstring" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-mbstring-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-json" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-json-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-common" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-common-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php73-tidy" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-tidy-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-devel" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-devel-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-embedded" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-embedded-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-ldap" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-ldap-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dba" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-dba-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-soap" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-soap-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pspell" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pspell-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xml" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-xml-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dbg" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-dbg-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-opcache" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-opcache-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pdo-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php73-process" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-process-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-cli" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-cli-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-odbc" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-odbc-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gd" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-gd-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo-dblib" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pdo-dblib-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-debuginfo" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-debuginfo-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-enchant" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-enchant-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pgsql" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pgsql-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mysqlnd" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-mysqlnd-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-snmp" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-snmp-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-fpm" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-fpm-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-bcmath" release="1.15.amzn1" 
version="7.3.5"><filename>Packages/php73-bcmath-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gmp" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-gmp-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-recode" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-recode-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-imap" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-imap-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php73-imap" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-imap-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-process" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-process-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-json" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-json-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dba" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-dba-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mysqlnd" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-mysqlnd-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-enchant" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-enchant-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-odbc" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-odbc-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xmlrpc" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-xmlrpc-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-fpm" release="1.15.amzn1" 
version="7.3.5"><filename>Packages/php73-fpm-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pdo-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gd" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-gd-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pspell" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pspell-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-cli" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-cli-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-bcmath" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-bcmath-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-embedded" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-embedded-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pgsql" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pgsql-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-debuginfo" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-debuginfo-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dbg" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-dbg-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-devel" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-devel-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-snmp" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-snmp-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xml" release="1.15.amzn1" 
version="7.3.5"><filename>Packages/php73-xml-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-recode" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-recode-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gmp" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-gmp-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-intl" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-intl-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-soap" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-soap-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo-dblib" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-pdo-dblib-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-ldap" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-ldap-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-tidy" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-tidy-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mbstring" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-mbstring-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-opcache" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-opcache-7.3.5-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-common" release="1.15.amzn1" version="7.3.5"><filename>Packages/php73-common-7.3.5-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" 
from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1230</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1230: medium priority package update for python27</title><issued date="2019-06-25 21:32" /><updated date="2019-06-28 21:17" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.

CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module

CVE-2019-9636:
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. 
The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" id="CVE-2019-9947" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" id="CVE-2019-9740" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" id="CVE-2019-9636" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27-test" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-test-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-tools-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-libs-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-devel-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-debuginfo-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-devel-2.7.16-1.127.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="1.127.amzn1" 
version="2.7.16"><filename>Packages/python27-libs-2.7.16-1.127.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-debuginfo-2.7.16-1.127.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-tools-2.7.16-1.127.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-test-2.7.16-1.127.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="1.127.amzn1" version="2.7.16"><filename>Packages/python27-2.7.16-1.127.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1232</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1232: important priority package update for kernel</title><issued date="2019-07-17 23:18" /><updated date="2019-09-13 22:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3900:
1698757:
CVE-2019-3900 Kernel: vhost_net: infinite loop while receiving packets leads to DoS
An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx(). The infinite loop could occur if one end sends packets faster than the other end can process them. A guest user, maybe a remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.

CVE-2019-11599:
A flaw was found in the Linux kernel where the coredump implementation does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs. 
This allows local users to obtain sensitive information, cause a denial of service (DoS), or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls.
1705937:
CVE-2019-11599 kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11599" id="CVE-2019-11599" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3900" id="CVE-2019-3900" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-headers-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-devel-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="88.105.amzn1" version="4.14.133"><filename>Packages/perf-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="88.105.amzn1" version="4.14.133"><filename>Packages/perf-debuginfo-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-tools-devel-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" 
release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-tools-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="88.105.amzn1" version="4.14.133"><filename>Packages/perf-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-tools-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="88.105.amzn1" version="4.14.133"><filename>Packages/perf-debuginfo-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-headers-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-common-i686-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-4.14.133-88.105.amzn1.i686.rpm</filename></package><package 
arch="i686" epoch="0" name="kernel-devel" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-devel-4.14.133-88.105.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="88.105.amzn1" version="4.14.133"><filename>Packages/kernel-tools-devel-4.14.133-88.105.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1233</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1233: low priority package update for curl</title><issued date="2019-07-17 23:19" /><updated date="2019-07-25 18:33" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5436:
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
1710620:
CVE-2019-5436 curl: TFTP receive heap buffer overflow in tftp_receive_packet() function

CVE-2019-5435:
An integer overflow in curl&#039;s URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. 
1710609:
CVE-2019-5435 curl: Integer overflows in curl_url_set() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435" id="CVE-2019-5435" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436" id="CVE-2019-5436" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libcurl" release="11.91.amzn1" version="7.61.1"><filename>Packages/libcurl-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl-debuginfo" release="11.91.amzn1" version="7.61.1"><filename>Packages/curl-debuginfo-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libcurl-devel" release="11.91.amzn1" version="7.61.1"><filename>Packages/libcurl-devel-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="curl" release="11.91.amzn1" version="7.61.1"><filename>Packages/curl-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="curl-debuginfo" release="11.91.amzn1" version="7.61.1"><filename>Packages/curl-debuginfo-7.61.1-11.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="curl" release="11.91.amzn1" version="7.61.1"><filename>Packages/curl-7.61.1-11.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl-devel" release="11.91.amzn1" version="7.61.1"><filename>Packages/libcurl-devel-7.61.1-11.91.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libcurl" release="11.91.amzn1" version="7.61.1"><filename>Packages/libcurl-7.61.1-11.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1234</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2019-1234: important priority package update for tomcat8</title><issued date="2019-07-17 23:21" /><updated date="2019-07-25 18:35" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0221:
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
1713275:
CVE-2019-0221 tomcat: XSS in SSI printenv

