Add Amazon Linux advisories
Fixes: #72

This PR adds an Amazon Linux importer.
@ziadhany Help me create the fixed version, as there are new packages provided here https://alas.aws.amazon.com/ALAS-2024-1943.html in the amazon_linux advisories URL, and help me handle the affected_packages part effectively.
- One more thing: should I include CVEs in the aliases as well, along with the ALAS id?
- From this URL, should I also consider including the Additional References in the references of my Advisory Data object?
@ambuj-1211
Steps to get the Structured Advisory
Mirror List for AL
- AL1 => http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list
- AL2 => https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list
- AL2022 => https://cdn.amazonlinux.com/al2022/core/mirrors/latest/x86_64/mirror.list
- AL2023 => https://cdn.amazonlinux.com/al2023/core/mirrors/latest/x86_64/mirror.list
Procedure:
- Visit the AL mirror list and get the mirror server URL.
- Append `/repodata/updateinfo.xml.gz` to the mirror server URL, and download the `updateinfo.xml.gz` file, which contains the structured security advisory as shown below.

```xml
<update status="final" version="1.4" author="[email protected]" type="security" from="[email protected]">
  <id>ALAS-2011-1</id>
  <title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
  <issued date="2011-09-27 22:46:00" />
  <updated date="2014-09-14 14:25:00" />
  <severity>medium</severity>
  <description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
  </description>
  <references>
    <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
    <reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
  </references>
  <pkglist>
    <collection short="amazon-linux-ami">
      <name>Amazon Linux AMI</name>
      <package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      <package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
        <filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
      </package>
      ...
    </collection>
  </pkglist>
</update>
```

> [!NOTE]
> This only contains the fixed package versions.
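The procedure above ends at a gzipped `updateinfo.xml`; the next step for an importer is to turn each `<update>` record into advisory fields. The following is an added example for this thread, not code from the PR or from the project: it builds the download URL from a mirror list body, parses a plain or gzipped feed, treats `type="cve"` references as aliases (one answer to the aliases question in the description), and records only fixed package versions, since, as the note says, the feed carries no affected versions. The sample XML is the ALAS-2011-1 record from the comment above, with a shortened description and two of its packages, wrapped in the `<updates>` root a real feed uses; that wrapping is constructed here.

```python
"""Parse an Amazon Linux updateinfo.xml feed into importer-ready fields.
Added example for this PR thread; not the project's own code."""
from __future__ import annotations

import gzip
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: the ALAS-2011-1 record from the thread, shortened
# description, two packages, wrapped in the <updates> root of a real feed.
SAMPLE_UPDATEINFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<updates>
  <update status="final" version="1.4" type="security">
    <id>ALAS-2011-1</id>
    <title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
    <issued date="2011-09-27 22:46:00" />
    <updated date="2014-09-14 14:25:00" />
    <severity>medium</severity>
    <description>Package updates are available for Amazon Linux AMI that fix CVE-2011-3192.</description>
    <references>
      <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
      <reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
    </references>
    <pkglist>
      <collection short="amazon-linux-ami">
        <name>Amazon Linux AMI</name>
        <package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
          <filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
        </package>
        <package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
          <filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
        </package>
      </collection>
    </pkglist>
  </update>
</updates>
"""
# What a mirror actually serves: the same document, gzip-compressed.
SAMPLE_UPDATEINFO_GZ = gzip.compress(SAMPLE_UPDATEINFO)


def updateinfo_url(mirror_list_text: str) -> str:
    """Take the first mirror from a mirror.list body and append the repodata path."""
    mirrors = [ln.strip() for ln in mirror_list_text.splitlines() if ln.strip()]
    if not mirrors:
        raise ValueError("mirror list is empty")
    return mirrors[0].rstrip("/") + "/repodata/updateinfo.xml.gz"


@dataclass
class FixedPackage:
    name: str
    epoch: str
    version: str
    release: str
    arch: str

    @property
    def evr(self) -> str:
        """RPM epoch:version-release; a zero epoch is conventionally omitted."""
        vr = f"{self.version}-{self.release}"
        return vr if self.epoch in ("", "0") else f"{self.epoch}:{vr}"


@dataclass
class Advisory:
    advisory_id: str
    severity: str
    summary: str
    aliases: list[str] = field(default_factory=list)      # CVE ids from references
    references: list[str] = field(default_factory=list)   # every reference href
    fixed_packages: list[FixedPackage] = field(default_factory=list)  # fixed only


def parse_updateinfo(data: bytes) -> list[Advisory]:
    """Parse a plain or gzipped updateinfo.xml into Advisory records."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    # For a feed you do not control, defusedxml.ElementTree is the safer parser.
    root = ET.fromstring(data)
    advisories: list[Advisory] = []
    for update in root.iter("update"):
        if update.get("type") != "security":  # feed also has bugfix/enhancement records
            continue
        adv = Advisory(
            advisory_id=update.findtext("id", "").strip(),
            severity=update.findtext("severity", "").strip().lower(),
            summary=update.findtext("title", "").strip(),
        )
        for ref in update.iterfind("./references/reference"):
            href = ref.get("href", "").strip()
            if href:
                adv.references.append(href)
            ref_id = ref.get("id", "").strip()
            if ref.get("type") == "cve" and ref_id and ref_id not in adv.aliases:
                adv.aliases.append(ref_id)
        for pkg in update.iterfind("./pkglist/collection/package"):
            adv.fixed_packages.append(FixedPackage(
                name=pkg.get("name", ""), epoch=pkg.get("epoch", "0"),
                version=pkg.get("version", ""), release=pkg.get("release", ""),
                arch=pkg.get("arch", ""),
            ))
        advisories.append(adv)
    return advisories
```

Run `parse_updateinfo(SAMPLE_UPDATEINFO_GZ)` to see the single ALAS-2011-1 advisory with `CVE-2011-3192` as its alias and `httpd`/`httpd-tools` at `2.2.21-1.18.amzn1`; the gzip check means the same function accepts the bytes returned straight from the mirror URL.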
@keshav-space So should I directly fetch the whole data from these files? And where can I get the license to use the data from here?
@ambuj-1211
> So should I directly fetch the whole data from these files?
You can, but if you already have a way to get the AL advisory data and it's working, then there's no need to change.
> And where can I get the license to use the data from here?
Not sure about the license yet. AL provides security and bug fixes to AL packages using updateinfo.xml, and they should be covered under the same license as AL? I'm not sure.
@ziadhany @TG1999 @keshav-space Not sure about the license, please help me with that.
@ambuj-1211
Please set the license to unknown, so we can either do more research or reach out to the API author directly to inquire about the data license.
@ziadhany @TG1999 please review this one and tell me the changes which I need to make.