Merge pull request #671 from ericysim/amazon

Add updaters for Amazon Linux 2018.03 and Amazon Linux 2
This commit is contained in:
Jimmy Zelinskie 2019-04-24 14:11:10 -04:00 committed by GitHub
commit 5fef44dd04
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 853 additions and 9 deletions

View File

@ -18,11 +18,12 @@ All of these components can be found in the `ext/` directory.
## Data Sources for the built-in drivers ## Data Sources for the built-in drivers
| Data Source | Data Collected | Format | License | | Data Source | Data Collected | Format | License |
|-------------------------------|--------------------------------------------------------------------------|--------|-----------------| |------------------------------------|--------------------------------------------------------------------------|--------|-----------------|
| [Debian Security Bug Tracker] | Debian 6, 7, 8, unstable namespaces | [dpkg] | [Debian] | | [Debian Security Bug Tracker] | Debian 6, 7, 8, unstable namespaces | [dpkg] | [Debian] |
| [Ubuntu CVE Tracker] | Ubuntu 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04 namespaces | [dpkg] | [GPLv2] | | [Ubuntu CVE Tracker] | Ubuntu 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04 namespaces | [dpkg] | [GPLv2] |
| [Red Hat Security Data] | CentOS 5, 6, 7 namespaces | [rpm] | [CVRF] | | [Red Hat Security Data] | CentOS 5, 6, 7 namespaces | [rpm] | [CVRF] |
| [Oracle Linux Security Data] | Oracle Linux 5, 6, 7 namespaces | [rpm] | [CVRF] | | [Oracle Linux Security Data] | Oracle Linux 5, 6, 7 namespaces | [rpm] | [CVRF] |
| [Amazon Linux Security Advisories] | Amazon Linux 2018.03, 2 namespaces | [rpm] | [MIT-0] |
| [SUSE OVAL Descriptions] | openSUSE, SUSE Linux Enterprise namespaces | [rpm] | [CC-BY-NC-4.0] | | [SUSE OVAL Descriptions] | openSUSE, SUSE Linux Enterprise namespaces | [rpm] | [CC-BY-NC-4.0] |
| [Alpine SecDB] | Alpine 3.3, Alpine 3.4, Alpine 3.5 namespaces | [apk] | [MIT] | | [Alpine SecDB] | Alpine 3.3, Alpine 3.4, Alpine 3.5 namespaces | [apk] | [MIT] |
| [NIST NVD] | Generic Vulnerability Metadata | N/A | [Public Domain] | | [NIST NVD] | Generic Vulnerability Metadata | N/A | [Public Domain] |
@ -32,6 +33,7 @@ All of these components can be found in the `ext/` directory.
[Red Hat Security Data]: https://www.redhat.com/security/data/metrics [Red Hat Security Data]: https://www.redhat.com/security/data/metrics
[Oracle Linux Security Data]: https://linux.oracle.com/security/ [Oracle Linux Security Data]: https://linux.oracle.com/security/
[SUSE OVAL Descriptions]: https://www.suse.com/de-de/support/security/oval/ [SUSE OVAL Descriptions]: https://www.suse.com/de-de/support/security/oval/
[Amazon Linux Security Advisories]: https://alas.aws.amazon.com/
[NIST NVD]: https://nvd.nist.gov [NIST NVD]: https://nvd.nist.gov
[dpkg]: https://en.wikipedia.org/wiki/dpkg [dpkg]: https://en.wikipedia.org/wiki/dpkg
[rpm]: http://www.rpm.org [rpm]: http://www.rpm.org
@ -42,6 +44,7 @@ All of these components can be found in the `ext/` directory.
[Alpine SecDB]: http://git.alpinelinux.org/cgit/alpine-secdb/ [Alpine SecDB]: http://git.alpinelinux.org/cgit/alpine-secdb/
[apk]: http://git.alpinelinux.org/cgit/apk-tools/ [apk]: http://git.alpinelinux.org/cgit/apk-tools/
[MIT]: https://gist.github.com/jzelinskie/6da1e2da728424d88518be2adbd76979 [MIT]: https://gist.github.com/jzelinskie/6da1e2da728424d88518be2adbd76979
[MIT-0]: https://spdx.org/licenses/MIT-0.html
[CC-BY-NC-4.0]: https://creativecommons.org/licenses/by-nc/4.0/] [CC-BY-NC-4.0]: https://creativecommons.org/licenses/by-nc/4.0/]
## Adding new drivers ## Adding new drivers