CVE-2019-0199:
1693325:
CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API&#039;s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221" id="CVE-2019-0221" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199" id="CVE-2019-0199" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat8-servlet-3.1-api" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-servlet-3.1-api-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-lib" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-lib-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-jsp-2.3-api" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-jsp-2.3-api-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-docs-webapp" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-docs-webapp-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-el-3.0-api" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-el-3.0-api-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-javadoc" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-javadoc-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-admin-webapps" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-admin-webapps-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat8-webapps" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-webapps-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package 
arch="noarch" epoch="0" name="tomcat8-log4j" release="1.80.amzn1" version="8.5.42"><filename>Packages/tomcat8-log4j-8.5.42-1.80.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1235</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1235: low priority package update for tomcat7</title><issued date="2019-07-17 23:23" /><updated date="2019-07-25 18:35" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0221:
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
1713275:
CVE-2019-0221 tomcat: XSS in SSI printenv
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221" id="CVE-2019-0221" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="tomcat7-admin-webapps" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-admin-webapps-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-jsp-2.2-api" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-jsp-2.2-api-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-docs-webapp" release="1.35.amzn1" 
version="7.0.94"><filename>Packages/tomcat7-docs-webapp-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-javadoc" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-javadoc-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-el-2.2-api" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-el-2.2-api-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-log4j" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-log4j-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-servlet-3.0-api" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-servlet-3.0-api-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-lib" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-lib-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="tomcat7-webapps" release="1.35.amzn1" version="7.0.94"><filename>Packages/tomcat7-webapps-7.0.94-1.35.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1236</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1236: medium priority package update for python-urllib3</title><issued date="2019-07-17 23:24" /><updated date="2019-07-25 18:36" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11236:
1700824:
CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service.
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236" id="CVE-2019-11236" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="python27-urllib3" release="1.8.amzn1" version="1.24.3"><filename>Packages/python27-urllib3-1.24.3-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1237</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1237: medium priority package update for php54-pecl-imagick php55-pecl-imagick php56-pecl-imagick php70-pecl-imagick php71-pecl-imagick php72-pecl-imagick</title><issued date="2019-07-17 23:26" /><updated date="2019-07-25 18:37" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11037:
1708570:
CVE-2019-11037 php-imagick: out-of-bounds write to memory in ImagickKernel::fromMatrix() leading to possible crash and DoS
In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11037" id="CVE-2019-11037" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php54-pecl-imagick" release="1.10.amzn1" version="3.4.4"><filename>Packages/php54-pecl-imagick-3.4.4-1.10.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php54-pecl-imagick-debuginfo" release="1.10.amzn1" version="3.4.4"><filename>Packages/php54-pecl-imagick-debuginfo-3.4.4-1.10.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php54-pecl-imagick-debuginfo" release="1.10.amzn1" version="3.4.4"><filename>Packages/php54-pecl-imagick-debuginfo-3.4.4-1.10.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php54-pecl-imagick" release="1.10.amzn1" version="3.4.4"><filename>Packages/php54-pecl-imagick-3.4.4-1.10.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pecl-imagick" release="1.15.amzn1" version="3.4.4"><filename>Packages/php56-pecl-imagick-3.4.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php56-pecl-imagick-debuginfo" release="1.15.amzn1" version="3.4.4"><filename>Packages/php56-pecl-imagick-debuginfo-3.4.4-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php56-pecl-imagick" release="1.15.amzn1" version="3.4.4"><filename>Packages/php56-pecl-imagick-3.4.4-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php56-pecl-imagick-debuginfo" release="1.15.amzn1" version="3.4.4"><filename>Packages/php56-pecl-imagick-debuginfo-3.4.4-1.15.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php55-pecl-imagick" release="1.14.amzn1" version="3.4.4"><filename>Packages/php55-pecl-imagick-3.4.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php55-pecl-imagick-debuginfo" release="1.14.amzn1" version="3.4.4"><filename>Packages/php55-pecl-imagick-debuginfo-3.4.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php55-pecl-imagick" release="1.14.amzn1" version="3.4.4"><filename>Packages/php55-pecl-imagick-3.4.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php55-pecl-imagick-debuginfo" release="1.14.amzn1" version="3.4.4"><filename>Packages/php55-pecl-imagick-debuginfo-3.4.4-1.14.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pecl-imagick-devel" release="1.7.amzn1" version="3.4.4"><filename>Packages/php71-pecl-imagick-devel-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pecl-imagick" release="1.7.amzn1" version="3.4.4"><filename>Packages/php71-pecl-imagick-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pecl-imagick-debuginfo" release="1.7.amzn1" version="3.4.4"><filename>Packages/php71-pecl-imagick-debuginfo-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-pecl-imagick-debuginfo" release="1.7.amzn1" version="3.4.4"><filename>Packages/php71-pecl-imagick-debuginfo-3.4.4-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pecl-imagick" release="1.7.amzn1" version="3.4.4"><filename>Packages/php71-pecl-imagick-3.4.4-1.7.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pecl-imagick-devel" release="1.7.amzn1" version="3.4.4"><filename>Packages/php71-pecl-imagick-devel-3.4.4-1.7.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pecl-imagick-debuginfo" release="1.6.amzn1" version="3.4.4"><filename>Packages/php70-pecl-imagick-debuginfo-3.4.4-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pecl-imagick-devel" release="1.6.amzn1" 
version="3.4.4"><filename>Packages/php70-pecl-imagick-devel-3.4.4-1.6.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php70-pecl-imagick" release="1.6.amzn1" version="3.4.4"><filename>Packages/php70-pecl-imagick-3.4.4-1.6.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php70-pecl-imagick-debuginfo" release="1.6.amzn1" version="3.4.4"><filename>Packages/php70-pecl-imagick-debuginfo-3.4.4-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pecl-imagick" release="1.6.amzn1" version="3.4.4"><filename>Packages/php70-pecl-imagick-3.4.4-1.6.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php70-pecl-imagick-devel" release="1.6.amzn1" version="3.4.4"><filename>Packages/php70-pecl-imagick-devel-3.4.4-1.6.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pecl-imagick-devel" release="1.9.amzn1" version="3.4.4"><filename>Packages/php72-pecl-imagick-devel-3.4.4-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pecl-imagick-debuginfo" release="1.9.amzn1" version="3.4.4"><filename>Packages/php72-pecl-imagick-debuginfo-3.4.4-1.9.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pecl-imagick" release="1.9.amzn1" version="3.4.4"><filename>Packages/php72-pecl-imagick-3.4.4-1.9.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php72-pecl-imagick" release="1.9.amzn1" version="3.4.4"><filename>Packages/php72-pecl-imagick-3.4.4-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pecl-imagick-debuginfo" release="1.9.amzn1" version="3.4.4"><filename>Packages/php72-pecl-imagick-debuginfo-3.4.4-1.9.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pecl-imagick-devel" release="1.9.amzn1" 
version="3.4.4"><filename>Packages/php72-pecl-imagick-devel-3.4.4-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1238</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1238: medium priority package update for golang</title><issued date="2019-07-17 23:28" /><updated date="2019-07-25 18:38" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9741:
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
1688230:
CVE-2019-9741 golang: CRLF injection in net/http
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741" id="CVE-2019-9741" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="golang-bin" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-bin-1.12.5-1.50.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-docs-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-1.12.5-1.50.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-src-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-tests-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package 
arch="x86_64" epoch="0" name="golang-race" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-race-1.12.5-1.50.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-misc-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-bin-1.12.5-1.50.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.50.amzn1" version="1.12.5"><filename>Packages/golang-1.12.5-1.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1239</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1239: important priority package update for vim</title><issued date="2019-07-17 23:30" /><updated date="2019-08-26 22:17" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12735:
1718308:
CVE-2019-12735 vim/neovim: ':source!' command allows arbitrary command execution via modelines
It was found that the `:source!` command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735" id="CVE-2019-12735" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="2" name="vim-debuginfo" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-debuginfo-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-minimal" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-minimal-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-common" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-common-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-filesystem" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-filesystem-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="2" name="vim-enhanced" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-enhanced-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="2" name="vim-filesystem" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-filesystem-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-enhanced" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-enhanced-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-common" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-common-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-minimal" release="1.46.amzn1" version="8.0.0503"><filename>Packages/vim-minimal-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package arch="i686" epoch="2" name="vim-debuginfo" release="1.46.amzn1" 
version="8.0.0503"><filename>Packages/vim-debuginfo-8.0.0503-1.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1240</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1240: medium priority package update for php71 php72 php73</title><issued date="2019-07-17 23:33" /><updated date="2019-07-25 18:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11040:
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
1724154:
CVE-2019-11040 php: information disclosue in function exif_read_data() leads to denial of service

CVE-2019-11039:
Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.
1724152:
CVE-2019-11039 php: out-of-bounds read due to integer overflow in function iconv_mime_decode_headers()

CVE-2019-11038:
1724149:
CVE-2019-11038 gd: information disclosure in function gdImageCreateFromXbm()
When using gdImageCreateFromXbm() function of PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11039" id="CVE-2019-11039" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038" id="CVE-2019-11038" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11040" id="CVE-2019-11040" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php73-dbg" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-dbg-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-recode" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-recode-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mysqlnd" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-mysqlnd-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-devel" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-devel-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xmlrpc" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-xmlrpc-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pgsql" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pgsql-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xml" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-xml-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-opcache" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-opcache-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dba" release="1.17.amzn1" 
version="7.3.6"><filename>Packages/php73-dba-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gmp" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-gmp-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-cli" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-cli-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-json" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-json-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo-dblib" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pdo-dblib-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mbstring" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-mbstring-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-fpm" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-fpm-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-common" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-common-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-intl" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-intl-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-imap" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-imap-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-soap" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-soap-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-debuginfo" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-debuginfo-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-odbc" 
release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-odbc-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-embedded" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-embedded-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-ldap" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-ldap-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-bcmath" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-bcmath-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-snmp" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-snmp-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-tidy" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-tidy-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gd" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-gd-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pspell" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pspell-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pdo-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-process" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-process-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-enchant" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-enchant-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="php73-fpm" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-fpm-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gd" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-gd-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-bcmath" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-bcmath-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mysqlnd" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-mysqlnd-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-common" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-common-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-cli" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-cli-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-tidy" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-tidy-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-odbc" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-odbc-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-json" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-json-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xmlrpc" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-xmlrpc-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pgsql" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pgsql-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-intl" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-intl-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mbstring" release="1.17.amzn1" 
version="7.3.6"><filename>Packages/php73-mbstring-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pdo-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-imap" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-imap-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-debuginfo" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-debuginfo-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gmp" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-gmp-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dbg" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-dbg-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-embedded" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-embedded-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-opcache" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-opcache-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dba" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-dba-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xml" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-xml-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-process" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-process-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-devel" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-devel-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73" release="1.17.amzn1" 
version="7.3.6"><filename>Packages/php73-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-enchant" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-enchant-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-soap" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-soap-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pspell" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pspell-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-ldap" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-ldap-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo-dblib" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-pdo-dblib-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-recode" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-recode-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-snmp" release="1.17.amzn1" version="7.3.6"><filename>Packages/php73-snmp-7.3.6-1.17.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-dba-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-xml-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-imap-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-ldap-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.40.amzn1" 
version="7.1.30"><filename>Packages/php71-bcmath-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-mbstring-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-gd-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-fpm-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pdo-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-soap-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-process-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-xmlrpc-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-devel-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pspell-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-mcrypt-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-opcache-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php71-gmp" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-gmp-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-recode-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pdo-dblib-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-embedded-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-snmp-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-intl-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-json-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-mysqlnd-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-cli-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-debuginfo-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.40.amzn1" 
version="7.1.30"><filename>Packages/php71-pgsql-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-enchant-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-common-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-tidy-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-dbg-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-odbc-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-devel-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pdo-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pspell-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-embedded-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-json-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-tidy-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" 
release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-debuginfo-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pgsql-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-ldap-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-snmp-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-gmp-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-bcmath-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-mcrypt-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-common-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-mbstring-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-opcache-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-fpm-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" 
release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-xmlrpc-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-pdo-dblib-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-recode-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-dbg-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-mysqlnd-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-odbc-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-cli-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-xml-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-imap-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-process-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-gd-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-intl-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" 
release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-dba-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-enchant-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.40.amzn1" version="7.1.30"><filename>Packages/php71-soap-7.1.30-1.40.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-bcmath" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-bcmath-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-soap" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-soap-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-odbc-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mbstring" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-mbstring-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-tidy" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-tidy-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-embedded" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-embedded-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pspell" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pspell-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gmp" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-gmp-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" 
epoch="0" name="php72-imap" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-imap-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-debuginfo-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-dba-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-mysqlnd-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-ldap-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-process-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-xmlrpc-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-common-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-dbg-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pdo-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-enchant" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-enchant-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.14.amzn1" 
version="7.2.19"><filename>Packages/php72-cli-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-devel-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-snmp-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-json-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-xml-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-intl-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-opcache-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pgsql" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pgsql-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-recode" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-recode-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-gd-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-fpm" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-fpm-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pdo-dblib-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="php72-dbg" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-dbg-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-xmlrpc-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-process-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-imap-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-mysqlnd-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-bcmath-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pdo-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-devel-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-fpm-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-ldap-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-cli-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pgsql-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php72-pdo-dblib" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pdo-dblib-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-snmp-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-mbstring-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-json" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-json-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-intl-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-debuginfo-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-opcache-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-pspell-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-recode-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-common-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-gd-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php72-embedded" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-embedded-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-enchant-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-xml-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dba" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-dba-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gmp" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-gmp-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-odbc-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-tidy-7.2.19-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.14.amzn1" version="7.2.19"><filename>Packages/php72-soap-7.2.19-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1241</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1241: medium priority package update for libxslt</title><issued date="2019-07-17 23:37" /><updated date="2019-07-25 18:41" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11068:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. 
xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
1709697:
CVE-2019-11068 libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068" id="CVE-2019-11068" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libxslt-debuginfo" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-debuginfo-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt-python26" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-python26-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt-python27" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-python27-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libxslt-devel" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-devel-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libxslt-devel" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-devel-1.1.28-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt-python27" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-python27-1.1.28-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt-python26" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-python26-1.1.28-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt" release="5.13.amzn1" 
version="1.1.28"><filename>Packages/libxslt-1.1.28-5.13.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libxslt-debuginfo" release="5.13.amzn1" version="1.1.28"><filename>Packages/libxslt-debuginfo-1.1.28-5.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1242</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1242: medium priority package update for python34</title><issued date="2019-07-17 23:50" /><updated date="2019-07-25 18:43" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()

CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. 
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" id="CVE-2019-9947" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" id="CVE-2019-9740" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python34-libs" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-libs-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-test-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-tools-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-devel" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-devel-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-debuginfo-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-3.4.10-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-devel-3.4.10-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" 
release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-test-3.4.10-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-libs-3.4.10-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-tools-3.4.10-1.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.45.amzn1" version="3.4.10"><filename>Packages/python34-debuginfo-3.4.10-1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1243</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1243: medium priority package update for python35</title><issued date="2019-07-17 23:51" /><updated date="2019-07-25 18:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()

CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. 
CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()

CVE-2019-9636:
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" id="CVE-2019-9947" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" id="CVE-2019-9740" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" id="CVE-2019-9636" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python35-test" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-test-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-debuginfo" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-debuginfo-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-libs" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-libs-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-tools" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-tools-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-devel" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-devel-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python35" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-3.5.7-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-libs" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-libs-3.5.7-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-devel" release="1.22.amzn1" 
version="3.5.7"><filename>Packages/python35-devel-3.5.7-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-test" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-test-3.5.7-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-tools" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-tools-3.5.7-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-debuginfo" release="1.22.amzn1" version="3.5.7"><filename>Packages/python35-debuginfo-3.5.7-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1244</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1244: important priority package update for bind</title><issued date="2019-07-17 23:52" /><updated date="2019-07-25 18:46" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5743:
1702541:
CVE-2018-5743 bind: Limiting simultaneous TCP clients is ineffective
A flaw was found in the way bind implemented tunable which limited simultaneous TCP client connections. A remote attacker could use this flaw to exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files. In cases where the named process is not limited by OS-enforced per-process limits, this could additionally potentially lead to exhaustion of all available free file descriptors on that system. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743" id="CVE-2018-5743" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="32" name="bind-chroot" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-debuginfo" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-sdb" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-devel" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-utils" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="32" name="bind-libs" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="32" name="bind" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-utils" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-utils-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-libs" release="0.68.rc1.60.amzn1" 
version="9.8.2"><filename>Packages/bind-libs-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-chroot" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-devel" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-devel-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-sdb" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package arch="i686" epoch="32" name="bind-debuginfo" release="0.68.rc1.60.amzn1" version="9.8.2"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1245</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1245: medium priority package update for docker</title><issued date="2019-07-17 23:53" /><updated date="2019-07-25 18:46" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-15664:
1714722:
CVE-2018-15664 docker: symlink-exchange race attacks in docker cp
A flaw was discovered in the API endpoint behind the &#039;docker cp&#039; command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container. 
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15664" id="CVE-2018-15664" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="docker" release="10.32.amzn1" version="18.06.1ce"><filename>Packages/docker-18.06.1ce-10.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="docker-debuginfo" release="10.32.amzn1" version="18.06.1ce"><filename>Packages/docker-debuginfo-18.06.1ce-10.32.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1246</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1246: medium priority package update for dbus</title><issued date="2019-07-17 23:54" /><updated date="2019-07-25 18:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12749:
1719344:
CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. 
In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. 15867 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749" id="CVE-2019-12749" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="dbus-libs" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-libs-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus-devel" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-devel-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus-debuginfo" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-debuginfo-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="dbus" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="dbus-doc" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-doc-1.6.12-14.29.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="dbus-devel" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-devel-1.6.12-14.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dbus-debuginfo" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-debuginfo-1.6.12-14.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dbus-libs" release="14.29.amzn1" version="1.6.12"><filename>Packages/dbus-libs-1.6.12-14.29.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="dbus" release="14.29.amzn1" 
version="1.6.12"><filename>Packages/dbus-1.6.12-14.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1252</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1252: important priority package update for exim</title><issued date="2019-07-25 18:40" /><updated date="2019-07-25 18:49" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15868 CVE-2019-13917: 15869 15870 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13917" id="CVE-2019-13917" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-mysql" release="1.23.amzn1" version="4.92"><filename>Packages/exim-mysql-4.92-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="1.23.amzn1" version="4.92"><filename>Packages/exim-mon-4.92-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-pgsql" release="1.23.amzn1" version="4.92"><filename>Packages/exim-pgsql-4.92-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="1.23.amzn1" version="4.92"><filename>Packages/exim-4.92-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="1.23.amzn1" version="4.92"><filename>Packages/exim-greylist-4.92-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-debuginfo" release="1.23.amzn1" version="4.92"><filename>Packages/exim-debuginfo-4.92-1.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="1.23.amzn1" version="4.92"><filename>Packages/exim-mon-4.92-1.23.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="exim-debuginfo" release="1.23.amzn1" version="4.92"><filename>Packages/exim-debuginfo-4.92-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="1.23.amzn1" version="4.92"><filename>Packages/exim-greylist-4.92-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="1.23.amzn1" version="4.92"><filename>Packages/exim-pgsql-4.92-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="1.23.amzn1" version="4.92"><filename>Packages/exim-4.92-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="1.23.amzn1" version="4.92"><filename>Packages/exim-mysql-4.92-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1253</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1253: medium priority package update for kernel</title><issued date="2019-08-05 17:40" /><updated date="2019-08-12 18:10" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15871 CVE-2019-1125: 15872 A Spectre gadget was found in the Linux kernel&#039;s implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel. 
15873 1724389: 15874 CVE-2019-1125 kernel: hw: Spectre SWAPGS gadget vulnerability 15875 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1125" id="CVE-2019-1125" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-devel-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="88.112.amzn1" version="4.14.133"><filename>Packages/perf-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-tools-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-tools-devel-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="88.112.amzn1" 
version="4.14.133"><filename>Packages/kernel-headers-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="88.112.amzn1" version="4.14.133"><filename>Packages/perf-debuginfo-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-headers-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-tools-devel-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-debuginfo-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="88.112.amzn1" version="4.14.133"><filename>Packages/perf-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="88.112.amzn1" version="4.14.133"><filename>Packages/perf-debuginfo-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-devel-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="88.112.amzn1" version="4.14.133"><filename>Packages/kernel-tools-4.14.133-88.112.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="88.112.amzn1" 
version="4.14.133"><filename>Packages/kernel-debuginfo-common-i686-4.14.133-88.112.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1254</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1254: important priority package update for libssh2</title><issued date="2019-08-12 18:05" /><updated date="2019-08-12 18:11" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3863:
A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.
1687313:
CVE-2019-3863 libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes

CVE-2019-3857:
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
1687305:
CVE-2019-3857 libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write

CVE-2019-3856:
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
1687304:
CVE-2019-3856 libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write

CVE-2019-3855:
1687303:
CVE-2019-3855 libssh2: Integer overflow in transport read resulting in out of bounds write
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855" id="CVE-2019-3855" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857" id="CVE-2019-3857" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856" id="CVE-2019-3856" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863" id="CVE-2019-3863" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libssh2-devel" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-devel-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libssh2-docs" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-docs-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libssh2" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libssh2-debuginfo" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-debuginfo-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="libssh2" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-1.4.2-3.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libssh2-debuginfo" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-debuginfo-1.4.2-3.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libssh2-devel" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-devel-1.4.2-3.12.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libssh2-docs" release="3.12.amzn1" version="1.4.2"><filename>Packages/libssh2-docs-1.4.2-3.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1255</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1255: important priority package update for ruby20 ruby21 ruby24</title><issued date="2019-08-07 22:58" /><updated date="2019-08-12 18:13" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8325:
1692522:
CVE-2019-8325 rubygems: Escape sequence injection vulnerability in errors
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

CVE-2019-8324:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
1692520:
CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution

CVE-2019-8323:
1692519:
CVE-2019-8323 rubygems: Escape sequence injection vulnerability in API response handling
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

CVE-2019-8322:
1692516:
CVE-2019-8322 rubygems: Escape sequence injection vulnerability in gem owner
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

CVE-2019-8321:
1692514:
CVE-2019-8321 rubygems: Escape sequence injection vulnerability in verbose
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

CVE-2019-8320:
1692512:
CVE-2019-8320 rubygems: Delete directory using symlink when decompressing tar
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user&#039;s machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324" id="CVE-2019-8324" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325" id="CVE-2019-8325" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322" id="CVE-2019-8322" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323" id="CVE-2019-8323" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320" id="CVE-2019-8320" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321" id="CVE-2019-8321" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="ruby20-irb" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-irb-2.0.0.648-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby20-doc" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-doc-2.0.0.648-1.32.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20-devel" release="1.32.amzn1" version="2.0.14.1"><filename>Packages/rubygems20-devel-2.0.14.1-1.32.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-devel" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-devel-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-bigdecimal" release="1.32.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-debuginfo" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-io-console" release="1.32.amzn1" 
version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem20-psych" release="1.32.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.32.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems20" release="1.32.amzn1" version="2.0.14.1"><filename>Packages/rubygems20-2.0.14.1-1.32.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby20-libs" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-libs-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-libs" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-libs-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-debuginfo" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-bigdecimal" release="1.32.amzn1" version="1.2.0"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20-devel" release="1.32.amzn1" version="2.0.0.648"><filename>Packages/ruby20-devel-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-psych" release="1.32.amzn1" version="2.0.0"><filename>Packages/rubygem20-psych-2.0.0-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem20-io-console" release="1.32.amzn1" version="0.4.2"><filename>Packages/rubygem20-io-console-0.4.2-1.32.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby20" release="1.32.amzn1" 
version="2.0.0.648"><filename>Packages/ruby20-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-psych" release="1.22.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-devel" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-devel-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-irb" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-irb-2.1.9-1.22.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-libs" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-libs-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21-devel" release="1.22.amzn1" version="2.2.5"><filename>Packages/rubygems21-devel-2.2.5-1.22.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21-debuginfo" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-debuginfo-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-bigdecimal" release="1.22.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby21" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem21-io-console" release="1.22.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.22.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby21-doc" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-doc-2.1.9-1.22.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems21" release="1.22.amzn1" 
version="2.2.5"><filename>Packages/rubygems21-2.2.5-1.22.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby21" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-2.1.9-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-bigdecimal" release="1.22.amzn1" version="1.2.4"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-debuginfo" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-debuginfo-2.1.9-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-io-console" release="1.22.amzn1" version="0.4.3"><filename>Packages/rubygem21-io-console-0.4.3-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-devel" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-devel-2.1.9-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem21-psych" release="1.22.amzn1" version="2.0.5"><filename>Packages/rubygem21-psych-2.0.5-1.22.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby21-libs" release="1.22.amzn1" version="2.1.9"><filename>Packages/ruby21-libs-2.1.9-1.22.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-json" release="1.30.11.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24" release="1.30.11.amzn1" version="2.6.14.3"><filename>Packages/rubygems24-2.6.14.3-1.30.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="rubygem24-did_you_mean" release="1.30.11.amzn1" version="1.1.0"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-devel" release="1.30.11.amzn1" 
version="2.4.5"><filename>Packages/ruby24-devel-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-debuginfo" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-bigdecimal" release="1.30.11.amzn1" version="1.3.2"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-io-console" release="1.30.11.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="rubygems24-devel" release="1.30.11.amzn1" version="2.6.14.3"><filename>Packages/rubygems24-devel-2.6.14.3-1.30.11.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="ruby24-libs" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-libs-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-xmlrpc" release="1.30.11.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="rubygem24-psych" release="1.30.11.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.11.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-doc" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-doc-2.4.5-1.30.11.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="ruby24-irb" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-irb-2.4.5-1.30.11.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="0" name="ruby24" release="1.30.11.amzn1" 
version="2.4.5"><filename>Packages/ruby24-2.4.5-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-json" release="1.30.11.amzn1" version="2.0.4"><filename>Packages/rubygem24-json-2.0.4-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-bigdecimal" release="1.30.11.amzn1" version="1.3.2"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-debuginfo" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-io-console" release="1.30.11.amzn1" version="0.4.6"><filename>Packages/rubygem24-io-console-0.4.6-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-psych" release="1.30.11.amzn1" version="2.2.2"><filename>Packages/rubygem24-psych-2.2.2-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-libs" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-libs-2.4.5-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="rubygem24-xmlrpc" release="1.30.11.amzn1" version="0.2.1"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="ruby24-devel" release="1.30.11.amzn1" version="2.4.5"><filename>Packages/ruby24-devel-2.4.5-1.30.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1256</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1256: medium priority package update for glib2</title><issued date="2019-08-07 23:00" /><updated date="2019-08-12 18:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 
15926 CVE-2019-12450: 15927 file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. 15928 1719141: 15929 CVE-2019-12450 glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress 15930 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450" id="CVE-2019-12450" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="glib2-debuginfo" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-debuginfo-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glib2" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="glib2-fam" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-fam-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="glib2-doc" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-doc-2.36.3-5.21.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="glib2-devel" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-devel-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="glib2" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-2.36.3-5.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glib2-fam" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-fam-2.36.3-5.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="glib2-debuginfo" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-debuginfo-2.36.3-5.21.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="glib2-devel" release="5.21.amzn1" version="2.36.3"><filename>Packages/glib2-devel-2.36.3-5.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1257</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1257: low priority package update for GraphicsMagick</title><issued date="2019-08-07 23:01" /><updated date="2019-08-12 18:21" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 15931 CVE-PENDING: 15932 pending 15933 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-PENDING" id="CVE-PENDING" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="GraphicsMagick-doc" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-doc-1.3.32-1.16.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-perl" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-perl-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-c++-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-c++-devel" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-c++-devel-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-debuginfo" release="1.16.amzn1" 
version="1.3.32"><filename>Packages/GraphicsMagick-debuginfo-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="GraphicsMagick-devel" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-devel-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-1.3.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-devel" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-devel-1.3.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-c++-1.3.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-debuginfo" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-debuginfo-1.3.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-perl" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-perl-1.3.32-1.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="GraphicsMagick-c++-devel" release="1.16.amzn1" version="1.3.32"><filename>Packages/GraphicsMagick-c++-devel-1.3.32-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1258</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1258: important priority package update for python27</title><issued date="2019-08-07 23:02" /><updated date="2019-08-12 18:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9948:
1695570:
CVE-2019-9948 python: Undocumented local_file protocol allows remote
attackers to bypass protection mechanisms
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(&#039;local_file:///etc/passwd&#039;) call.

