Amazon Linux Local Security Checks : Amazon Linux: Security Advisory (ALAS-2016-655)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.120645

Categoría: Amazon Linux Local Security Checks

Título: Amazon Linux: Security Advisory (ALAS-2016-655)

Resumen: The remote host is missing an update for the 'nginx' package(s) announced via the ALAS-2016-655 advisory.

Descripción: Summary:
The remote host is missing an update for the 'nginx' package(s) announced via the ALAS-2016-655 advisory.

Vulnerability Insight:
It was discovered that nginx could perform an out of bound read and dereference an invalid pointer when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash if nginx enabled the resolver in its configuration. (CVE-2016-0742)

A use-after-free flaw was found in the way nginx resolved certain CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash or, possibly, execute arbitrary code if nginx enabled the resolver in its configuration. (CVE-2016-0746)

It was discovered that nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration. (CVE-2016-0747)

Affected Software/OS:
'nginx' package(s) on Amazon Linux.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2016-0742
Debian Security Information: DSA-3473 (Google Search)
http://www.debian.org/security/2016/dsa-3473
http://seclists.org/fulldisclosure/2021/Sep/36
https://security.gentoo.org/glsa/201606-06
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
RedHat Security Advisories: RHSA-2016:1425
https://access.redhat.com/errata/RHSA-2016:1425
http://www.securitytracker.com/id/1034869
SuSE Security Announcement: openSUSE-SU-2016:0371 (Google Search)
http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html
http://www.ubuntu.com/usn/USN-2892-1
Common Vulnerability Exposure (CVE) ID: CVE-2016-0746
Common Vulnerability Exposure (CVE) ID: CVE-2016-0747

Copyright Copyright (C) 2016 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.120645
Categoría:	Amazon Linux Local Security Checks
Título:	Amazon Linux: Security Advisory (ALAS-2016-655)
Resumen:	The remote host is missing an update for the 'nginx' package(s) announced via the ALAS-2016-655 advisory.
Descripción:	Summary: The remote host is missing an update for the 'nginx' package(s) announced via the ALAS-2016-655 advisory. Vulnerability Insight: It was discovered that nginx could perform an out of bound read and dereference an invalid pointer when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash if nginx enabled the resolver in its configuration. (CVE-2016-0742) A use-after-free flaw was found in the way nginx resolved certain CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash or, possibly, execute arbitrary code if nginx enabled the resolver in its configuration. (CVE-2016-0746) It was discovered that nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration. (CVE-2016-0747) Affected Software/OS: 'nginx' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2016-0742 Debian Security Information: DSA-3473 (Google Search) http://www.debian.org/security/2016/dsa-3473 http://seclists.org/fulldisclosure/2021/Sep/36 https://security.gentoo.org/glsa/201606-06 http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html RedHat Security Advisories: RHSA-2016:1425 https://access.redhat.com/errata/RHSA-2016:1425 http://www.securitytracker.com/id/1034869 SuSE Security Announcement: openSUSE-SU-2016:0371 (Google Search) http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html http://www.ubuntu.com/usn/USN-2892-1 Common Vulnerability Exposure (CVE) ID: CVE-2016-0746 Common Vulnerability Exposure (CVE) ID: CVE-2016-0747
Copyright	Copyright (C) 2016 Greenbone AG