View File

@ -52,6 +52,7 @@ import (
_ "github.com/coreos/clair/ext/notification/webhook" _ "github.com/coreos/clair/ext/notification/webhook"
_ "github.com/coreos/clair/ext/vulnmdsrc/nvd" _ "github.com/coreos/clair/ext/vulnmdsrc/nvd"
_ "github.com/coreos/clair/ext/vulnsrc/alpine" _ "github.com/coreos/clair/ext/vulnsrc/alpine"
_ "github.com/coreos/clair/ext/vulnsrc/amzn"
_ "github.com/coreos/clair/ext/vulnsrc/debian" _ "github.com/coreos/clair/ext/vulnsrc/debian"
_ "github.com/coreos/clair/ext/vulnsrc/oracle" _ "github.com/coreos/clair/ext/vulnsrc/oracle"
_ "github.com/coreos/clair/ext/vulnsrc/rhel" _ "github.com/coreos/clair/ext/vulnsrc/rhel"

349
ext/vulnsrc/amzn/amzn.go Normal file
View File

@ -0,0 +1,349 @@
// Copyright 2019 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package amzn implements a vulnerability source updater using
// ALAS (Amazon Linux Security Advisories).
package amzn
import (
"bufio"
"compress/gzip"
"encoding/xml"
"fmt"
"io"
"regexp"
"strings"
log "github.com/sirupsen/logrus"
"github.com/coreos/clair/database"
"github.com/coreos/clair/ext/versionfmt"
"github.com/coreos/clair/ext/versionfmt/rpm"
"github.com/coreos/clair/ext/vulnsrc"
"github.com/coreos/clair/pkg/commonerr"
"github.com/coreos/clair/pkg/httputil"
)
const (
amazonLinux1UpdaterFlag = "amazonLinux1Updater"
amazonLinux1MirrorListURI = "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list"
amazonLinux1Name = "Amazon Linux 2018.03"
amazonLinux1Namespace = "amzn:2018.03"
amazonLinux1LinkFormat = "https://alas.aws.amazon.com/%s.html"
amazonLinux2UpdaterFlag = "amazonLinux2Updater"
amazonLinux2MirrorListURI = "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list"
amazonLinux2Name = "Amazon Linux 2"
amazonLinux2Namespace = "amzn:2"
amazonLinux2LinkFormat = "https://alas.aws.amazon.com/AL2/%s.html"
)
type updater struct {
UpdaterFlag string
MirrorListURI string
Name string
Namespace string
LinkFormat string
}
func init() {
// Register updater for Amazon Linux 2018.03.
amazonLinux1Updater := updater{
UpdaterFlag: amazonLinux1UpdaterFlag,
MirrorListURI: amazonLinux1MirrorListURI,
Name: amazonLinux1Name,
Namespace: amazonLinux1Namespace,
LinkFormat: amazonLinux1LinkFormat,
}
vulnsrc.RegisterUpdater("amzn1", &amazonLinux1Updater)
// Register updater for Amazon Linux 2.
amazonLinux2Updater := updater{
UpdaterFlag: amazonLinux2UpdaterFlag,
MirrorListURI: amazonLinux2MirrorListURI,
Name: amazonLinux2Name,
Namespace: amazonLinux2Namespace,
LinkFormat: amazonLinux2LinkFormat,
}
vulnsrc.RegisterUpdater("amzn2", &amazonLinux2Updater)
}
func (u *updater) Update(datastore database.Datastore) (vulnsrc.UpdateResponse, error) {
log.WithField("package", u.Name).Info("Start fetching vulnerabilities")
// Get the flag value (the timestamp of the latest ALAS of the previous update).
flagValue, found, err := database.FindKeyValueAndRollback(datastore, u.UpdaterFlag)
if err != nil {
return vulnsrc.UpdateResponse{}, err
}
if !found {
flagValue = ""
}
var timestamp string
// Get the ALASs from updateinfo.xml.gz from the repos.
updateInfo, err := u.getUpdateInfo()
if err != nil {
return vulnsrc.UpdateResponse{}, err
}
// Get the ALASs which were issued/updated since the previous update.
var alasList []ALAS
for _, alas := range updateInfo.ALASList {
if compareTimestamp(alas.Updated.Date, flagValue) > 0 {
alasList = append(alasList, alas)
if compareTimestamp(alas.Updated.Date, timestamp) > 0 {
timestamp = alas.Updated.Date
}
}
}
// Get the vulnerabilities.
vulnerabilities := u.alasListToVulnerabilities(alasList)
response := vulnsrc.UpdateResponse{
Vulnerabilities: vulnerabilities,
}
// Set the flag value.
if timestamp != "" {
response.FlagName = u.UpdaterFlag
response.FlagValue = timestamp
} else {
log.WithField("package", u.Name).Debug("no update")
}
return response, err
}
func (u *updater) Clean() {
}
func (u *updater) getUpdateInfo() (UpdateInfo, error) {
// Get the URI of updateinfo.xml.gz.
updateInfoURI, err := u.getUpdateInfoURI()
if err != nil {
return UpdateInfo{}, err
}
// Download updateinfo.xml.gz.
updateInfoResponse, err := httputil.GetWithUserAgent(updateInfoURI)
if err != nil {
log.WithError(err).Error("could not download updateinfo.xml.gz")
return UpdateInfo{}, commonerr.ErrCouldNotDownload
}
defer updateInfoResponse.Body.Close()
if !httputil.Status2xx(updateInfoResponse) {
log.WithField("StatusCode", updateInfoResponse.StatusCode).Error("could not download updateinfo.xml.gz")
return UpdateInfo{}, commonerr.ErrCouldNotDownload
}
// Decompress updateinfo.xml.gz.
updateInfoXml, err := gzip.NewReader(updateInfoResponse.Body)
if err != nil {
log.WithError(err).Error("could not decompress updateinfo.xml.gz")
return UpdateInfo{}, commonerr.ErrCouldNotParse
}
defer updateInfoXml.Close()
// Decode updateinfo.xml.
updateInfo, err := decodeUpdateInfo(updateInfoXml)
if err != nil {
log.WithError(err).Error("could not decode updateinfo.xml")
return UpdateInfo{}, commonerr.ErrCouldNotParse
}
return updateInfo, nil
}
func (u *updater) getUpdateInfoURI() (string, error) {
// Download mirror.list
mirrorListResponse, err := httputil.GetWithUserAgent(u.MirrorListURI)
if err != nil {
log.WithError(err).Error("could not download mirror list")
return "", commonerr.ErrCouldNotDownload
}
defer mirrorListResponse.Body.Close()
if !httputil.Status2xx(mirrorListResponse) {
log.WithField("StatusCode", mirrorListResponse.StatusCode).Error("could not download mirror list")
return "", commonerr.ErrCouldNotDownload
}
// Parse the URI of the first mirror.
scanner := bufio.NewScanner(mirrorListResponse.Body)
success := scanner.Scan()
if success != true {
log.WithError(err).Error("could not parse mirror list")
}
mirrorURI := scanner.Text()
// Download repomd.xml.
repoMdURI := mirrorURI + "/repodata/repomd.xml"
repoMdResponse, err := httputil.GetWithUserAgent(repoMdURI)
if err != nil {
log.WithError(err).Error("could not download repomd.xml")
return "", commonerr.ErrCouldNotDownload
}
defer repoMdResponse.Body.Close()
if !httputil.Status2xx(repoMdResponse) {
log.WithField("StatusCode", repoMdResponse.StatusCode).Error("could not download repomd.xml")
return "", commonerr.ErrCouldNotDownload
}
// Decode repomd.xml.
var repoMd RepoMd
err = xml.NewDecoder(repoMdResponse.Body).Decode(&repoMd)
if err != nil {
log.WithError(err).Error("could not decode repomd.xml")
return "", commonerr.ErrCouldNotDownload
}