CVE-2019-10160:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
1718388:
CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160" id="CVE-2019-10160" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948" id="CVE-2019-9948" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python27" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-libs" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-libs-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-test" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-test-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-devel" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-devel-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-tools" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-tools-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python27-debuginfo" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-debuginfo-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python27" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-2.7.16-1.129.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-devel" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-devel-2.7.16-1.129.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-debuginfo" release="1.129.amzn1"
version="2.7.16"><filename>Packages/python27-debuginfo-2.7.16-1.129.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-tools" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-tools-2.7.16-1.129.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-libs" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-libs-2.7.16-1.129.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python27-test" release="1.129.amzn1" version="2.7.16"><filename>Packages/python27-test-2.7.16-1.129.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1259</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1259: important priority package update for python34 python35 python36</title><issued date="2019-08-07 23:03" /><updated date="2019-08-12 18:22" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-10160:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
1718388:
CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160" id="CVE-2019-10160" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="python34-devel" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-devel-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-test" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-test-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-debuginfo" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-debuginfo-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-tools" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-tools-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34-libs" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-libs-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python34" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python34-tools" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-tools-3.4.10-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-devel" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-devel-3.4.10-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-test" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-test-3.4.10-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-libs"
release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-libs-3.4.10-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34-debuginfo" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-debuginfo-3.4.10-1.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python34" release="1.47.amzn1" version="3.4.10"><filename>Packages/python34-3.4.10-1.47.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-libs" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-libs-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-test" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-test-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-tools" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-tools-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-debuginfo" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-debuginfo-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python35-devel" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-devel-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python35-debuginfo" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-debuginfo-3.5.7-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-test" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-test-3.5.7-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-tools" release="1.23.amzn1" 
version="3.5.7"><filename>Packages/python35-tools-3.5.7-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-3.5.7-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-devel" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-devel-3.5.7-1.23.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python35-libs" release="1.23.amzn1" version="3.5.7"><filename>Packages/python35-libs-3.5.7-1.23.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-tools" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-tools-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-test" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-test-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debug" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-debug-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-debuginfo" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-debuginfo-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-devel" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-devel-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="python36-libs" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-libs-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="python36-devel" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-devel-3.6.8-1.14.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="python36-tools" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-tools-3.6.8-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debuginfo" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-debuginfo-3.6.8-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-debug" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-debug-3.6.8-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-libs" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-libs-3.6.8-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-3.6.8-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="python36-test" release="1.14.amzn1" version="3.6.8"><filename>Packages/python36-test-3.6.8-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1260</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1260: important priority package update for qemu-kvm</title><issued date="2019-08-07 23:12" /><updated date="2019-08-12 18:23" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11091:
Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
1705312:
CVE-2019-11091 hardware: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

CVE-2018-12130:
1646784:
CVE-2018-12130 hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS)
A flaw was found in the implementation of the &quot;fill buffer&quot;, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.

CVE-2018-12127:
Microprocessors use a load port subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPUs pipelines. Stale load operations results are stored in the &#039;load port&#039; table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel.
1667782:
CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS)

CVE-2018-12126:
Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the &#039;processor store buffer&#039;.
As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU&#039;s processor store buffer.
1646781:
CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091" id="CVE-2019-11091" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130" id="CVE-2018-12130" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127" id="CVE-2018-12127" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126" id="CVE-2018-12126" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="10" name="qemu-kvm" release="156.16.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-img" release="156.16.amzn1" version="1.5.3"><filename>Packages/qemu-img-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="156.16.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-common" release="156.16.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-common-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="10" name="qemu-kvm-tools" release="156.16.amzn1" version="1.5.3"><filename>Packages/qemu-kvm-tools-1.5.3-156.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1261</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1261: medium priority package update for
389-ds-base</title><issued date="2019-08-07 23:13" /><updated date="2019-08-12 18:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3883:
It was found that encrypted connections did not honor the &#039;ioblocktimeout&#039; parameter to end blocking requests. As a result, an unauthenticated attacker could repeatedly start a sufficient number of encrypted connections to block all workers, resulting in a denial of service.
1693612:
CVE-2019-3883 389-ds-base: DoS via hanging secured connections
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3883" id="CVE-2019-3883" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="389-ds-base-snmp" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-snmp-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-devel" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-devel-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-libs" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-libs-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="389-ds-base-debuginfo" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-devel" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-devel-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package
arch="i686" epoch="0" name="389-ds-base-libs" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-libs-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-debuginfo" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="389-ds-base-snmp" release="25.1.62.amzn1" version="1.3.8.4"><filename>Packages/389-ds-base-snmp-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1265</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1265: medium priority package update for lighttpd</title><issued date="2019-08-07 23:16" /><updated date="2019-08-12 18:24" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19052:

</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19052" id="CVE-2018-19052" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="lighttpd" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_geoip" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_geoip-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_authn_pam" release="1.36.amzn1"
version="1.4.53"><filename>Packages/lighttpd-mod_authn_pam-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_authn_gssapi" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_authn_gssapi-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-debuginfo" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-debuginfo-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-fastcgi" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-fastcgi-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="lighttpd-mod_authn_mysql" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_authn_mysql-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-fastcgi" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-fastcgi-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-debuginfo" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-debuginfo-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_authn_pam" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_authn_pam-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_mysql_vhost" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="lighttpd-mod_geoip" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_geoip-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_authn_gssapi" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_authn_gssapi-1.4.53-1.36.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="lighttpd-mod_authn_mysql" release="1.36.amzn1" version="1.4.53"><filename>Packages/lighttpd-mod_authn_mysql-1.4.53-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1266</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1266: important priority package update for java-1.8.0-openjdk</title><issued date="2019-08-07 23:35" /><updated date="2019-08-12 18:25" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2698:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
1700447:
CVE-2019-2698 OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022)

CVE-2019-2684:
1700564:
CVE-2019-2684 OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2019-2602:
1700440:
CVE-2019-2602 OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded.
Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2698" id="CVE-2019-2698" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684" id="CVE-2019-2684" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2602" id="CVE-2019-2602" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.212.b04-0.45.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="0.45.amzn1"
version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.212.b04-0.45.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.45.amzn1" version="1.8.0.212.b04"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1268</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2019-1268: medium priority package update for java-1.7.0-openjdk</title><issued date="2019-08-23 16:53" /><updated date="2019-08-26 22:19" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2842:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730110:
CVE-2019-2842 OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)

CVE-2019-2816:
1730099:
CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE-2019-2786:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).
1730255:
CVE-2019-2786 OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381)

CVE-2019-2769:
1730056:
CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2019-2762:
1730415:
CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2019-2745:
1730411:
CVE-2019-2745 OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698)
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786" id="CVE-2019-2786" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769" id="CVE-2019-2769" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842" id="CVE-2019-2842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762" id="CVE-2019-2762" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745" id="CVE-2019-2745" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816" id="CVE-2019-2816" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.7.0-openjdk-javadoc" release="2.6.19.1.80.amzn1"
version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.80.amzn1.noarch.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-debuginfo" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-devel" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-demo" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.7.0-openjdk-src" release="2.6.19.1.80.amzn1" version="1.7.0.231"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1269</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1269: medium priority package update for java-1.8.0-openjdk</title><issued date="2019-08-23 16:55" /><updated date="2019-08-26 22:20" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2842:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730110:
CVE-2019-2842 OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)

CVE-2019-2816:
1730099:
CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE-2019-2786:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).
1730255:
CVE-2019-2786 OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381)

CVE-2019-2769:
1730056:
CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211.
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2019-2762:
1730415:
CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2019-2745:
1730411:
CVE-2019-2745 OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698)
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786" id="CVE-2019-2786" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769" id="CVE-2019-2769" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842" id="CVE-2019-2842" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762" id="CVE-2019-2762" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745" id="CVE-2019-2745" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816" id="CVE-2019-2816" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-devel" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-demo" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-headless" release="0.47.amzn1"
version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="1" name="java-1.8.0-openjdk-javadoc-zip" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="1" name="java-1.8.0-openjdk-src" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-debuginfo" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-src" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-headless" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-devel" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package arch="i686" epoch="1" name="java-1.8.0-openjdk-demo" release="0.47.amzn1" version="1.8.0.222.b10"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1270</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2019-1270: important priority package update for golang</title><issued date="2019-08-23 16:58" /><updated date="2019-08-26 22:21" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9514:
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
1735744:
CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth

CVE-2019-9512:
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
1735645:
CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514" id="CVE-2019-9514" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512" id="CVE-2019-9512" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="golang-race" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-race-1.12.8-1.51.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-src" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-src-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-tests" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-tests-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang-bin" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-bin-1.12.8-1.51.amzn1.x86_64.rpm</filename></package><package arch="noarch" epoch="0" name="golang-docs" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-docs-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package arch="noarch" epoch="0" name="golang-misc" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-misc-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package arch="x86_64" epoch="0" name="golang" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-1.12.8-1.51.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="golang" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-1.12.8-1.51.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="golang-bin" release="1.51.amzn1" version="1.12.8"><filename>Packages/golang-bin-1.12.8-1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update
author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1271</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1271: medium priority package update for poppler</title><issued date="2019-08-23 17:01" /><updated date="2019-08-26 22:23" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9631:
Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.
1686802:
CVE-2019-9631 poppler: heap-based buffer over-read in function downsample_row_box_filter in CairoRescaleBox.cc

CVE-2019-9200:
A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
1683632:
CVE-2019-9200 poppler: heap-based buffer overflow in function ImageStream::getLine() in Stream.cc

CVE-2019-7310:
1672419:
CVE-2019-7310 poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc
In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.

CVE-2018-20662:
1665273:
CVE-2018-20662 poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc
In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing.

CVE-2018-20650:
1665263:
CVE-2018-20650 poppler: reachable Object::dictLookup assertion in FileSpec class in FileSpec.cc
A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.

CVE-2018-20481:
1665266:
CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc
XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.

CVE-2018-19149:
Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.
1649457:
CVE-2018-19149 poppler: NULL pointer dereference in _poppler_attachment_new

CVE-2018-19060:
1649450:
CVE-2018-19060 poppler: pdfdetach utility does not validate save paths
An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path.

CVE-2018-19059:
1649440:
CVE-2018-19059 poppler: out-of-bounds read in EmbFile::save2 in FileSpec.cc
An issue was discovered in Poppler 0.71.0. There is a out-of-bounds read in EmbFile::save2 in FileSpec.cc, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.

CVE-2018-19058:
An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.
1649435:
CVE-2018-19058 poppler: reachable abort in Object.h

CVE-2018-18897:
An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.
1646546:
CVE-2018-18897 poppler: memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc

CVE-2018-16646:
1626618:
CVE-2018-16646 poppler: infinite recursion in Parser::getObj function in Parser.cc
In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19058" id="CVE-2018-19058" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19059" id="CVE-2018-19059" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20481" id="CVE-2018-20481" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18897" id="CVE-2018-18897" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149" id="CVE-2018-19149" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16646" id="CVE-2018-16646" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19060" id="CVE-2018-19060" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20662" id="CVE-2018-20662" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20650" id="CVE-2018-20650" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9200" id="CVE-2019-9200" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631" id="CVE-2019-9631" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7310" id="CVE-2019-7310" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="poppler-cpp" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-cpp-devel" release="38.19.amzn1"
version="0.26.5"><filename>Packages/poppler-cpp-devel-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-debuginfo" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-debuginfo-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-utils" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-utils-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-devel" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-devel-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib-devel" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-glib-devel-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="poppler-glib" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-glib-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="poppler-devel" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-devel-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib-devel" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-glib-devel-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp-devel" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-devel-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-utils" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-utils-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-glib" release="38.19.amzn1" 
version="0.26.5"><filename>Packages/poppler-glib-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-debuginfo" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-debuginfo-0.26.5-38.19.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="poppler-cpp" release="38.19.amzn1" version="0.26.5"><filename>Packages/poppler-cpp-0.26.5-38.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1277</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1277: critical priority package update for exim</title><issued date="2019-09-08 22:54" /><updated date="2019-09-09 20:58" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16122 CVE-2019-15846: 16123 1748397: 16124 CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process 16125 Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash. 
16126 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15846" id="CVE-2019-15846" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="exim-pgsql" release="1.24.amzn1" version="4.92"><filename>Packages/exim-pgsql-4.92-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mysql" release="1.24.amzn1" version="4.92"><filename>Packages/exim-mysql-4.92-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-mon" release="1.24.amzn1" version="4.92"><filename>Packages/exim-mon-4.92-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-greylist" release="1.24.amzn1" version="4.92"><filename>Packages/exim-greylist-4.92-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim-debuginfo" release="1.24.amzn1" version="4.92"><filename>Packages/exim-debuginfo-4.92-1.24.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="exim" release="1.24.amzn1" version="4.92"><filename>Packages/exim-4.92-1.24.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="exim-greylist" release="1.24.amzn1" version="4.92"><filename>Packages/exim-greylist-4.92-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-pgsql" release="1.24.amzn1" version="4.92"><filename>Packages/exim-pgsql-4.92-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mon" release="1.24.amzn1" version="4.92"><filename>Packages/exim-mon-4.92-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim" release="1.24.amzn1" version="4.92"><filename>Packages/exim-4.92-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-debuginfo" release="1.24.amzn1" 
version="4.92"><filename>Packages/exim-debuginfo-4.92-1.24.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="exim-mysql" release="1.24.amzn1" version="4.92"><filename>Packages/exim-mysql-4.92-1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1278</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1278: low priority package update for kernel</title><issued date="2019-09-13 22:43" /><updated date="2019-09-13 22:43" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16127 CVE-2018-9516: 16128 A flaw was found in the Linux kernel in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file. A lack of the certain checks may allow a privileged user (&quot;root&quot;) to achieve an out-of-bounds write and thus receiving user space buffer corruption. 16129 1631036: 16130 CVE-2018-9516 kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c 16131 A flaw was found in the Linux kernel in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file. A lack of the certain checks may result in receiving userspace buffer overflow and an out-of-bounds write or to the infinite loop. 
16132 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9516" id="CVE-2018-9516" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="62.37.amzn1" 
version="4.14.55"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-common-i686-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="62.37.amzn1" version="4.14.55"><filename>Packages/perf-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="62.37.amzn1" version="4.14.55"><filename>Packages/kernel-4.14.55-62.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" 
type="security" version="1.4"><id>ALAS-2019-1279</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1279: low priority package update for kernel</title><issued date="2019-09-13 22:43" /><updated date="2019-09-13 22:43" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16133 CVE-2018-7755: 16134 1553216: 16135 CVE-2018-7755 kernel: Information exposure in fd_locked_ioctl function in drivers/block/floppy.c 16136 An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. 16137 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755" id="CVE-2018-7755" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-devel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="69.57.amzn1" 
version="4.14.77"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-common-i686-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="69.57.amzn1" 
version="4.14.77"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="69.57.amzn1" version="4.14.77"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1280</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1280: medium priority package update for kernel</title><issued date="2019-09-13 22:45" /><updated date="2019-09-13 22:45" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16138 CVE-2018-9363: 16139 A buffer overflow due to a singed-unsigned comparsion was found in hidp_process_report() in the net/bluetooth/hidp/core.c in the Linux kernel. The buffer length is an unsigned int but gets cast to a signed int which in certain conditions can lead to a system panic and a denial-of-service. 16140 1623067: 16141 CVE-2018-9363 kernel: Buffer overflow in hidp_process_report 16142 16143 CVE-2018-15594: 16144 It was found that paravirt_patch_call/jump() functions in the arch/x86/kernel/paravirt.c in the Linux kernel mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtualized guests. 
16145 1620555: 16146 CVE-2018-15594 kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests 16147 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15594" id="CVE-2018-15594" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9363" id="CVE-2018-9363" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-headers" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-headers-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-debuginfo-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="66.56.amzn1" version="4.14.67"><filename>Packages/perf-debuginfo-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="66.56.amzn1" version="4.14.67"><filename>Packages/perf-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-tools-debuginfo-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-devel-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" 
release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-tools-devel-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-tools-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="66.56.amzn1" version="4.14.67"><filename>Packages/perf-debuginfo-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-tools-debuginfo-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-debuginfo-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-debuginfo-common-i686-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-tools-devel-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-devel-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-tools-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="66.56.amzn1" version="4.14.67"><filename>Packages/kernel-headers-4.14.67-66.56.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="66.56.amzn1" 
version="4.14.67"><filename>Packages/perf-4.14.67-66.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1281</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1281: medium priority package update for kernel</title><issued date="2019-09-13 22:48" /><updated date="2019-09-13 22:48" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16148 CVE-2019-15902: 16149 1752081: 16150 CVE-2019-15902 kernel: backporting error in ptrace_get_debugreg() 16151 A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream &quot;x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()&quot; commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped. 16152 16153 CVE-2019-15538: 16154 1746777: 16155 CVE-2019-15538 kernel: denial of service in in xfs_setattr_nonsize in fs/xfs/xfs_iops.c 16156 An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS. 
16157 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15538" id="CVE-2019-15538" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15902" id="CVE-2019-15902" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="kernel-tools" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-tools-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-headers" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-headers-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-devel" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-tools-devel-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf-debuginfo" release="91.122.amzn1" version="4.14.143"><filename>Packages/perf-debuginfo-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-tools-debuginfo-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-debuginfo" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-debuginfo-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="kernel-devel" release="91.122.amzn1" 
version="4.14.143"><filename>Packages/kernel-devel-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="perf" release="91.122.amzn1" version="4.14.143"><filename>Packages/perf-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="kernel-headers" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-headers-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf" release="91.122.amzn1" version="4.14.143"><filename>Packages/perf-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-devel" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-tools-devel-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools-debuginfo" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-tools-debuginfo-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo-common-i686" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-debuginfo-common-i686-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="perf-debuginfo" release="91.122.amzn1" version="4.14.143"><filename>Packages/perf-debuginfo-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-devel" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-devel-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-tools" release="91.122.amzn1" version="4.14.143"><filename>Packages/kernel-tools-4.14.143-91.122.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="kernel-debuginfo" release="91.122.amzn1" 
version="4.14.143"><filename>Packages/kernel-debuginfo-4.14.143-91.122.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1282</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1282: medium priority package update for php71 php72 php73</title><issued date="2019-09-13 22:49" /><updated date="2019-09-13 22:50" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16158 CVE-2019-9640: 16159 An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. 16160 1688939: 16161 CVE-2019-9640 php: Invalid read in exif_process_SOFn() 16162 16163 CVE-2019-9637: 16164 1688897: 16165 CVE-2019-9637 php: File rename across filesystems may allow unwanted access during processing 16166 An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data. 
16167 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9640" id="CVE-2019-9640" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9637" id="CVE-2019-9637" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-debuginfo-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pgsql-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pdo-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-fpm-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-mcrypt-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pspell-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-gd-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-json-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-tidy-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.37.amzn1" 
version="7.1.27"><filename>Packages/php71-xmlrpc-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-embedded" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-embedded-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-dba-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-mbstring-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-process-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-odbc-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-dbg-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-bcmath-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-soap-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-imap-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-mysqlnd-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-common-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php71-gmp" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-gmp-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-xml-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-intl-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-recode-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-opcache-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pdo-dblib-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-enchant-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-ldap-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-cli" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-cli-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-devel-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-snmp-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.37.amzn1" 
version="7.1.27"><filename>Packages/php71-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-process-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-imap-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-cli-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-dba-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-debuginfo-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-mbstring-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-enchant-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-devel-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-odbc-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pgsql-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pdo-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.37.amzn1" 
version="7.1.27"><filename>Packages/php71-opcache-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-soap-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-mysqlnd-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pdo-dblib-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-tidy-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-common-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-bcmath-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-mcrypt-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-xmlrpc-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-ldap-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-json-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.37.amzn1" 
version="7.1.27"><filename>Packages/php71-recode-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-xml-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-pspell-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-intl-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-snmp-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-embedded-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-gd-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-fpm-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-dbg-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.37.amzn1" version="7.1.27"><filename>Packages/php71-gmp-7.1.27-1.37.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-fpm" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-fpm-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mbstring" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-mbstring-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.11.amzn1" 
version="7.2.16"><filename>Packages/php72-mysqlnd-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-bcmath" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-bcmath-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-cli-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-soap" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-soap-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-gd-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-recode" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-recode-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-ldap-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-devel-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-intl-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-imap" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-imap-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-tidy" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-tidy-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-debuginfo-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php72-pgsql" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pgsql-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-snmp-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-dba-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-xml-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-odbc-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-embedded" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-embedded-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pdo-dblib-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gmp" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-gmp-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-opcache-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-process-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pspell" release="1.11.amzn1" 
version="7.2.16"><filename>Packages/php72-pspell-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-dbg-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-enchant" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-enchant-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-common-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-xmlrpc-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-json-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pdo-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pdo-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo-dblib" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pdo-dblib-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-xmlrpc-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dba" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-dba-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-bcmath-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" 
release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-cli-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-tidy-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gmp" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-gmp-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-opcache-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-gd-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-intl-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-soap-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-imap-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-embedded" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-embedded-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-common-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-xml-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.11.amzn1" 
version="7.2.16"><filename>Packages/php72-odbc-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-mbstring-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-debuginfo-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pspell-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-fpm-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-recode-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-snmp-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dbg" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-dbg-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-mysqlnd-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-devel-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-process-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-pgsql-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" 
release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-enchant-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-json" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-json-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.11.amzn1" version="7.2.16"><filename>Packages/php72-ldap-7.2.16-1.11.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dbg" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-dbg-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-common" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-common-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pspell" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pspell-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-process" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-process-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-intl" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-intl-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-odbc" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-odbc-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gd" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-gd-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pgsql" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pgsql-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gmp" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-gmp-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-fpm" 
release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-fpm-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-snmp" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-snmp-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pdo-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-embedded" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-embedded-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-enchant" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-enchant-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-cli" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-cli-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-tidy" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-tidy-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-opcache" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-opcache-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-imap" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-imap-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xmlrpc" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-xmlrpc-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-ldap" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-ldap-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php73-recode" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-recode-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dba" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-dba-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xml" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-xml-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-bcmath" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-bcmath-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mysqlnd" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-mysqlnd-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-devel" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-devel-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-soap" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-soap-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo-dblib" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pdo-dblib-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-json" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-json-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-debuginfo" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-debuginfo-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mbstring" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-mbstring-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php73-snmp" release="1.14.amzn1" 
version="7.3.4"><filename>Packages/php73-snmp-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-process" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-process-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-embedded" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-embedded-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-odbc" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-odbc-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pspell" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pspell-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-debuginfo" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-debuginfo-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dba" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-dba-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-common" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-common-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-tidy" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-tidy-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gd" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-gd-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-bcmath" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-bcmath-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-fpm" release="1.14.amzn1" 
version="7.3.4"><filename>Packages/php73-fpm-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xml" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-xml-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-ldap" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-ldap-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pgsql" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pgsql-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dbg" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-dbg-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xmlrpc" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-xmlrpc-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-enchant" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-enchant-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mbstring" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-mbstring-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-json" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-json-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-imap" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-imap-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pdo-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mysqlnd" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-mysqlnd-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-cli" release="1.14.amzn1" 
version="7.3.4"><filename>Packages/php73-cli-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-soap" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-soap-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-intl" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-intl-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo-dblib" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-pdo-dblib-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-recode" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-recode-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-opcache" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-opcache-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-devel" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-devel-7.3.4-1.14.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gmp" release="1.14.amzn1" version="7.3.4"><filename>Packages/php73-gmp-7.3.4-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1283</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1283: low priority package update for php71 php73</title><issued date="2019-09-13 22:53" /><updated date="2019-09-13 22:54" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13224:
1728970:
CVE-2019-13224 oniguruma: use-after-free in onig_new_deluxe() in regext.c
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

