
Add Amazon Linux advisories #1569

Open: wants to merge 5 commits into base: main

Conversation

ambuj-1211
Collaborator

Fixes: #72
This PR adds the Amazon Linux importer.

@ambuj-1211
Collaborator Author

@ziadhany help me to create the fixed version, as there are new packages provided here https://alas.aws.amazon.com/ALAS-2024-1943.html in the amazon_linux advisories URL, and how to handle the affected_packages part effectively.

  • One more thing: should I also include CVEs in the aliases along with the ALAS id?
  • From this URL, should I also consider including the Additional References in the references of my Advisory Data object?

ambuj-1211 changed the title from "Add amazonlinux advisories" to "Add Amazon Linux advisories" on Aug 27, 2024
@keshav-space
Member

keshav-space commented Aug 27, 2024

@ambuj-1211

Steps to get the Structured Advisory

Mirror List for AL

Procedure:

  1. Visit the AL mirror list and get the mirror server URL.
  2. Append /repodata/updateinfo.xml.gz to the mirror server URL, and download the updateinfo.xml.gz file, which contains the structured security advisory as shown below.
<update status="final" version="1.4" author="[email protected]" type="security" from="[email protected]">
  <id>ALAS-2011-1</id>
  <title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
  <issued date="2011-09-27 22:46:00" />
  <updated date="2014-09-14 14:25:00" />
  <severity>medium</severity>
  <description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
	The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
  </description>
  <references>
    <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
    <reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
  </references>
  <pkglist>
    <collection short="amazon-linux-ami">
      <name>Amazon Linux AMI</name>
      <package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <!-- ... -->
    </collection>
  </pkglist>
</update>

Note

This only contains the fixed package versions.
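One way to turn such an updateinfo.xml record into the pieces the importer needs (advisory id, CVE aliases, references, fixed packages as RPM EVR strings), written as an added example for this thread and not code from the PR. The sample XML below is constructed from the record above, trimmed to one advisory, with a placeholder author address; real input is the gzipped file from the mirror, which the function also accepts.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed sample: one <update> record trimmed from the updateinfo.xml
# shown above; the "from" address is a placeholder, not the real value.
SAMPLE_UPDATEINFO = b"""<updates>
<update status="final" version="1.4" type="security" from="placeholder@example.invalid">
  <id>ALAS-2011-1</id>
  <issued date="2011-09-27 22:46:00" />
  <severity>medium</severity>
  <references>
    <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
    <reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
  </references>
  <pkglist><collection short="amazon-linux-ami">
    <name>Amazon Linux AMI</name>
    <package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
      <filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
    </package>
    <package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
      <filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
    </package>
  </collection></pkglist>
</update>
</updates>"""


def parse_updateinfo(raw: bytes) -> list[dict]:
    """Parse updateinfo.xml (gzipped or plain bytes) into advisory dicts."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic: the mirror serves updateinfo.xml.gz
        raw = gzip.decompress(raw)
    advisories = []
    for update in ET.fromstring(raw).iter("update"):
        refs = update.findall("references/reference")
        # CVE ids become aliases of the ALAS id; every href is kept as a reference
        aliases = sorted(r.get("id") for r in refs if r.get("type") == "cve")
        fixed = []
        for pkg in update.findall("pkglist/collection/package"):
            # RPM epoch:version-release. The file lists only fixed packages,
            # so no affected version range can be derived from it.
            evr = f"{pkg.get('epoch', '0')}:{pkg.get('version')}-{pkg.get('release')}"
            fixed.append((pkg.get("name"), evr, pkg.get("arch")))
        advisories.append({
            "advisory_id": update.findtext("id"),
            "aliases": aliases,
            "severity": update.findtext("severity"),
            "issued": update.find("issued").get("date"),
            "references": [r.get("href") for r in refs],
            "fixed_packages": fixed,
        })
    return advisories
```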

@ambuj-1211
Collaborator Author

@keshav-space So should I directly fetch the whole data from these files? And where can I get the license to use the data from here?

@keshav-space
Member

@ambuj-1211

So should I directly fetch the whole data from these files?

You can, but if you already have a way to get the AL advisory data and it's working, then there's no need to change.

And where can I get the license to use the data from here?

Not sure about the license yet. AL provides security and bug fixes to AL packages using updateinfo.xml, and they should be covered under the same license as AL? I'm not sure.

@ambuj-1211
Collaborator Author

ambuj-1211 commented Aug 31, 2024

@ziadhany @TG1999 @keshav-space Not sure about the license, please help me with that.

@ziadhany
Collaborator

ziadhany commented Sep 2, 2024

@ambuj-1211

Please set the license to unknown, so we can either do more research or reach out to the API author directly to inquire about the data license.

TG1999 added this to the v36.0.0 - 3-next milestone on Oct 15, 2024
Successfully merging this pull request may close these issues.

Collect vulnerabilities from Amazon Linux