// Parse the URI of updateinfo.xml.gz.
var updateInfoURI string
for _, repo := range repoMd.RepoList {
if repo.Type == "updateinfo" {
updateInfoURI = mirrorURI + "/" + repo.Location.Href
break
}
}
if updateInfoURI == "" {
log.Error("could not find updateinfo in repomd.xml")
return "", commonerr.ErrCouldNotDownload
}
return updateInfoURI, nil
}
func decodeUpdateInfo(updateInfoReader io.Reader) (UpdateInfo, error) {
var updateInfo UpdateInfo
err := xml.NewDecoder(updateInfoReader).Decode(&updateInfo)
if err != nil {
return updateInfo, err
}
return updateInfo, nil
}
func (u *updater) alasListToVulnerabilities(alasList []ALAS) []database.VulnerabilityWithAffected {
var vulnerabilities []database.VulnerabilityWithAffected
for _, alas := range alasList {
featureVersions := u.alasToFeatureVersions(alas)
if len(featureVersions) > 0 {
vulnerability := database.VulnerabilityWithAffected{
Vulnerability: database.Vulnerability{
Name: u.alasToName(alas),
Link: u.alasToLink(alas),
Severity: u.alasToSeverity(alas),
Description: u.alasToDescription(alas),
},
Affected: featureVersions,
}
vulnerabilities = append(vulnerabilities, vulnerability)
}
}
return vulnerabilities
}
func (u *updater) alasToName(alas ALAS) string {
return alas.Id
}
func (u *updater) alasToLink(alas ALAS) string {
if u.Name == amazonLinux1Name {
return fmt.Sprintf(u.LinkFormat, alas.Id)
}
if u.Name == amazonLinux2Name {
// "ALAS2-2018-1097" becomes "https://alas.aws.amazon.com/AL2/ALAS-2018-1097.html".
re := regexp.MustCompile(`^ALAS2-(.+)$`)
return fmt.Sprintf(u.LinkFormat, "ALAS-"+re.FindStringSubmatch(alas.Id)[1])
}
return ""
}
func (u *updater) alasToSeverity(alas ALAS) database.Severity {
switch alas.Severity {
case "low":
return database.LowSeverity
case "medium":
return database.MediumSeverity
case "important":
return database.HighSeverity
case "critical":
return database.CriticalSeverity
default:
log.WithField("severity", alas.Severity).Warning("could not determine vulnerability severity")
return database.UnknownSeverity
}
}
func (u *updater) alasToDescription(alas ALAS) string {
re := regexp.MustCompile(`\s+`)
return re.ReplaceAllString(strings.TrimSpace(alas.Description), " ")
}
func (u *updater) alasToFeatureVersions(alas ALAS) []database.AffectedFeature {
var featureVersions []database.AffectedFeature
for _, p := range alas.Packages {
var version string
if p.Epoch == "0" {
version = p.Version + "-" + p.Release
} else {
version = p.Epoch + ":" + p.Version + "-" + p.Release
}
err := versionfmt.Valid(rpm.ParserName, version)
if err != nil {
log.WithError(err).WithField("version", version).Warning("could not parse package version. skipping")
continue
}
featureVersion := database.AffectedFeature{
Namespace: database.Namespace{
Name: u.Namespace,
VersionFormat: rpm.ParserName,
},
FeatureName: p.Name,
AffectedVersion: version,
FeatureType: database.BinaryPackage,
}
if version != versionfmt.MaxVersion {
featureVersion.FixedInVersion = version
}
featureVersions = append(featureVersions, featureVersion)
}
return featureVersions
}
func compareTimestamp(date0 string, date1 string) int {
// format: YYYY-MM-DD hh:mm
if date0 < date1 {
return -1
} else if date0 > date1 {
return 1
} else {
return 0
}
}

View File

@ -0,0 +1,213 @@
// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package amzn
import (
"io/ioutil"
"os"
"path/filepath"
"runtime"
"testing"
"github.com/coreos/clair/database"
"github.com/coreos/clair/ext/versionfmt/rpm"
"github.com/stretchr/testify/assert"
)
func TestAmazonLinux1(t *testing.T) {
amazonLinux1Updater := updater{
MirrorListURI: "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list",
Name: "Amazon Linux 2018.03",
Namespace: "amzn:2018.03",
UpdaterFlag: "amazonLinux1Updater",
LinkFormat: "https://alas.aws.amazon.com/%s.html",
}
_, filename, _, _ := runtime.Caller(0)
path := filepath.Join(filepath.Dir(filename))
expectedDescription0Bytes, err := ioutil.ReadFile(path + "/testdata/amazon_linux_1_description_0.txt")
expectedDescription0 := string(expectedDescription0Bytes)
expectedDescription1Bytes, _ := ioutil.ReadFile(path + "/testdata/amazon_linux_1_description_1.txt")
expectedDescription1 := string(expectedDescription1Bytes)
updateInfoXml, _ := os.Open(path + "/testdata/amazon_linux_1_updateinfo.xml")
defer updateInfoXml.Close()
updateInfo, err := decodeUpdateInfo(updateInfoXml)
assert.Nil(t, err)
vulnerabilities := amazonLinux1Updater.alasListToVulnerabilities(updateInfo.ALASList)
assert.Equal(t, "ALAS-2011-1", vulnerabilities[0].Name)
assert.Equal(t, "https://alas.aws.amazon.com/ALAS-2011-1.html", vulnerabilities[0].Link)
assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
assert.Equal(t, expectedDescription0, vulnerabilities[0].Description)
assert.Equal(t, 11, len(vulnerabilities[0].Affected))
expectedFeatureVersions0 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "httpd-devel",
AffectedVersion: "2.2.21-1.18.amzn1",
FixedInVersion: "2.2.21-1.18.amzn1",
FeatureType: database.BinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "httpd-debuginfo",
AffectedVersion: "2.2.21-1.18.amzn1",
FixedInVersion: "2.2.21-1.18.amzn1",
FeatureType: database.BinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions0 {
assert.Contains(t, vulnerabilities[0].Affected, expectedFeatureVersion)
}
assert.Equal(t, "ALAS-2011-2", vulnerabilities[1].Name)
assert.Equal(t, "https://alas.aws.amazon.com/ALAS-2011-2.html", vulnerabilities[1].Link)
assert.Equal(t, database.HighSeverity, vulnerabilities[1].Severity)
assert.Equal(t, expectedDescription1, vulnerabilities[1].Description)
assert.Equal(t, 8, len(vulnerabilities[1].Affected))
expectedFeatureVersions1 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "cyrus-imapd-debuginfo",
AffectedVersion: "2.3.16-6.4.amzn1",
FixedInVersion: "2.3.16-6.4.amzn1",
FeatureType: database.BinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "cyrus-imapd-utils",
AffectedVersion: "2.3.16-6.4.amzn1",
FixedInVersion: "2.3.16-6.4.amzn1",
FeatureType: database.BinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions1 {
assert.Contains(t, vulnerabilities[1].Affected, expectedFeatureVersion)
}
}
func TestAmazonLinux2(t *testing.T) {
amazonLinux2Updater := updater{
MirrorListURI: "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list",
Name: "Amazon Linux 2",
Namespace: "amzn:2",
UpdaterFlag: "amazonLinux2Updater",
LinkFormat: "https://alas.aws.amazon.com/AL2/%s.html",
}
_, filename, _, _ := runtime.Caller(0)
path := filepath.Join(filepath.Dir(filename))
description0Bytes, _ := ioutil.ReadFile(path + "/testdata/amazon_linux_2_description_0.txt")
expectedDescription0 := string(description0Bytes)
description1Bytes, _ := ioutil.ReadFile(path + "/testdata/amazon_linux_2_description_1.txt")
expectedDescription1 := string(description1Bytes)
updateInfoXml, _ := os.Open(path + "/testdata/amazon_linux_2_updateinfo.xml")
defer updateInfoXml.Close()
updateInfo, err := decodeUpdateInfo(updateInfoXml)
assert.Nil(t, err)
vulnerabilities := amazonLinux2Updater.alasListToVulnerabilities(updateInfo.ALASList)
assert.Equal(t, "ALAS2-2018-939", vulnerabilities[0].Name)
assert.Equal(t, "https://alas.aws.amazon.com/AL2/ALAS-2018-939.html", vulnerabilities[0].Link)
assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity)
assert.Equal(t, expectedDescription0, vulnerabilities[0].Description)
assert.Equal(t, 13, len(vulnerabilities[0].Affected))
expectedFeatureVersions0 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "kernel",
AffectedVersion: "4.9.76-38.79.amzn2",
FixedInVersion: "4.9.76-38.79.amzn2",
FeatureType: database.BinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "kernel-headers",
AffectedVersion: "4.9.76-38.79.amzn2",
FixedInVersion: "4.9.76-38.79.amzn2",
FeatureType: database.BinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions0 {
assert.Contains(t, vulnerabilities[0].Affected, expectedFeatureVersion)
}
assert.Equal(t, "ALAS2-2018-942", vulnerabilities[1].Name)
assert.Equal(t, "https://alas.aws.amazon.com/AL2/ALAS-2018-942.html", vulnerabilities[1].Link)
assert.Equal(t, database.HighSeverity, vulnerabilities[1].Severity)
assert.Equal(t, expectedDescription1, vulnerabilities[1].Description)
assert.Equal(t, 5, len(vulnerabilities[1].Affected))
expectedFeatureVersions1 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "qemu-kvm",
AffectedVersion: "10:1.5.3-141.amzn2.5.3",
FixedInVersion: "10:1.5.3-141.amzn2.5.3",
FeatureType: database.BinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "qemu-img",
AffectedVersion: "10:1.5.3-141.amzn2.5.3",
FixedInVersion: "10:1.5.3-141.amzn2.5.3",
FeatureType: database.BinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions1 {
assert.Contains(t, vulnerabilities[1].Affected, expectedFeatureVersion)
}
}

View File

@ -0,0 +1,28 @@
// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package amzn
type RepoMd struct {
RepoList []Repo `xml:"data"`
}
type Repo struct {
Type string `xml:"type,attr"`
Location Location `xml:"location"`
}
type Location struct {
Href string `xml:"href,attr"`
}

View File

@ -0,0 +1 @@
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2011-3192: A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.

View File

@ -0,0 +1 @@
Package updates are available for Amazon Linux that fix the following vulnerabilities: CVE-2011-3208: Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command. A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user.

View File

@ -0,0 +1,104 @@
<?xml version="1.0" ?>
<updates>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS-2011-1</id>
<title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
<issued date="2011-09-27 22:46" />
<updated date="2014-09-14 14:25" />
<severity>medium</severity>
<description>
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" id="CVE-2011-3192" title="" type="cve" />
<reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" id="RHSA-2011:1245" title="" type="redhat" />
</references>
<pkglist>
<collection short="amazon-linux-ami">
<name>Amazon Linux AMI</name>
<package arch="i686" epoch="0" name="httpd-devel" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="httpd-debuginfo" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="httpd" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="httpd-tools" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="1" name="mod_ssl" release="1.18.amzn1" version="2.2.21">
<filename>Packages/mod_ssl-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="x86_64" epoch="1" name="mod_ssl" release="1.18.amzn1" version="2.2.21">
<filename>Packages/mod_ssl-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd-tools" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd-devel" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="noarch" epoch="0" name="httpd-manual" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-manual-2.2.21-1.18.amzn1.noarch.rpm</filename>
</package>
</collection>
</pkglist>
</update>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS-2011-2</id>
<title>Amazon Linux - ALAS-2011-2: important priority package update for cyrus-imapd</title>
<issued date="2011-10-10 22:29" />
<updated date="2014-09-14 14:25" />
<severity>important</severity>
<description>
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3208:
Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command.
A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user.
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208" id="CVE-2011-3208" title="" type="cve" />
<reference href="https://rhn.redhat.com/errata/RHSA-2011:1317.html" id="RHSA-2011:1317" title="" type="redhat" />
</references>
<pkglist>
<collection short="amazon-linux">
<name>Amazon Linux</name>
<package arch="i686" epoch="0" name="cyrus-imapd-debuginfo" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="cyrus-imapd-utils" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="cyrus-imapd-devel" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="cyrus-imapd" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd-debuginfo" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd-devel" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd-utils" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
</collection>
</pkglist>
</update>
</updates>

View File

@ -0,0 +1 @@
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2017-5754: 1519781: CVE-2017-5754 hw: cpu: speculative execution permission faults handling An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. CVE-2017-5715: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. 1519780: CVE-2017-5715 hw: cpu: speculative execution branch target injection

View File

@ -0,0 +1 @@
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2017-5715: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. 1519780: CVE-2017-5715 hw: cpu: speculative execution branch target injection

View File

@ -0,0 +1,104 @@
<?xml version="1.0" ?>
<updates>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS2-2018-939</id>
<title>Amazon Linux 2 2017.12 - ALAS2-2018-939: critical priority package update for kernel</title>
<issued date="2018-01-11 21:05" />
<updated date="2018-01-16 01:28" />
<severity>critical</severity>
<description>
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2017-5754:
1519781:
CVE-2017-5754 hw: cpu: speculative execution permission faults handling
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&amp;#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754" id="CVE-2017-5754" title="" type="cve" />
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" id="CVE-2017-5715" title="" type="cve" />
</references>
<pkglist>
<collection short="amazon-linux-2">
<name>Amazon Linux 2</name>
<package arch="x86_64" epoch="0" name="kernel" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-headers" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-headers-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-debuginfo-common-x86_64-4.9.76-38.79.amzn2.x86_64.rpm</filename></package>
<package arch="x86_64" epoch="0" name="perf" release="38.79.amzn2" version="4.9.76">
<filename>Packages/perf-4.9.76-38.79.amzn2.x86_64.rpm</filename></package>
<package arch="x86_64" epoch="0" name="perf-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/perf-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="python-perf" release="38.79.amzn2" version="4.9.76">
<filename>Packages/python-perf-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="python-perf-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/python-perf-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-tools" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-tools-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-tools-devel" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-tools-devel-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-tools-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-devel" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-devel-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="noarch" epoch="0" name="kernel-doc" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-doc-4.9.76-38.79.amzn2.noarch.rpm</filename>
</package>
</collection>
</pkglist>
</update>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS2-2018-942</id>
<title>Amazon Linux 2 2017.12 - ALAS2-2018-942: important priority package update for qemu-kvm</title>
<issued date="2018-02-07 18:49" /><updated date="2018-02-08 21:46" />
<severity>important</severity>
<description>
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&amp;#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" id="CVE-2017-5715" title="" type="cve" />
</references>
<pkglist>
<collection short="amazon-linux-2">
<name>Amazon Linux 2</name>
<package arch="x86_64" epoch="10" name="qemu-kvm" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-img" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-img-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-kvm-common" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-common-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-kvm-tools" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-tools-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-debuginfo-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
</collection>
</pkglist>
</update>
</updates>

View File

@ -0,0 +1,38 @@
// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package amzn
type UpdateInfo struct {
ALASList []ALAS `xml:"update"`
}
type ALAS struct {
Id string `xml:"id"`
Updated Updated `xml:"updated"`
Severity string `xml:"severity"`
Description string `xml:"description"`
Packages []Package `xml:"pkglist>collection>package"`
}
type Updated struct {
Date string `xml:"date,attr"`
}
type Package struct {
Name string `xml:"name,attr"`
Epoch string `xml:"epoch,attr"`
Version string `xml:"version,attr"`
Release string `xml:"release,attr"`
}