[ALAS-2016-655] Amazon Linux AMI 2014.03 - ALAS-2016-655: medium priority package update for nginx
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0747:
It was discovered that nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration.
1302589:
CVE-2016-0747 nginx: Insufficient limits of CNAME resolution in resolver
CVE-2016-0746:
A use-after-free flaw was found in the way nginx resolved certain CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash or, possibly, execute arbitrary code if nginx enabled the resolver in its configuration.
1302588:
CVE-2016-0746 nginx: use-after-free during CNAME response processing in resolver
CVE-2016-0742:
It was discovered that nginx could perform an out of bound read and dereference an invalid pointer when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash if nginx enabled the resolver in its configuration.
1302587:
CVE-2016-0742 nginx: invalid pointer dereference in resolver
| Package | Affected Version |
|---|---|
 pkg:rpm/amazonlinux/nginx?arch=x86_64&distro=amazonlinux-1
|
< 1.8.1-1.26.amzn1 |
|
pkg:rpm/amazonlinux/nginx?arch=i686&distro=amazonlinux-1
|
< 1.8.1-1.26.amzn1 |
|
pkg:rpm/amazonlinux/nginx-debuginfo?arch=x86_64&distro=amazonlinux-1
|
< 1.8.1-1.26.amzn1 |
|
pkg:rpm/amazonlinux/nginx-debuginfo?arch=i686&distro=amazonlinux-1
|
< 1.8.1-1.26.amzn1 |
- ID
- ALAS-2016-655
- Severity
- medium
- URL
- https://alas.aws.amazon.com/ALAS-2016-655.html
- Published
-
2016-02-19T15:50:00
(8 years ago) - Modified
-
2016-02-19T15:50:00
(8 years ago) - Rights
- Amazon Linux Security Team
- Other Advisories
DSA-3473-1
FEDORA-2016-bf03932bb3
FREEBSD:C1C18EE1-C711-11E5-96D6-14DAE9D210B8
GLSA-201606-06
NGINX:CVE-2016-0742
SUSE-SU-2016:1232-1
USN-2892-1| Source | # ID | Name | URL |
|---|---|---|---|
| CVE | CVE-2016-0742 |
|
|
| CVE | CVE-2016-0746 |
|
|
| CVE | CVE-2016-0747 |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:rpm/amazonlinux/nginx?arch=x86_64&distro=amazonlinux-1 | amazonlinux |
nginx
|
< 1.8.1-1.26.amzn1 | amazonlinux-1 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/nginx?arch=i686&distro=amazonlinux-1 | amazonlinux |
nginx
|
< 1.8.1-1.26.amzn1 | amazonlinux-1 | i686 | |
| Affected | pkg:rpm/amazonlinux/nginx-debuginfo?arch=x86_64&distro=amazonlinux-1 | amazonlinux |
nginx-debuginfo
|
< 1.8.1-1.26.amzn1 | amazonlinux-1 | x86_64 | |
| Affected | pkg:rpm/amazonlinux/nginx-debuginfo?arch=i686&distro=amazonlinux-1 | amazonlinux |
nginx-debuginfo
|
< 1.8.1-1.26.amzn1 | amazonlinux-1 | i686 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |