lambci / docker-lambda

Docker images and test runners that replicate the live AWS Lambda environment


Many vulnerabilities according to ECR scan

thomaschaaf opened this issue

The current base image seems to have many security issues which are already fixed in amazon linux 2 (according to the description):

Name | Package | Severity | Description
-- | -- | -- | --
ALAS2-2020-1488 | kernel-devel:4.14.186-146.268.amzn2 | HIGH | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-14386: 99999:
ALAS2-2020-1480 | kernel-devel:4.14.186-146.268.amzn2 | HIGH | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-15393: In the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770. 1852584: CVE-2020-15393 kernel: memory leak in usbtest_disconnect function in drivers/usb/misc/usbtest.c CVE-2020-12655: 1832543: CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. CVE-2020-10781: 1847832: CVE-2020-10781 kernel: zram sysfs resource consumption A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable. CVE-2019-9445: 1819384: CVE-2019-9445 kernel: out of bounds read due to missing bounds check in F2FS driver leads to local information disclosure In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. CVE-2019-3016: In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. 1792167: CVE-2019-3016 kernel: kvm: Information leak within a KVM guest CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4. 1774933: CVE-2019-19074 kernel: a memory leak in the ath9k management function in allows local DoS CVE-2019-19073: 1774937: CVE-2019-19073 kernel: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel (DOS) Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10. CVE-2019-19061: 1775029: CVE-2019-19061 kernel: A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c allows for a DoS A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3. CVE-2019-19054: 1775063: CVE-2019-19054 kernel: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allows attackers to cause a DoS A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b. CVE-2019-18808: 1777418: CVE-2019-18808 kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247. CVE-2018-8043: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). 1554199: CVE-2018-8043 kernel: NULL pointer dereference in drivers/net/phy/mdio-bcm-unimac.c:unimac_mdio_probe() can lead to denial of service CVE-2018-10323: The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image. 1571627: CVE-2018-10323 kernel: Invalid pointer dereference in xfs_bmapi_write() when mounting and operating on crafted xfs image allows denial of service CVE-2017-18232: 1558066: CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service 1558066: CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service The Serial Attached SCSI (SAS) implementation in the Linux kernel mishandles a mutex within libsas. This allows local users to cause a denial of service (deadlock) by triggering certain error-handling code. The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.
ALAS2-2020-1480 | kernel-headers:4.14.186-146.268.amzn2 | HIGH | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-15393: In the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/misc/usbtest.c has a memory leak, aka CID-28ebeb8db770. 1852584: CVE-2020-15393 kernel: memory leak in usbtest_disconnect function in drivers/usb/misc/usbtest.c CVE-2020-12655: 1832543: CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767. CVE-2020-10781: 1847832: CVE-2020-10781 kernel: zram sysfs resource consumption A flaw was found in the ZRAM kernel module, where a user with a local account and the ability to read the /sys/class/zram-control/hot_add file can create ZRAM device nodes in the /dev/ directory. This read allocates kernel memory and is not accounted for a user that triggers the creation of that ZRAM device. With this vulnerability, continually reading the device may consume a large amount of system memory and cause the Out-of-Memory (OOM) killer to activate and terminate random userspace processes, possibly making the system inoperable. CVE-2019-9445: 1819384: CVE-2019-9445 kernel: out of bounds read due to missing bounds check in F2FS driver leads to local information disclosure In the Android kernel in F2FS driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation. CVE-2019-3016: In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out. 1792167: CVE-2019-3016 kernel: kvm: Information leak within a KVM guest CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4. 1774933: CVE-2019-19074 kernel: a memory leak in the ath9k management function in allows local DoS CVE-2019-19073: 1774937: CVE-2019-19073 kernel: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel (DOS) Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function, aka CID-853acf7caf10. CVE-2019-19061: 1775029: CVE-2019-19061 kernel: A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c allows for a DoS A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3. CVE-2019-19054: 1775063: CVE-2019-19054 kernel: A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c allows attackers to cause a DoS A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b. CVE-2019-18808: 1777418: CVE-2019-18808 kernel: memory leak in ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247. CVE-2018-8043: The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). 1554199: CVE-2018-8043 kernel: NULL pointer dereference in drivers/net/phy/mdio-bcm-unimac.c:unimac_mdio_probe() can lead to denial of service CVE-2018-10323: The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image. 1571627: CVE-2018-10323 kernel: Invalid pointer dereference in xfs_bmapi_write() when mounting and operating on crafted xfs image allows denial of service CVE-2017-18232: 1558066: CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service 1558066: CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service The Serial Attached SCSI (SAS) implementation in the Linux kernel mishandles a mutex within libsas. This allows local users to cause a denial of service (deadlock) by triggering certain error-handling code. The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.
ALAS2-2020-1488 | kernel-headers:4.14.186-146.268.amzn2 | HIGH | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-14386: 99999:
ALAS2-2020-1483 | python:2.7.18-1.amzn2.0.1 | MEDIUM | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
ALAS2-2020-1483 | python-devel:2.7.18-1.amzn2.0.1 | MEDIUM | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
ALAS2-2020-1483 | python-libs:2.7.18-1.amzn2.0.1 | MEDIUM | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
ALAS2-2020-1484 | python3:3.7.8-1.amzn2.0.1 | MEDIUM | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-14422: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. 1854926: CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
ALAS2-2020-1484 | python3-devel:3.7.8-1.amzn2.0.1 | MEDIUM | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-14422: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. 1854926: CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
ALAS2-2020-1484 | python3-libs:3.7.8-1.amzn2.0.1 | MEDIUM | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2020-14422: Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. 1854926: CVE-2020-14422 python: DoS via inefficiency in IPv{4,6}Interface classes CVE-2019-20907: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. 1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
ALAS2-2020-1477 | gettext:0.19.8.1-2.amzn2.0.2 | LOW | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-18751: 1647043: CVE-2018-18751 gettext: double free in default_add_message in read-catalog.c An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
ALAS2-2020-1477 | gettext-common-devel:0.19.8.1-2.amzn2.0.2 | LOW | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-18751: 1647043: CVE-2018-18751 gettext: double free in default_add_message in read-catalog.c An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
ALAS2-2020-1477 | gettext-devel:0.19.8.1-2.amzn2.0.2 | LOW | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-18751: 1647043: CVE-2018-18751 gettext: double free in default_add_message in read-catalog.c An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.
ALAS2-2020-1477 | gettext-libs:0.19.8.1-2.amzn2.0.2 | LOW | Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2018-18751: 1647043: CVE-2018-18751 gettext: double free in default_add_message in read-catalog.c An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt.

If you're checking the latest images, then you'll find these exact vulnerabilities in Lambda itself.

The images are sometimes a day or two behind what's actually on Lambda – but I've just checked and they're currently up to date.

There's no way to access USB drivers in Lambda, so I assume AWS doesn't think it's a particularly critical patch.

Also looks like the latest amazonlinux:2 docker image has some of these issues too (both python and python-libs are outdated).

Most docker repos don't update images just because a new package is released. Best practice if you're worried about these is to keep your own images and update them.

Did you mean the base build images, not the runtime base images?

If so, I've just pushed some updated versions of them.