CVE-2019-11042:
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
1739465:
CVE-2019-11042 php: heap buffer over-read in exif_process_user_comment()

CVE-2019-11041:
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
1739459:
CVE-2019-11041 php: heap buffer over-read in exif_scan_thumbnail()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11042" id="CVE-2019-11042" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224" id="CVE-2019-13224" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041" id="CVE-2019-11041" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php71-embedded" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-embedded-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dbg" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-dbg-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pspell" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pspell-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-devel" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-devel-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-dba" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-dba-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-process" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-process-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mcrypt" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-mcrypt-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xml" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-xml-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-bcmath"
release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-bcmath-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mysqlnd" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-mysqlnd-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-common" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-common-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-enchant" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-enchant-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-intl" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-intl-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pdo-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-debuginfo" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-debuginfo-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-snmp" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-snmp-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-xmlrpc" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-xmlrpc-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-mbstring" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-mbstring-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pdo-dblib" release="1.41.amzn1" 
version="7.1.31"><filename>Packages/php71-pdo-dblib-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gmp" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-gmp-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-json" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-json-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-imap" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-imap-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-ldap" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-ldap-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-tidy" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-tidy-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-odbc" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-odbc-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-fpm" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-fpm-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-opcache" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-opcache-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-soap" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-soap-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-recode" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-recode-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-pgsql" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pgsql-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php71-cli" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-cli-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php71-gd" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-gd-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php71-ldap" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-ldap-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mbstring" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-mbstring-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-devel" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-devel-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-cli" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-cli-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mcrypt" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-mcrypt-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dba" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-dba-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-mysqlnd" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-mysqlnd-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-fpm" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-fpm-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-embedded" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-embedded-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-recode" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-recode-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php71" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-opcache" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-opcache-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-intl" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-intl-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-bcmath" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-bcmath-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-enchant" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-enchant-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-tidy" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-tidy-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-dbg" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-dbg-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-debuginfo" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-debuginfo-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pspell" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pspell-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gd" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-gd-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xml" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-xml-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pgsql" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pgsql-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-snmp" 
release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-snmp-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pdo-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-odbc" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-odbc-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-pdo-dblib" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-pdo-dblib-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-common" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-common-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-json" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-json-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-imap" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-imap-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-gmp" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-gmp-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-process" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-process-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-xmlrpc" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-xmlrpc-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php71-soap" release="1.41.amzn1" version="7.1.31"><filename>Packages/php71-soap-7.1.31-1.41.amzn1.i686.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-odbc" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-odbc-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xml" 
release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-xml-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mysqlnd" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-mysqlnd-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-mbstring" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-mbstring-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-ldap" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-ldap-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-recode" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-recode-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-devel" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-devel-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-embedded" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-embedded-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-opcache" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-opcache-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dbg" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-dbg-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-common" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-common-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gd" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-gd-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" 
name="php73-snmp" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-snmp-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-enchant" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-enchant-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-bcmath" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-bcmath-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-xmlrpc" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-xmlrpc-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-gmp" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-gmp-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-tidy" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-tidy-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-dba" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-dba-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-fpm" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-fpm-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pgsql" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pgsql-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-cli" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-cli-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo-dblib" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pdo-dblib-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-debuginfo" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-debuginfo-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php73-process" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-process-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-imap" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-imap-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-soap" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-soap-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-json" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-json-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pspell" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pspell-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-intl" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-intl-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php73-pdo" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pdo-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="php73-xmlrpc" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-xmlrpc-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-bcmath" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-bcmath-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pdo-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-tidy" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-tidy-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gd" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-gd-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" 
epoch="0" name="php73-common" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-common-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pdo-dblib" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pdo-dblib-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dbg" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-dbg-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-opcache" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-opcache-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-process" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-process-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-recode" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-recode-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-snmp" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-snmp-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-gmp" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-gmp-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-enchant" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-enchant-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-cli" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-cli-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-odbc" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-odbc-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-embedded" 
release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-embedded-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-dba" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-dba-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mysqlnd" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-mysqlnd-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-debuginfo" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-debuginfo-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-devel" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-devel-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-mbstring" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-mbstring-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pgsql" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pgsql-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-xml" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-xml-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-fpm" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-fpm-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-ldap" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-ldap-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-imap" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-imap-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-pspell" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-pspell-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-json" release="1.18.amzn1" 
version="7.3.8"><filename>Packages/php73-json-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-intl" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-intl-7.3.8-1.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php73-soap" release="1.18.amzn1" version="7.3.8"><filename>Packages/php73-soap-7.3.8-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1284</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1284: low priority package update for php72</title><issued date="2019-09-13 22:55" /><updated date="2019-09-13 22:55" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16183 CVE-2019-11042: 16184 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. 16185 1739465: 16186 CVE-2019-11042 php: heap buffer over-read in exif_process_user_comment() 16187 16188 CVE-2019-11041: 16189 When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. 
16190 1739459: 16191 CVE-2019-11041 php: heap buffer over-read in exif_scan_thumbnail() 16192 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11042" id="CVE-2019-11042" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041" id="CVE-2019-11041" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="php72-tidy" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-tidy-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xmlrpc" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-xmlrpc-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-cli" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-cli-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-embedded" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-embedded-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mysqlnd" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-mysqlnd-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-devel" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-devel-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo-dblib" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pdo-dblib-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-imap" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-imap-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package 
arch="x86_64" epoch="0" name="php72-fpm" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-fpm-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-enchant" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-enchant-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-debuginfo" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-debuginfo-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gmp" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-gmp-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-gd" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-gd-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-json" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-json-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dba" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-dba-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-snmp" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-snmp-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pgsql" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pgsql-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-common" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-common-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-mbstring" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-mbstring-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-bcmath" release="1.15.amzn1" 
version="7.2.21"><filename>Packages/php72-bcmath-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-process" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-process-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pdo" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pdo-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-soap" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-soap-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-intl" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-intl-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-recode" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-recode-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-ldap" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-ldap-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-xml" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-xml-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-odbc" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-odbc-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-dbg" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-dbg-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-pspell" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pspell-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="php72-opcache" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-opcache-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" 
name="php72-dba" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-dba-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pspell" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pspell-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-opcache" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-opcache-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-common" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-common-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-snmp" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-snmp-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mbstring" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-mbstring-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xmlrpc" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-xmlrpc-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-tidy" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-tidy-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-imap" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-imap-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-bcmath" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-bcmath-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-enchant" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-enchant-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php72-gmp" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-gmp-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo-dblib" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pdo-dblib-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pgsql" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pgsql-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-intl" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-intl-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-fpm" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-fpm-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-soap" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-soap-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-debuginfo" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-debuginfo-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-xml" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-xml-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-devel" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-devel-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-process" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-process-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-recode" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-recode-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-pdo" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-pdo-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" 
name="php72-json" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-json-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-dbg" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-dbg-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-mysqlnd" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-mysqlnd-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-ldap" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-ldap-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-embedded" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-embedded-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-odbc" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-odbc-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-cli" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-cli-7.2.21-1.15.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="php72-gd" release="1.15.amzn1" version="7.2.21"><filename>Packages/php72-gd-7.2.21-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1285</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1285: medium priority package update for zsh</title><issued date="2019-09-13 22:56" /><updated date="2019-09-13 22:56" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16193 CVE-2018-13259: 16194 1626184: 16195 CVE-2018-13259 zsh: Improper handling of shebang line longer than 64 16196 It was discovered that zsh does not properly validate the shebang of input files and it truncates it to the first 64 
bytes. A local attacker may use this flaw to make zsh execute a different binary than what is expected, named with a substring of the shebang one. 16197 </description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13259" id="CVE-2018-13259" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="zsh-html" release="33.18.amzn1" version="5.0.2"><filename>Packages/zsh-html-5.0.2-33.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="zsh" release="33.18.amzn1" version="5.0.2"><filename>Packages/zsh-5.0.2-33.18.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="zsh-debuginfo" release="33.18.amzn1" version="5.0.2"><filename>Packages/zsh-debuginfo-5.0.2-33.18.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="zsh-html" release="33.18.amzn1" version="5.0.2"><filename>Packages/zsh-html-5.0.2-33.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="zsh" release="33.18.amzn1" version="5.0.2"><filename>Packages/zsh-5.0.2-33.18.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="zsh-debuginfo" release="33.18.amzn1" version="5.0.2"><filename>Packages/zsh-debuginfo-5.0.2-33.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1286</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1286: medium priority package update for libjpeg-turbo</title><issued date="2019-09-13 22:58" /><updated date="2019-09-13 22:58" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 16198 CVE-2018-14498: 16199 1687424: 16200 CVE-2018-14498 libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads 
to denial of service
get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

CVE-2018-11813:
1588803:
CVE-2018-11813 libjpeg: "cjpeg" utility large loop because read_pixel in rdtarga.c mishandles EOF
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.

CVE-2018-11214:
An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PPM file. An attacker could use this flaw to crash the application and cause a denial of service.
1579980:
CVE-2018-11214 libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c

CVE-2018-11213:
1579979:
CVE-2018-11213 libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c
An out-of-bound read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PGM file. An attacker could use this flaw to crash the application and cause a denial of service.

CVE-2018-11212:
1579973:
CVE-2018-11212 libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c
A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file.

CVE-2016-3616:
The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.
1319661:
CVE-2016-3616 libjpeg: null pointer dereference in cjpeg
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212" id="CVE-2018-11212" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11213" id="CVE-2018-11213" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214" id="CVE-2018-11214" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498" id="CVE-2018-14498" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3616" id="CVE-2016-3616" title="" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813" id="CVE-2018-11813" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="x86_64" epoch="0" name="libjpeg-turbo-static" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-static-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-devel" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-devel-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-debuginfo" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo-utils" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-utils-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="libjpeg-turbo" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="turbojpeg-devel" release="8.16.amzn1" 
version="1.2.90"><filename>Packages/turbojpeg-devel-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="x86_64" epoch="0" name="turbojpeg" release="8.16.amzn1" version="1.2.90"><filename>Packages/turbojpeg-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package arch="i686" epoch="0" name="turbojpeg-devel" release="8.16.amzn1" version="1.2.90"><filename>Packages/turbojpeg-devel-1.2.90-8.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="turbojpeg" release="8.16.amzn1" version="1.2.90"><filename>Packages/turbojpeg-1.2.90-8.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-utils" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-utils-1.2.90-8.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-1.2.90-8.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-static" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-static-1.2.90-8.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-debuginfo" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-8.16.amzn1.i686.rpm</filename></package><package arch="i686" epoch="0" name="libjpeg-turbo-devel" release="8.16.amzn1" version="1.2.90"><filename>Packages/libjpeg-turbo-devel-1.2.90-8.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4"><id>ALAS-2019-1287</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1287: medium priority package update for perl-Archive-Tar</title><issued date="2019-09-13 22:59" /><updated date="2019-09-13 22:59" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: 
CVE-2018-12015:
1588760:
CVE-2018-12015 perl: Directory traversal in Archive::Tar
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015" id="CVE-2018-12015" title="" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package arch="noarch" epoch="0" name="perl-Archive-Tar" release="3.6.amzn1" version="1.92"><filename>Packages/perl-Archive-Tar-1.92-3.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update></updates>