-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Amazon Linux advisories #1569
base: main
Are you sure you want to change the base?
Add Amazon Linux advisories #1569
Conversation
@ziadhany help me to create the fixed version as there are new packages provided here https://alas.aws.amazon.com/ALAS-2024-1943.html in the amazon_linux advisories URL and how to handle the affected_packages part effectively.
|
Steps to get the Structured AdvisoryMirror List for AL
Procedure:
<id>ALAS-2011-1</id>
<title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
<issued date="2011-09-27 22:46:00" />
<updated date="2014-09-14 14:25:00" />
<severity>medium</severity>
<description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
<reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
</references>
<pkglist>
<collection short="amazon-linux-ami">
<name>Amazon Linux AMI</name>
<package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
<filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
...
</collection>
</pkglist>undefined</update>undefined<update status="final" version="1.4" author="[email protected]" type="security" from="[email protected]"> Note This only contains the fixed package versions. |
@keshav-space So should I directly fetch whole data from these files? and where can I get the license to use the data from here. |
You can, but if you already have a way to get the AL advisory data and it's working, then there's no need to change.
Not sure about the license yet. AL provides security and bug fixes to AL packages using |
Signed-off-by: ambuj <[email protected]>
…-1211/vulnerablecode into add-amazonlinux-advisories Signed-off-by: ambuj <[email protected]>
@ziadhany @TG1999 @keshav-space Not sure about the license, please help me with that. |
Please set the license to |
Fixes: #72
This Pr adds amazon linux importer.