Add updaters for Amazon Linux 2018.03 and Amazon Linux 2

We get vulnerabilities from ALAS (Amazon Linux Security Advisories) data, which is published as updateinfo.xml in the package repositories.
This commit is contained in:
Eric Sim 2018-12-11 14:39:08 -08:00
parent d79827690c
commit 8fb9097dbd
11 changed files with 811 additions and 0 deletions


@ -52,6 +52,7 @@ import (
_ "github.com/coreos/clair/ext/notification/webhook"
_ "github.com/coreos/clair/ext/vulnmdsrc/nvd"
_ "github.com/coreos/clair/ext/vulnsrc/alpine"
_ "github.com/coreos/clair/ext/vulnsrc/amzn"
_ "github.com/coreos/clair/ext/vulnsrc/debian"
_ "github.com/coreos/clair/ext/vulnsrc/oracle"
_ "github.com/coreos/clair/ext/vulnsrc/rhel"

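--- /dev/null
+++ b/ext/vulnsrc/amzn/amzn.go
@@ -0,0 +1,319 @@
+// Copyright 2017 clair authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// Package amzn implements a vulnerability source updater using
+// ALAS (Amazon Linux Security Advisories).
+package amzn
+import (
+"bufio"
+"compress/gzip"
+"encoding/xml"
+"io"
+"regexp"
+"strings"
+log "github.com/sirupsen/logrus"
+"github.com/coreos/clair/database"
+"github.com/coreos/clair/ext/versionfmt"
+"github.com/coreos/clair/ext/versionfmt/rpm"
+"github.com/coreos/clair/ext/vulnsrc"
+"github.com/coreos/clair/pkg/commonerr"
+"github.com/coreos/clair/pkg/httputil"
+)
+const (
+amazonLinux1Name = "Amazon Linux 2018.03"
+amazonLinux1Namespace = "amzn:2018.03"
+amazonLinux1UpdaterFlag = "amazonLinux1Updater"
+amazonLinux1MirrorListURI = "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list"
+amazonLinux2Name = "Amazon Linux 2"
+amazonLinux2Namespace = "amzn:2"
+amazonLinux2UpdaterFlag = "amazonLinux2Updater"
+amazonLinux2MirrorListURI = "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list"
+)
+type updater struct {
+Name string
+Namespace string
+UpdaterFlag string
+MirrorListURI string
+}
+func init() {
+// Register updater for Amazon Linux 2018.03.
+amazonLinux1Updater := updater {
+Name: amazonLinux1Name,
+Namespace: amazonLinux1Namespace,
+UpdaterFlag: amazonLinux1UpdaterFlag,
+MirrorListURI: amazonLinux1MirrorListURI,
+}
+vulnsrc.RegisterUpdater("amzn", &amazonLinux1Updater)
+// Register updater for Amazon Linux 2.
+amazonLinux2Updater := updater {
+Name: amazonLinux2Name,
+Namespace: amazonLinux2Namespace,
+UpdaterFlag: amazonLinux2UpdaterFlag,
+MirrorListURI: amazonLinux2MirrorListURI,
+}
+vulnsrc.RegisterUpdater("amzn2", &amazonLinux2Updater)
+}
+func (u *updater) Update(datastore database.Datastore) (response vulnsrc.UpdateResponse, err error) {
+log.WithField("package", u.Name).Info("Start fetching vulnerabilities")
+// Get the flag value (the timestamp of the latest ALAS of the previous update).
+flagValue, found, err := database.FindKeyValueAndRollback(datastore, u.UpdaterFlag)
+if err != nil {
+return response, err
+}
+if !found {
+flagValue = "";
+}
+var timestamp string
+// Get the ALASs from updateinfo.xml.gz from the repos.
+updateInfo, err := u.getUpdateInfo()
+if err != nil {
+return response, err
+}
+// Get the ALASs which were issued/updated since the previous update.
+var alasList []ALAS
+for _, alas := range updateInfo.ALASList {
+if compareTimestamp(alas.Updated.Date, flagValue) > 0 {
+alasList = append(alasList, alas)
+if compareTimestamp(alas.Updated.Date, timestamp) > 0 {
+timestamp = alas.Updated.Date
+}
+}
+}
+// Get the vulnerabilities.
+response.Vulnerabilities, err = u.alasListToVulnerabilities(alasList)
+if err != nil {
+return response, err
+}
+// Set the flag value.
+if timestamp != "" {
+response.FlagName = u.UpdaterFlag
+response.FlagValue = timestamp
+} else {
+log.WithField("package", u.Name).Debug("no update")
+}
+return response, err
+}
+func (u *updater) Clean() {
+}
+func (u *updater) getUpdateInfo() (updateInfo UpdateInfo, err error) {
+// Get the URI of updateinfo.xml.gz.
+updateInfoURI, err := u.getUpdateInfoURI()
+if err != nil {
+return updateInfo, err
+}
+// Download updateinfo.xml.gz.
+updateInfoResponse, err := httputil.GetWithUserAgent(updateInfoURI)
+if err != nil {
+log.WithError(err).Error("could not download updateinfo.xml.gz")
+return updateInfo, commonerr.ErrCouldNotDownload
+}
+defer updateInfoResponse.Body.Close()
+if !httputil.Status2xx(updateInfoResponse) {
+log.WithField("StatusCode", updateInfoResponse.StatusCode).Error("could not download updateinfo.xml.gz")
+return updateInfo, commonerr.ErrCouldNotDownload
+}
+// Decompress updateinfo.xml.gz.
+updateInfoXml, err := gzip.NewReader(updateInfoResponse.Body)
+if err != nil {
+log.WithError(err).Error("could not decompress updateinfo.xml.gz")
+return updateInfo, commonerr.ErrCouldNotDownload
+}
+defer updateInfoXml.Close()
+// Decode updateinfo.xml.
+updateInfo, err = decodeUpdateInfo(updateInfoXml)
+if err != nil {
+log.WithError(err).Error("could not decode updateinfo.xml")
+return updateInfo, err
+}
+return
+}
+func (u *updater) getUpdateInfoURI() (updateInfoURI string, err error) {
+// Download mirror.list
+mirrorListResponse, err := httputil.GetWithUserAgent(u.MirrorListURI)
+if err != nil {
+log.WithError(err).Error("could not download mirror list")
+return updateInfoURI, commonerr.ErrCouldNotDownload
+}
+defer mirrorListResponse.Body.Close()
+// Parse the URI of the first mirror.
+scanner := bufio.NewScanner(mirrorListResponse.Body)
+success := scanner.Scan()
+if success != true {
+log.WithError(err).Error("could not parse mirror list")
+}
+mirrorURI := scanner.Text()
+// Download repomd.xml.
+repoMdURI := mirrorURI + "/repodata/repomd.xml"
+repoMdResponse, err := httputil.GetWithUserAgent(repoMdURI)
+if err != nil {
+log.WithError(err).Error("could not download repomd.xml")
+return updateInfoURI, commonerr.ErrCouldNotDownload
+}
+defer repoMdResponse.Body.Close()
+// Decode repomd.xml.
+var repoMd RepoMd
+err = xml.NewDecoder(repoMdResponse.Body).Decode(&repoMd)
+if err != nil {
+log.WithError(err).Error("could not decode repomd.xml")
+return updateInfoURI, commonerr.ErrCouldNotDownload
+}
+// Parse the URI of updateinfo.xml.gz.
+for _, repo := range repoMd.RepoList {
+if repo.Type == "updateinfo" {
+updateInfoURI = mirrorURI + "/" + repo.Location.Href
+break
+}
+}
+if updateInfoURI == "" {
+log.Error("could not find updateinfo in repomd.xml")
+return updateInfoURI, commonerr.ErrCouldNotDownload
+}
+return
+}
+func decodeUpdateInfo(updateInfoReader io.Reader) (updateInfo UpdateInfo, err error) {
+err = xml.NewDecoder(updateInfoReader).Decode(&updateInfo)
+if err != nil {
+return updateInfo, err
+}
+return
+}
+func (u *updater) alasListToVulnerabilities(alasList []ALAS) (vulnerabilities []database.VulnerabilityWithAffected, err error) {
+for _, alas := range alasList {
+featureVersions := u.alasToFeatureVersions(alas)
+if len(featureVersions) > 0 {
+vulnerability := database.VulnerabilityWithAffected{
+Vulnerability: database.Vulnerability{
+Name: u.alasToName(alas),
+Link: u.alasToLink(alas),
+Severity: u.alasToSeverity(alas),
+Description: u.alasToDescription(alas),
+},
+Affected: featureVersions,
+}
+vulnerabilities = append(vulnerabilities, vulnerability)
+}
+}
+return
+}
+func (u *updater) alasToName(alas ALAS) string {
+return alas.Id
+}
+func (u *updater) alasToLink(alas ALAS) string {
+if u.Name == amazonLinux1Name {
+return "https://alas.aws.amazon.com/" + alas.Id + ".html"
+}
+// "ALAS2-2018-1097" becomes "https://alas.aws.amazon.com/AL2/ALAS-2018-1097.html".
+re := regexp.MustCompile(`^ALAS2-(.+)$`)
+return "https://alas.aws.amazon.com/AL2/ALAS-" + re.FindStringSubmatch(alas.Id)[1] + ".html"
+}
+func (u *updater) alasToSeverity(alas ALAS) database.Severity {
+switch alas.Severity {
+case "low":
+return database.LowSeverity
+case "medium":
+return database.MediumSeverity
+case "important":
+return database.HighSeverity
+case "critical":
+return database.CriticalSeverity
+default:
+log.WithField("severity", alas.Severity).Warning("could not determine vulnerability severity")
+return database.UnknownSeverity
+}
+}
+func (u *updater) alasToDescription(alas ALAS) string {
+re := regexp.MustCompile(`\s+`)
+return re.ReplaceAllString(strings.TrimSpace(alas.Description), " ")
+}
+func (u *updater) alasToFeatureVersions(alas ALAS) (featureVersions []database.AffectedFeature) {
+for _, p := range alas.Packages {
+var version string
+if p.Epoch == "0" {
+version = p.Version + "-" + p.Release
+} else {
+version = p.Epoch + ":" + p.Version + "-" + p.Release
+}
+err := versionfmt.Valid(rpm.ParserName, version)
+if err != nil {
+log.WithError(err).WithField("version", version).Warning("could not parse package version. skipping")
+continue
+}
+var featureVersion database.AffectedFeature
+featureVersion.Namespace.Name = u.Namespace
+featureVersion.Namespace.VersionFormat = rpm.ParserName
+featureVersion.FeatureName = p.Name
+featureVersion.AffectedVersion = version
+if version != versionfmt.MaxVersion {
+featureVersion.FixedInVersion = version
+}
+featureVersion.AffectedType = database.AffectBinaryPackage
+featureVersions = append(featureVersions, featureVersion)
+}
+return
+}
+func compareTimestamp(date0 string, date1 string) int {
+// format: YYYY-MM-DD hh:mm
+if date0 < date1 {
+return -1
+} else if date0 > date1 {
+return 1
+} else {
+return 0
+}
+}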
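Review bot: In getUpdateInfoURI a failed `scanner.Scan()` is only logged and execution continues with an empty `mirrorURI`, so the next request is sent to the relative path `/repodata/repomd.xml`, and the log line wraps `err` (still nil at that point) instead of `scanner.Err()`; replace the check with `if !scanner.Scan() { log.WithError(scanner.Err()).Error("could not parse mirror list"); return updateInfoURI, commonerr.ErrCouldNotDownload }`. Separately, alasToLink indexes `re.FindStringSubmatch(alas.Id)[1]` without testing for a match, so an advisory id in the remotely fetched feed that does not start with `ALAS2-` panics the whole updater; check `len(m) == 2` and fall back to the plain `https://alas.aws.amazon.com/` + id link, and hoist that `MustCompile` and the one in alasToDescription to package scope so they are not recompiled per advisory. Finally, the 2018.03 mirror list is fetched over plain `http://` and the mirror URI read from it is used verbatim for repomd.xml and updateinfo.xml.gz with no integrity check, so anyone on the network path can alter or silently drop advisories that Clair then reports as absent; prefer an https mirror list where one is offered, reject mirror URIs without an https scheme, and verify the downloaded updateinfo against the checksum that repomd.xml data entries normally carry.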


@ -0,0 +1,213 @@
// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package amzn
import (
"io/ioutil"
"os"
"path/filepath"
"runtime"
"testing"
"github.com/coreos/clair/database"
"github.com/coreos/clair/ext/versionfmt/rpm"
"github.com/stretchr/testify/assert"
)
func TestAmazonLinux1(t *testing.T) {
amazonLinux1Updater := updater{
Name: "Amazon Linux 2018.03",
Namespace: "amzn:2018.03",
UpdaterFlag: "amazonLinux1Updater",
MirrorListURI: "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list",
}
_, filename, _, _ := runtime.Caller(0)
path := filepath.Join(filepath.Dir(filename))
expectedDescription0Bytes, err := ioutil.ReadFile(path + "/testdata/amazon_linux_1_description_0.txt")
expectedDescription0 := string(expectedDescription0Bytes)
expectedDescription1Bytes, _ := ioutil.ReadFile(path + "/testdata/amazon_linux_1_description_1.txt")
expectedDescription1 := string(expectedDescription1Bytes)
updateInfoXml, _ := os.Open(path + "/testdata/amazon_linux_1_updateinfo.xml")
defer updateInfoXml.Close()
updateInfo, err := decodeUpdateInfo(updateInfoXml)
assert.Nil(t, err)
vulnerabilities, err := amazonLinux1Updater.alasListToVulnerabilities(updateInfo.ALASList)
assert.Nil(t, err)
assert.Equal(t, "ALAS-2011-1", vulnerabilities[0].Name)
assert.Equal(t, "https://alas.aws.amazon.com/ALAS-2011-1.html", vulnerabilities[0].Link)
assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
assert.Equal(t, expectedDescription0, vulnerabilities[0].Description)
assert.Equal(t, 11, len(vulnerabilities[0].Affected))
expectedFeatureVersions0 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "httpd-devel",
AffectedVersion: "2.2.21-1.18.amzn1",
FixedInVersion: "2.2.21-1.18.amzn1",
AffectedType: database.AffectBinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "httpd-debuginfo",
AffectedVersion: "2.2.21-1.18.amzn1",
FixedInVersion: "2.2.21-1.18.amzn1",
AffectedType: database.AffectBinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions0 {
assert.Contains(t, vulnerabilities[0].Affected, expectedFeatureVersion)
}
assert.Equal(t, "ALAS-2011-2", vulnerabilities[1].Name)
assert.Equal(t, "https://alas.aws.amazon.com/ALAS-2011-2.html", vulnerabilities[1].Link)
assert.Equal(t, database.HighSeverity, vulnerabilities[1].Severity)
assert.Equal(t, expectedDescription1, vulnerabilities[1].Description)
assert.Equal(t, 8, len(vulnerabilities[1].Affected))
expectedFeatureVersions1 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "cyrus-imapd-debuginfo",
AffectedVersion: "2.3.16-6.4.amzn1",
FixedInVersion: "2.3.16-6.4.amzn1",
AffectedType: database.AffectBinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2018.03",
VersionFormat: rpm.ParserName,
},
FeatureName: "cyrus-imapd-utils",
AffectedVersion: "2.3.16-6.4.amzn1",
FixedInVersion: "2.3.16-6.4.amzn1",
AffectedType: database.AffectBinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions1 {
assert.Contains(t, vulnerabilities[1].Affected, expectedFeatureVersion)
}
}
func TestAmazonLinux2(t *testing.T) {
amazonLinux2Updater := updater {
Name: "Amazon Linux 2",
Namespace: "amzn:2",
UpdaterFlag: "amazonLinux2Updater",
MirrorListURI: "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list",
}
_, filename, _, _ := runtime.Caller(0)
path := filepath.Join(filepath.Dir(filename))
description0Bytes, _ := ioutil.ReadFile(path + "/testdata/amazon_linux_2_description_0.txt")
expectedDescription0 := string(description0Bytes)
description1Bytes, _ := ioutil.ReadFile(path + "/testdata/amazon_linux_2_description_1.txt")
expectedDescription1 := string(description1Bytes)
updateInfoXml, _ := os.Open(path + "/testdata/amazon_linux_2_updateinfo.xml")
defer updateInfoXml.Close()
updateInfo, err := decodeUpdateInfo(updateInfoXml)
assert.Nil(t, err)
vulnerabilities, err := amazonLinux2Updater.alasListToVulnerabilities(updateInfo.ALASList)
assert.Nil(t, err)
assert.Equal(t, "ALAS2-2018-939", vulnerabilities[0].Name)
assert.Equal(t, "https://alas.aws.amazon.com/AL2/ALAS-2018-939.html", vulnerabilities[0].Link)
assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity)
assert.Equal(t, expectedDescription0, vulnerabilities[0].Description)
assert.Equal(t, 13, len(vulnerabilities[0].Affected))
expectedFeatureVersions0 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "kernel",
AffectedVersion: "4.9.76-38.79.amzn2",
FixedInVersion: "4.9.76-38.79.amzn2",
AffectedType: database.AffectBinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "kernel-headers",
AffectedVersion: "4.9.76-38.79.amzn2",
FixedInVersion: "4.9.76-38.79.amzn2",
AffectedType: database.AffectBinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions0 {
assert.Contains(t, vulnerabilities[0].Affected, expectedFeatureVersion)
}
assert.Equal(t, "ALAS2-2018-942", vulnerabilities[1].Name)
assert.Equal(t, "https://alas.aws.amazon.com/AL2/ALAS-2018-942.html", vulnerabilities[1].Link)
assert.Equal(t, database.HighSeverity, vulnerabilities[1].Severity)
assert.Equal(t, expectedDescription1, vulnerabilities[1].Description)
assert.Equal(t, 5, len(vulnerabilities[1].Affected))
expectedFeatureVersions1 := []database.AffectedFeature{
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "qemu-kvm",
AffectedVersion: "10:1.5.3-141.amzn2.5.3",
FixedInVersion: "10:1.5.3-141.amzn2.5.3",
AffectedType: database.AffectBinaryPackage,
},
{
Namespace: database.Namespace{
Name: "amzn:2",
VersionFormat: rpm.ParserName,
},
FeatureName: "qemu-img",
AffectedVersion: "10:1.5.3-141.amzn2.5.3",
FixedInVersion: "10:1.5.3-141.amzn2.5.3",
AffectedType: database.AffectBinaryPackage,
},
}
for _, expectedFeatureVersion := range expectedFeatureVersions1 {
assert.Contains(t, vulnerabilities[1].Affected, expectedFeatureVersion)
}
}
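Review bot: The fixture-loading errors in TestAmazonLinux1 and TestAmazonLinux2 are discarded — the first `ioutil.ReadFile` assigns `err` but it is never checked before `decodeUpdateInfo` overwrites it, and the remaining ReadFile and `os.Open` calls use `_` — so a missing or misnamed testdata file surfaces later as an index-out-of-range panic on `vulnerabilities[0]` instead of a clear failure. Check each with `if err != nil { t.Fatal(err) }` (or `assert.Nil(t, err)` as the rest of the test already does) and guard the indexing with `assert.Len(t, vulnerabilities, 2)` before dereferencing. `filepath.Join(filepath.Dir(filename))` with a single argument is a no-op; `filepath.Join(filepath.Dir(filename), "testdata", "amazon_linux_1_updateinfo.xml")` builds each path in one step and avoids the hand-written `"/"` separators.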


@ -0,0 +1,28 @@
// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package amzn
type RepoMd struct {
RepoList []Repo `xml:"data"`
}
type Repo struct {
Type string `xml:"type,attr"`
Location Location `xml:"location"`
}
type Location struct {
Href string `xml:"href,attr"`
}
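Review bot: RepoMd, Repo and Location are exported but carry no doc comments, so a reader has to go to amzn.go to learn that they mirror the `<data type="..."><location href="..."/></data>` entries of repomd.xml and that Href is joined onto the mirror URI. Add `// RepoMd is the decoded form of a repository's repomd.xml; RepoList holds its <data> entries.`, `// Repo is one <data> entry of repomd.xml, identified by its type attribute (e.g. "updateinfo").` and `// Location is the href of a <data> entry, relative to the repository root.` above the respective types. Unless something outside this package needs them, the three types could also be unexported.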


@ -0,0 +1 @@
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities: CVE-2011-3192: A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.


@ -0,0 +1 @@
Package updates are available for Amazon Linux that fix the following vulnerabilities: CVE-2011-3208: Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command. A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user.


@ -0,0 +1,104 @@
<?xml version="1.0" ?>
<updates>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS-2011-1</id>
<title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
<issued date="2011-09-27 22:46" />
<updated date="2014-09-14 14:25" />
<severity>medium</severity>
<description>
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" id="CVE-2011-3192" title="" type="cve" />
<reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" id="RHSA-2011:1245" title="" type="redhat" />
</references>
<pkglist>
<collection short="amazon-linux-ami">
<name>Amazon Linux AMI</name>
<package arch="i686" epoch="0" name="httpd-devel" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="httpd-debuginfo" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="httpd" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="httpd-tools" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="1" name="mod_ssl" release="1.18.amzn1" version="2.2.21">
<filename>Packages/mod_ssl-2.2.21-1.18.amzn1.i686.rpm</filename>
</package>
<package arch="x86_64" epoch="1" name="mod_ssl" release="1.18.amzn1" version="2.2.21">
<filename>Packages/mod_ssl-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd-tools" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd-devel" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="httpd-debuginfo" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.x86_64.rpm</filename>
</package>
<package arch="noarch" epoch="0" name="httpd-manual" release="1.18.amzn1" version="2.2.21">
<filename>Packages/httpd-manual-2.2.21-1.18.amzn1.noarch.rpm</filename>
</package>
</collection>
</pkglist>
</update>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS-2011-2</id>
<title>Amazon Linux - ALAS-2011-2: important priority package update for cyrus-imapd</title>
<issued date="2011-10-10 22:29" />
<updated date="2014-09-14 14:25" />
<severity>important</severity>
<description>
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3208:
Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command.
A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user.
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208" id="CVE-2011-3208" title="" type="cve" />
<reference href="https://rhn.redhat.com/errata/RHSA-2011:1317.html" id="RHSA-2011:1317" title="" type="redhat" />
</references>
<pkglist>
<collection short="amazon-linux">
<name>Amazon Linux</name>
<package arch="i686" epoch="0" name="cyrus-imapd-debuginfo" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="cyrus-imapd-utils" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="cyrus-imapd-devel" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="i686" epoch="0" name="cyrus-imapd" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.i686.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd-debuginfo" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd-devel" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="cyrus-imapd-utils" release="6.4.amzn1" version="2.3.16">
<filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.x86_64.rpm</filename>
</package>
</collection>
</pkglist>
</update>
</updates>


@ -0,0 +1 @@
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2017-5754: 1519781: CVE-2017-5754 hw: cpu: speculative execution permission faults handling An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue. CVE-2017-5715: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). 
As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. 1519780: CVE-2017-5715 hw: cpu: speculative execution branch target injection


@ -0,0 +1 @@
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2017-5715: An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. 1519780: CVE-2017-5715 hw: cpu: speculative execution branch target injection


@ -0,0 +1,104 @@
<?xml version="1.0" ?>
<updates>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS2-2018-939</id>
<title>Amazon Linux 2 2017.12 - ALAS2-2018-939: critical priority package update for kernel</title>
<issued date="2018-01-11 21:05" />
<updated date="2018-01-16 01:28" />
<severity>critical</severity>
<description>
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2017-5754:
1519781:
CVE-2017-5754 hw: cpu: speculative execution permission faults handling
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&amp;#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754" id="CVE-2017-5754" title="" type="cve" />
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" id="CVE-2017-5715" title="" type="cve" />
</references>
<pkglist>
<collection short="amazon-linux-2">
<name>Amazon Linux 2</name>
<package arch="x86_64" epoch="0" name="kernel" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-headers" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-headers-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-debuginfo-common-x86_64" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-debuginfo-common-x86_64-4.9.76-38.79.amzn2.x86_64.rpm</filename></package>
<package arch="x86_64" epoch="0" name="perf" release="38.79.amzn2" version="4.9.76">
<filename>Packages/perf-4.9.76-38.79.amzn2.x86_64.rpm</filename></package>
<package arch="x86_64" epoch="0" name="perf-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/perf-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="python-perf" release="38.79.amzn2" version="4.9.76">
<filename>Packages/python-perf-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="python-perf-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/python-perf-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-tools" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-tools-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-tools-devel" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-tools-devel-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-tools-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-tools-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-devel" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-devel-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="0" name="kernel-debuginfo" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm</filename>
</package>
<package arch="noarch" epoch="0" name="kernel-doc" release="38.79.amzn2" version="4.9.76">
<filename>Packages/kernel-doc-4.9.76-38.79.amzn2.noarch.rpm</filename>
</package>
</collection>
</pkglist>
</update>
<update author="linux-security@amazon.com" from="linux-security@amazon.com" status="final" type="security" version="1.4">
<id>ALAS2-2018-942</id>
<title>Amazon Linux 2 2017.12 - ALAS2-2018-942: important priority package update for qemu-kvm</title>
<issued date="2018-02-07 18:49" /><updated date="2018-02-08 21:46" />
<severity>important</severity>
<description>
Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&amp;#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" id="CVE-2017-5715" title="" type="cve" />
</references>
<pkglist>
<collection short="amazon-linux-2">
<name>Amazon Linux 2</name>
<package arch="x86_64" epoch="10" name="qemu-kvm" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-img" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-img-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-kvm-common" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-common-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-kvm-tools" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-tools-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
<package arch="x86_64" epoch="10" name="qemu-kvm-debuginfo" release="141.amzn2.5.3" version="1.5.3">
<filename>Packages/qemu-kvm-debuginfo-1.5.3-141.amzn2.5.3.x86_64.rpm</filename>
</package>
</collection>
</pkglist>
</update>
</updates>


@ -0,0 +1,38 @@
// Copyright 2017 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package amzn
type UpdateInfo struct {
ALASList []ALAS `xml:"update"`
}
type ALAS struct {
Id string `xml:"id"`
Updated Updated `xml:"updated"`
Severity string `xml:"severity"`
Description string `xml:"description"`
Packages []Package `xml:"pkglist>collection>package"`
}
type Updated struct {
Date string `xml:"date,attr"`
}
type Package struct {
Name string `xml:"name,attr"`
Epoch string `xml:"epoch,attr"`
Version string `xml:"version,attr"`
Release string `xml:"release,attr"`
}
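Review bot: The exported types `UpdateInfo`, `ALAS`, `Updated` and `Package` have no doc comments, and the `Id` field on `ALAS` does not follow Go's initialism convention; it should read `ID string `xml:"id"``, which leaves the XML mapping untouched and only requires updating whatever in the updater reads that field (presumably `amzn.go`, outside this hunk). I would add one line per type, e.g. `// UpdateInfo is the root <updates> element of an ALAS updateinfo.xml document.`, `// ALAS is a single <update> advisory; Packages flattens pkglist>collection>package.`, `// Updated carries the advisory's last-modified date as the raw "date" attribute string.`, and `// Package is one affected RPM as name, epoch, version and release attributes.`. Note also that `Package` drops the `arch` attribute even though the fixture lists both `x86_64` and `noarch` entries for the same NEVR; if the updater never keys features by architecture that is fine, but a comment saying so would stop the next reader from wondering whether it was forgotten.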