From c60db4943cfb5666a3407bde28b79c0e6007b2f3 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Wed, 14 Dec 2022 15:51:51 -0500 Subject: [PATCH] port amazon provider Signed-off-by: Alex Goodman --- schema/vulnerability/os/schema-1.0.0.json | 1 - src/vunnel/cli/config.py | 1 + src/vunnel/providers/__init__.py | 3 +- src/vunnel/providers/amazon/__init__.py | 43 + src/vunnel/providers/amazon/parser.py | 274 +++++ src/vunnel/providers/github/__init__.py | 2 +- src/vunnel/utils/rpm.py | 243 +++++ tests/conftest.py | 12 +- tests/unit/providers/amazon/__init__.py | 0 .../input/2022_html/ALAS-2021-001 | 140 +++ .../amazon/test-fixtures/input/2022_rss.xml | 22 + .../test-fixtures/input/2_html/ALAS-2018-939 | 133 +++ .../amazon/test-fixtures/input/2_rss.xml | 22 + .../providers/amazon/test-fixtures/mock_html | 100 ++ .../providers/amazon/test-fixtures/mock_rss | 982 ++++++++++++++++++ tests/unit/providers/amazon/test_amazon.py | 97 ++ .../github/{test_parser.py => test_github.py} | 20 +- 17 files changed, 2080 insertions(+), 15 deletions(-) create mode 100644 src/vunnel/providers/amazon/__init__.py create mode 100644 src/vunnel/providers/amazon/parser.py create mode 100644 src/vunnel/utils/rpm.py create mode 100644 tests/unit/providers/amazon/__init__.py create mode 100644 tests/unit/providers/amazon/test-fixtures/input/2022_html/ALAS-2021-001 create mode 100644 tests/unit/providers/amazon/test-fixtures/input/2022_rss.xml create mode 100644 tests/unit/providers/amazon/test-fixtures/input/2_html/ALAS-2018-939 create mode 100644 tests/unit/providers/amazon/test-fixtures/input/2_rss.xml create mode 100644 tests/unit/providers/amazon/test-fixtures/mock_html create mode 100644 tests/unit/providers/amazon/test-fixtures/mock_rss create mode 100644 tests/unit/providers/amazon/test_amazon.py rename tests/unit/providers/github/{test_parser.py => test_github.py} (100%) 
diff --git a/schema/vulnerability/os/schema-1.0.0.json b/schema/vulnerability/os/schema-1.0.0.json index a51dbeab..919feb9b 100644 --- a/schema/vulnerability/os/schema-1.0.0.json +++ b/schema/vulnerability/os/schema-1.0.0.json @@ -141,7 +141,6 @@ } }, "required": [ - "CVSS", "Description", "FixedIn", "Link", diff --git a/src/vunnel/cli/config.py b/src/vunnel/cli/config.py index 7eceff73..b608fe6b 100644 --- a/src/vunnel/cli/config.py +++ b/src/vunnel/cli/config.py @@ -10,6 +10,7 @@ @dataclass class Providers: alpine: providers.alpine.Config = field(default_factory=providers.alpine.Config) + amazon: providers.amazon.Config = field(default_factory=providers.amazon.Config) centos: providers.centos.Config = field(default_factory=providers.centos.Config) nvd: providers.nvd.Config = field(default_factory=providers.nvd.Config) github: providers.github.Config = field(default_factory=providers.github.Config) diff --git a/src/vunnel/providers/__init__.py b/src/vunnel/providers/__init__.py index b1330c9c..4090ac16 100644 --- a/src/vunnel/providers/__init__.py +++ b/src/vunnel/providers/__init__.py @@ -1,7 +1,8 @@ -from vunnel.providers import alpine, centos, github, nvd +from vunnel.providers import alpine, amazon, centos, github, nvd _providers = { alpine.Provider.name: alpine.Provider, + amazon.Provider.name: amazon.Provider, centos.Provider.name: centos.Provider, nvd.Provider.name: nvd.Provider, github.Provider.name: github.Provider, diff --git a/src/vunnel/providers/amazon/__init__.py b/src/vunnel/providers/amazon/__init__.py new file mode 100644 index 00000000..40bcc15f --- /dev/null +++ b/src/vunnel/providers/amazon/__init__.py 
@@ -0,0 +1,43 @@ +from dataclasses import dataclass, field + +from vunnel import provider, schema + +from .parser import Parser, amazon_security_advisories + + +@dataclass +class Config: + security_advisories: dict[str, str] = field(default_factory=lambda: amazon_security_advisories) + runtime: provider.RuntimeConfig = field( + default_factory=lambda: provider.RuntimeConfig(existing_input=provider.InputStatePolicy.KEEP) + ) + request_timeout: int = 125 + + +class Provider(provider.Provider): + name = "amazon" + + def __init__(self, root: str, config: Config): + super().__init__(root, runtime_cfg=config.runtime) + self.config = config + + self.logger.debug(f"config: {config}") + + self.schema = schema.OSSchema() + self.parser = Parser( + workspace=self.input, + security_advisories=config.security_advisories, + download_timeout=config.request_timeout, + logger=self.logger, + ) + + def update(self) -> list[str]: + with self.results_writer() as writer: + for vuln in self.parser.get(skip_if_exists=self.config.runtime.skip_if_exists): + writer.write( + identifier=f"{vuln.NamespaceName}-{vuln.Name}".lower(), + schema=self.schema, + payload={"Vulnerability": vuln.json()}, + ) + + return self.parser.urls diff --git a/src/vunnel/providers/amazon/parser.py b/src/vunnel/providers/amazon/parser.py new file mode 100644 index 00000000..6ee0faaf --- /dev/null +++ b/src/vunnel/providers/amazon/parser.py 
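Review bot: `Config.security_advisories` defaults to the module-level `amazon_security_advisories` dict itself (`default_factory=lambda: amazon_security_advisories`), so every `Config` — and the `Parser.version_url_map` built from it — aliases one shared mutable object, and any in-place update to one config's advisory map silently becomes the default for every later instance. Returning a copy keeps the dataclass default isolated: `security_advisories: dict[str, str] = field(default_factory=lambda: dict(amazon_security_advisories))`. `update()` also reads `self.config.runtime.skip_if_exists`, while the runtime config is constructed here only with `existing_input=...`; it is worth confirming that attribute exists on `provider.RuntimeConfig` rather than discovering it at the first `vunnel run amazon`.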
@@ -0,0 +1,274 @@ +import logging +import os +import re +import xml.etree.ElementTree as ET +from collections import namedtuple +from html.parser import HTMLParser + +import requests + +from vunnel.utils import rpm + +namespace = "amzn" + +AlasSummary = namedtuple("AlasSummary", ["id", "url", "sev", "cves"]) +AlasFixedIn = namedtuple("AlasFixedIn", ["pkg", "ver"]) + +amazon_security_advisories = { + # '1': 'https://alas.aws.amazon.com/alas.rss', + "2": "https://alas.aws.amazon.com/AL2/alas.rss", + "2022": "https://alas.aws.amazon.com/AL2022/alas.rss", +} + +severity_map = { + "low": "Low", + "medium": "Medium", + "important": "High", + "critical": "Critical", +} + + +class Parser: + _title_pattern_ = re.compile(r"([^\s]+)\s+\(([^\)]+)\):.*") + _whitespace_pattern_ = re.compile(r"\s") + _rss_file_name_ = "{}_rss.xml" + _html_dir_name_ = "{}_html" + + def __init__(self, workspace, download_timeout=125, security_advisories=None, logger=None): + self.workspace = workspace + self.version_url_map = security_advisories if security_advisories else amazon_security_advisories + self.download_timeout = download_timeout + self.urls = [] + + if not logger: + logger = logging.getLogger(self.__class__.__name__) + self.logger = logger + + def _download_rss(self, rss_url, rss_file, skip_if_exists=False): + if skip_if_exists and os.path.exists(rss_file): + self.logger.debug(f"'skip_if_exists' flag enabled and found {rss_file}. 
Skipping download") + else: + try: + self.logger.info(f"downloading amazon security advisory from {rss_url}") + self.urls.append(rss_url) + r = requests.get(rss_url, timeout=self.download_timeout) + if r.status_code == 200: + with open(rss_file, "w", encoding="utf-8") as fp: + fp.write(r.text) + else: + raise Exception(f"GET {rss_url} failed with HTTP error {r.status_code}") + except Exception: + self.logger.exception("error downloading amazon linux vulnerability feeds") + raise + + def _parse_rss(self, file_path): + self.logger.debug(f"parsing RSS data from {file_path}") + alas_summaries = [] + + processing = False + for event, element in ET.iterparse(file_path, events=("start", "end")): + if event == "start" and element.tag == "item": + processing = True + elif processing and event == "end": + if element.tag == "title": + found = re.search(self._title_pattern_, element.text.strip()) + alas_id = found.group(1) + sev = found.group(2) + elif element.tag == "description": + desc_str = element.text.strip() + if desc_str: + cves = re.sub(self._whitespace_pattern_, "", desc_str).split(",") + else: + cves = [] + elif element.tag == "link": + url = element.text.strip() + elif element.tag == "item": + alas_summaries.append(AlasSummary(id=alas_id, url=url, sev=sev, cves=cves)) + processing = False + + # clear the element if its not being processed + if not processing and event == "end": + element.clear() + + return alas_summaries + + def _get_alas_html(self, alas_url, alas_file, skip_if_exists=True): + if skip_if_exists and os.path.exists(alas_file): # read alas from disk if its available + self.logger.debug(f"loading ALAS from {alas_file}") + with open(alas_file, "r", encoding="utf-8") as fp: + content = fp.read() + return content + + try: + self.logger.debug(f"downloading ALAS from {alas_url}") + r = requests.get(alas_url, timeout=self.download_timeout) + if r.status_code == 200: + content = r.text + with open(alas_file, "w", encoding="utf-8") as fp: + fp.write(content) + 
return content + raise Exception(f"GET {alas_url} failed with HTTP error {r.status_code}") + except Exception: + self.logger.exception(f"error downloading data from {alas_url}") + raise + + @staticmethod + def get_package_name_version(pkg): + if not pkg or not isinstance(pkg, str): + raise ValueError(f"Invalid package name: {pkg}") + + if not pkg.endswith(".rpm"): + pkg = pkg + ".rpm" + + name, version, release, epoch, arch = rpm.split_rpm_filename(pkg) # pylint: disable=unused-variable + + if release: + return AlasFixedIn(pkg=name, ver=(version + "-" + release)) + return AlasFixedIn(pkg=name, ver=version) + + def get(self, skip_if_exists=False): + for version, url in self.version_url_map.items(): + rss_file = os.path.join(self.workspace, self._rss_file_name_.format(version)) + html_dir = os.path.join(self.workspace, self._html_dir_name_.format(version)) + + self._download_rss(url, rss_file, skip_if_exists) + + # parse rss for alas summaries + alas_summaries = self._parse_rss(rss_file) + + # setup directory for alas htmls + if not os.path.exists(html_dir): + self.logger.debug("initializing workspace for ALAS files") + os.makedirs(html_dir) + + # iterate through list of alas summaries + for alas in alas_summaries: + # download alas html content + alas_file = os.path.join(html_dir, alas.id) + html_content = self._get_alas_html(alas.url, alas_file) + + # parse alas html for fixes + parser = PackagesHTMLParser() + parser.feed(html_content) + + # split the package name and version of the fixed in packages and construct a set + fixed_in = {self.get_package_name_version(pkg_name) for pkg_name in parser.fixes} + + # construct a vulnerability object and yield it + yield map_to_vulnerability(version, alas, fixed_in) + + +class JsonifierMixin: + def json(self): + jsonified = {} + for k, v in vars(self).items(): + if not k[0] == "_": + if isinstance(v, (list, set)): + jsonified[k] = [x.json() if hasattr(x, "json") and callable(x.json) else x for x in v] + elif isinstance(v, 
dict): + jsonified[k] = {x: y.json() if hasattr(y, "json") and callable(y.json) else y for x, y in v.items()} + else: + if hasattr(v, "json"): + jsonified[k] = v.json() + else: + jsonified[k] = v + return jsonified + + +class Vulnerability(JsonifierMixin): + """ + Class representing the record to be returned. Uses strange capitalization + to be backwards compatible in the json output with previous version of feed data. + """ + + def __init__(self): + self.Name = None + self.NamespaceName = None + self.Description = "" + self.Severity = None + self.Metadata = None + self.Link = None + self.FixedIn = [] + + +class FixedIn(JsonifierMixin): + """ + Class representing a fix record for return back to the service from the driver. The semantics of the version are: + "None" -> Package is vulnerable and no fix available yet + ! "None" -> Version of package with a fix for a vulnerability. Assume all older versions of the package are vulnerable. + + """ + + def __init__(self): + self.Name = None + self.NamespaceName = None + self.VersionFormat = None + self.Version = None + + +class PackagesHTMLParser(HTMLParser): + _new_packages_tuple_ = ("id", "new_packages") + _arch_list_ = ["x86_64:", "noarch:", "src:"] + + def __init__(self): + self.fixes = [] + self.fix_tag = None + self.fix_hit = False + self.arch_hit = False + super().__init__() + + def handle_starttag(self, tag, attrs): + if attrs and self._new_packages_tuple_ in attrs: + # print('Encountered element with ID new_packages, start tag: {}'.format(tag)) + self.fix_hit = True + self.fix_tag = tag + # else: + # print('Ignoring start tag: {}'.format(tag)) + + def handle_endtag(self, tag): + if self.fix_hit and self.fix_tag == tag: + # print('Encountered end tag for element with ID new_packages') + self.fix_hit = False + self.arch_hit = False + # else: + # print('Ignoring end tag: {}'.format(tag)) + + def handle_data(self, data): + data = data.strip() + + if self.fix_hit and data: + if data in self._arch_list_: # check if its 
a relevant arch + # print('Found relevant arch: "{}"'.format(data)) + self.arch_hit = True + elif data.endswith(":"): # Using i686: or src: as an indicator for end of processing + # if data != 'New Packages:': + # logger.debug('Ignoring irrelevant arch or data: {}'.format(data)) + self.arch_hit = False + elif self.arch_hit: # check if its a relevant package + # print('Found relevant package: {}'.format(data)) + self.fixes.append(data) + + # else: + # print('Ignoring data: {}'.format(data.strip())) + + +def map_to_vulnerability(version, alas, fixed_in): + if not alas: + raise ValueError("Invalid reference to AlasSummary") + + v = Vulnerability() + v.Name = alas.id + v.NamespaceName = namespace + ":" + version + v.Description = "" + v.Severity = severity_map.get(alas.sev, "Unknown") + v.Metadata = {"CVE": alas.cves if alas.cves else []} + v.Link = alas.url + for item in fixed_in: + f = FixedIn() + f.Name = item.pkg + f.NamespaceName = v.NamespaceName + f.VersionFormat = "rpm" + f.Version = item.ver + v.FixedIn.append(f) + + return v diff --git a/src/vunnel/providers/github/__init__.py b/src/vunnel/providers/github/__init__.py index 6d8236fb..4809b648 100644 --- a/src/vunnel/providers/github/__init__.py +++ b/src/vunnel/providers/github/__init__.py @@ -43,7 +43,7 @@ def __init__(self, root: str, config: Config): workspace=self.input, token=config.token, api_url=config.api_url, - download_timeout=self.config.request_timeout, + download_timeout=config.request_timeout, logger=self.logger, ) diff --git a/src/vunnel/utils/rpm.py b/src/vunnel/utils/rpm.py new file mode 100644 index 00000000..4e608de9 --- /dev/null +++ b/src/vunnel/utils/rpm.py 
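Review bot: In `get()`, `alas_file = os.path.join(html_dir, alas.id)` builds a write path from the advisory id that `_parse_rss` scraped out of the RSS `<title>` with `_title_pattern_` (`([^\s]+)`), which accepts `/` and `..`; a malformed or tampered feed item can therefore make `_get_alas_html` write its body outside `html_dir`. Validate the id before it becomes a filename, e.g. right after `alas_id = found.group(1)`: `if alas_id != os.path.basename(alas_id) or alas_id in (".", ".."): raise ValueError(f"refusing unsafe ALAS id from feed title: {alas_id!r}")`. In the same loop, `found.group(1)` raises `AttributeError` when the title does not match, and `alas_id`, `sev`, `url` and `cves` are only assigned when the matching child element is present, so an item missing `<link>` or `<description>` silently reuses the previous item's values rather than failing; resetting them to `None` on the `item` start event and rejecting a summary with a missing field would make that explicit.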
@@ -0,0 +1,243 @@ +""" +RPM utilities with no binary dependencies on rpm or rpmUtil. + +""" + + +def parse_version(rpm_version): + """ + Return a tuple from the given version string. + + :param rpm_version: + :return: + """ + return rpm_version.split("-") + + +def split_rpm_filename(rpm_filename): + """ + Parse the components of an rpm filename and return them as a tuple: (name, version, release, epoch, arch) + + foo-1.0-1.x86_64.rpm -> foo, 1.0, 1, '', x86_64 + 1:bar-9-123a.ia64.rpm -> bar, 9, 123a, 1, ia64 + + :param rpm_filename: a string filename (not path) of an rpm file + :returns: a tuple of the constituent parts compliant with RPM spec. + """ + + components = rpm_filename.rsplit(".rpm", 1)[0].rsplit(".", 1) + arch = components.pop() + + rel_comp = components[0].rsplit("-", 2) + release = rel_comp.pop() + + # Version + version = rel_comp.pop() + + # Epoch + epoch_comp = rel_comp[0].split(":", 1) if rel_comp else [] + if len(epoch_comp) == 1: + epoch = "" + name = epoch_comp[0] + elif len(epoch_comp) > 1: + epoch = epoch_comp[0] + name = epoch_comp[1] + else: + epoch = None + name = None + + return name, version, release, epoch, arch + + +def split_fullversion(version): + """ + Splits version string into a tuple (epoch, version, release). Inbound version string is specific to anchore engine's + implementation of versions and may not compliant with the rpm spec. + + Use this function for splitting versions already processed by anchore engine. For parsing info from rpm file name, use split_rpm_filename() + + '2.27-34.base.el7' -> (null, '2.27', '34.base.el7') + '1:2.27-34.base.el7' -> ('1', '2.27', '34.base.el7') + + :param version: Version string with or without an epoch prefix + :return: tuple (epoch, version, release). 
epoch is null if the inbound version does not contain epoch + """ + ver_comp = version.rsplit("-", 1) + + if len(ver_comp) > 1: + release = ver_comp.pop() + else: + release = None + + epoch_comp = ver_comp[0].split(":", 1) if ver_comp else [] + + if len(epoch_comp) == 1: + epoch = None + version = epoch_comp[0] + elif len(epoch_comp) > 1: + epoch = epoch_comp[0] + version = epoch_comp[1] + else: + epoch = None + version = None + + return ( + epoch, + version, + release, + ) + + +def compare_versions(ver_a, ver_b): + """ + Compare pkg and versions using anchore engine rules. Follows standard __cmp__ semantics of -1 iff a < b, 0 iff a == b, 1 iff a > b + + :param ver_a: + :param ver_b: + :return: + """ + if ver_a == ver_b: + return 0 + + (e1, v1, r1) = split_fullversion(ver_a) + (e2, v2, r2) = split_fullversion(ver_b) + + return compare_labels((e1, v1, r1), (e2, v2, r2)) + + +def compare_labels(evr_1, evr_2): + """ + Compare the EVR label tuples (epoch, version, release). + + :param evr_1: + :param evr_2: + :return: -1, 0, 1 is standard __cmp__ semantics + """ + epoch_1, ver_1, rel_1 = evr_1 + epoch_2, ver_2, rel_2 = evr_2 + + if epoch_1 is not None and epoch_2 is not None: # compare only when both epochs are available. 
ignore otherwise + if epoch_1 > epoch_2: + return 1 + if epoch_1 < epoch_2: + return -1 + + cmp_result = rpm_ver_cmp(ver_1, ver_2) + + if cmp_result != 0: + return cmp_result + + return rpm_ver_cmp(rel_1, rel_2) + + +# pylint: disable=no-else-return,too-many-return-statements,too-many-branches,unused-variable +def rpm_ver_cmp(a, b): + """ + A translation of the RPM lib's C code for version compare rpmvercmp in lib/rpmvercmp.c into pure python with + no external + + compare alpha and numeric segments of two versions + return 1: a is newer than b + 0: a and b are the same version + -1: b is newer than a + """ + if a is None: + a = "" + if b is None: + b = "" + + # Convert to a list of single chars + l_a = list(a.strip()) + l_b = list(b.strip()) + is_num = False + + # loop through each version segment of str1 and str2 and compare them + while l_a and l_b: + # Skip any whitespace preceding + while l_a and not l_a[0].isalnum(): + l_a.pop(0) + while l_b and not l_b[0].isalnum(): + l_b.pop(0) + + # If we ran to the end of either, we are finished with the loop + if not (l_a and l_b): + break + + # Get the next numeric or alpha segment to compare. Must get similar types from both strings. + # This is a greedy consumption from the src string. so l_a/l_b will be truncated from the front to + # construct the a/b_seg + is_num, a_seg = greedy_find_block(l_a) + b_is_num, b_seg = greedy_find_block(l_b, is_num) + + # this cannot happen, as we previously tested to make sure that + # the first string has a non-null segment + # if (one == str1) return -1; # arbitrary + if l_a == a_seg: + raise Exception("Encountered null segment in str. Unexpected") + # return -1 # Arbitrary per C impl + + # take care of the case where the two version segments are + # different types: one numeric, the other alpha (i.e. empty) + # numeric segments are always newer than alpha segments + # XXX See patch #60884 (and details) from bugzilla #50977. + # if (two == str2) return isnum ? 
1 : -1; + if l_b == b_seg: + return 1 if is_num else -1 + + a_seg = "".join(a_seg) + b_seg = "".join(b_seg) + + if is_num: + # Strip leading zeros since this is a numeric comparison + a_seg = a_seg.lstrip("0") + b_seg = b_seg.lstrip("0") + + # whichever number has more digits wins + if len(a_seg) > len(b_seg): + return 1 + elif len(a_seg) < len(b_seg): + return -1 + + # String compare of the segments, covers both numeric and non since they are same length if numeric + if a_seg > b_seg: + return 1 + elif a_seg < b_seg: + return -1 + + # this catches the case where all numeric and alpha segments have + # compared identically but the segment separating characters were + # different + + # zhill - note the original comparison: if ((!*one) && (!*two)) return 0; + if not l_a and not l_b: + return 0 + + # whichever version still has characters left over wins + if not l_a: + return -1 + return 1 + + +def greedy_find_block(list_str, expected_digit=None): + """ + Scan the string and return the substring, index, and type of the next block. + A block is defined as a contiguous set of numeric or alpha characters. The point at which the string + converts from one to another is the edge of the block. + + Will pop elements of the list to consume them during processing + + :param list_str: a string in list form: ['a', 'c', 'd', '1', '0', '.'] + :return: (bool, list) tuple, where bool is isdigit() for first char of string + """ + + # True for digits, false for alpha + chr_type = list_str[0].isdigit() + if expected_digit is not None and expected_digit != chr_type: + # An explicit type request and the head of this string doesn't match, so return the other type and an empty list + return expected_digit, [] + + result = [] + while list_str and chr_type == list_str[0].isdigit(): + result += list_str.pop(0) + + return chr_type, result diff --git a/tests/conftest.py b/tests/conftest.py index 847ba631..e27c2a9e 100644 --- a/tests/conftest.py +++ b/tests/conftest.py 
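Review bot: In `rpm_ver_cmp` the mixed-type check `if l_b == b_seg:` never fires for the case it is meant to catch, because `greedy_find_block` returns an empty `b_seg` when the head of `l_b` is of the other type while `l_b` itself is still non-empty; control falls through to `"a" > ""` and an alpha segment is judged newer than a numeric one, so `rpm_ver_cmp("1.0a", "1.0.1")` returns 1 where rpmvercmp returns -1. For fix detection that inverts pre-release-style comparisons (a vulnerable `2.0rc1` compares newer than the fixed `2.0.1`). The C condition `two == str2` means "nothing consumed", which in this port is `if not b_seg: return 1 if is_num else -1` (and, for symmetry, `if not a_seg:` on the raise just above it). Separately, `compare_labels` compares epochs as strings (`epoch_1 > epoch_2`), so epoch `"10"` sorts below `"2"`; compare them with `int(...)` since `split_fullversion` hands back the raw text.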
@@ -11,10 +11,18 @@ def __init__(self, root: str, name: str): self.root = root self.name = name + @property + def input_dir(self): + return self.root / self.name / "input" + + @property + def results_dir(self): + return self.root / self.name / "results" + def result_files(self): results = [] - for f in os.listdir(self.root / self.name / "results"): - results.append(self.root / self.name / "results" / f) + for f in os.listdir(self.results_dir): + results.append(self.results_dir / f) return results def num_result_entries(self): diff --git a/tests/unit/providers/amazon/__init__.py b/tests/unit/providers/amazon/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/tests/unit/providers/amazon/test-fixtures/input/2022_html/ALAS-2021-001 b/tests/unit/providers/amazon/test-fixtures/input/2022_html/ALAS-2021-001 new file mode 100644 index 00000000..2f519f3f --- /dev/null +++ b/tests/unit/providers/amazon/test-fixtures/input/2022_html/ALAS-2021-001 @@ -0,0 +1,140 @@ + + + + + ALAS2022-2021-001 + + + + + + + + + + + + + + + +
+ +
+
+
+

ALAS2022-2021-001

+
+ +
+
+ + + Amazon Linux 2022 Security Advisory: ALAS-2021-001 + +
+ Advisory Release Date: 2021-10-26 02:25 Pacific
+ Advisory Updated Date: 2021-10-27 00:24 Pacific
+ +
+ Severity: + + + + + + Medium
+
+ + + +
+
+ Issue Overview: +

A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3778)

A use-after-free vulnerability in vim could allow an attacker to input a specially crafted file leading to memory corruption and a potentially exploitable crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3796)

An out-of-bounds write flaw was found in vim's drawscreen.c win_redr_status() function. This flaw allows an attacker to trick a user to open a crafted file with specific arguments in vim, triggering an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-3872)

There's an out-of-bounds read flaw in Vim's ex_docmd.c. An attacker who is capable of tricking a user into opening a specially crafted file could trigger an out-of-bounds read on a memmove operation, potentially causing an impact to application availability. (CVE-2021-3875)

+
+ +
+
+ Affected Packages: +
+

vim

+
+ +
+
+ Issue Correction: +
Run yum update vim to update your system. +
+
+
+ New Packages:
aarch64:
    vim-X11-debuginfo-8.2.3512-1.amzn2022.aarch64
    vim-common-debuginfo-8.2.3512-1.amzn2022.aarch64
    vim-debuginfo-8.2.3512-1.amzn2022.aarch64
    vim-enhanced-debuginfo-8.2.3512-1.amzn2022.aarch64
    vim-enhanced-8.2.3512-1.amzn2022.aarch64
    vim-minimal-8.2.3512-1.amzn2022.aarch64
    vim-X11-8.2.3512-1.amzn2022.aarch64
    vim-minimal-debuginfo-8.2.3512-1.amzn2022.aarch64
    vim-debugsource-8.2.3512-1.amzn2022.aarch64
    vim-common-8.2.3512-1.amzn2022.aarch64

i686:
    vim-enhanced-debuginfo-8.2.3512-1.amzn2022.i686
    vim-X11-debuginfo-8.2.3512-1.amzn2022.i686
    vim-debugsource-8.2.3512-1.amzn2022.i686
    vim-common-8.2.3512-1.amzn2022.i686
    vim-X11-8.2.3512-1.amzn2022.i686
    vim-enhanced-8.2.3512-1.amzn2022.i686
    vim-minimal-debuginfo-8.2.3512-1.amzn2022.i686
    vim-minimal-8.2.3512-1.amzn2022.i686
    vim-debuginfo-8.2.3512-1.amzn2022.i686
    vim-common-debuginfo-8.2.3512-1.amzn2022.i686

noarch:
    vim-default-editor-8.2.3512-1.amzn2022.noarch
    vim-filesystem-8.2.3512-1.amzn2022.noarch

src:
    vim-8.2.3512-1.amzn2022.src

x86_64:
    vim-X11-debuginfo-8.2.3512-1.amzn2022.x86_64
    vim-common-debuginfo-8.2.3512-1.amzn2022.x86_64
    vim-debugsource-8.2.3512-1.amzn2022.x86_64
    vim-minimal-8.2.3512-1.amzn2022.x86_64
    vim-debuginfo-8.2.3512-1.amzn2022.x86_64
    vim-minimal-debuginfo-8.2.3512-1.amzn2022.x86_64
    vim-enhanced-8.2.3512-1.amzn2022.x86_64
    vim-enhanced-debuginfo-8.2.3512-1.amzn2022.x86_64
    vim-X11-8.2.3512-1.amzn2022.x86_64
    vim-common-8.2.3512-1.amzn2022.x86_64

+
+ +
+
+
+ + + + diff --git a/tests/unit/providers/amazon/test-fixtures/input/2022_rss.xml b/tests/unit/providers/amazon/test-fixtures/input/2022_rss.xml new file mode 100644 index 00000000..2e5432e8 --- /dev/null +++ b/tests/unit/providers/amazon/test-fixtures/input/2022_rss.xml @@ -0,0 +1,22 @@ + + + + Amazon Linux 2022 Security Bulletins + Amazon Linux 2022 Security Bulletins + https://alas.aws.amazon.com + en-us + 35 + + + ALAS-2021-001 (medium): vim + + CVE-2021-3778, CVE-2021-3796, CVE-2021-3872, CVE-2021-3875 + + Tue, 26 Oct 2021 02:25:00 GMT + Wed, 27 Oct 2021 00:24:00 GMT + https://alas.aws.amazon.com/AL2022/ALAS-2021-001.html + https://alas.aws.amazon.com/AL2022/ALAS-2021-001.html + + + + diff --git a/tests/unit/providers/amazon/test-fixtures/input/2_html/ALAS-2018-939 b/tests/unit/providers/amazon/test-fixtures/input/2_html/ALAS-2018-939 new file mode 100644 index 00000000..3c252136 --- /dev/null +++ b/tests/unit/providers/amazon/test-fixtures/input/2_html/ALAS-2018-939 @@ -0,0 +1,133 @@ + + + + + ALAS-2018-939 + + + + + + + + + + + + + + + +
+ +
+
+
+

ALAS-2018-939

+
+ +
+
+ + + Amazon Linux 2 Security Advisory: ALAS-2018-939 + +
+ Advisory Release Date: 2018-01-11 21:05 Pacific
+ Advisory Updated Date: 2018-01-16 01:28 Pacific
+ +
+ Severity: + + + + + + Critical
+
+ +
+ References: + CVE-2017-5715  + CVE-2017-5754  +
+
+ +
+
+ Issue Overview: +

An updated kernel release for Amazon Linux has been made available which prevents speculative execution of indirect branches within the kernel. This release incorporates latest stable open source Linux security improvements to address CVE-2017-5715 within the kernel and builds upon previously incorporated Kernel Page Table Isolation (KPTI) that addressed CVE-2017-5754. Customers must upgrade to the latest Amazon Linux kernel or AMI to effectively mitigate the impact of both CVE-2017-5754 and CVE-2017-5715 on MMU privilege separation (kernel mode vs. user mode) within their instance.

Customers with existing Amazon Linux AMI instances should run the following command to ensure they receive the updated package:

<i>sudo yum update kernel</i>

As is standard per any update of the Linux kernel, after the yum update is complete, a reboot is required for updates to take effect.

Please refer to https://aws.amazon.com/security/security-bulletins/AWS-2018-013/ for additional information regarding CVE-2017-5754.

Updated on 2018-01-06: Additional KPTI improvements.
Updated on 2018-01-09: Updated details
Updated on 2018-01-13: Additional fixes for CVE-2017-5715

+
+ +
+
+ Affected Packages: +
+

kernel

+
+ +
+
+ Issue Correction: +
Run yum update kernel to update your system. You will need to reboot your system in order for the new kernel to be running.
+
+
+ New Packages:
noarch:
    kernel-doc-4.9.76-38.79.amzn2.noarch

src:
    kernel-4.9.76-38.79.amzn2.src

x86_64:
    kernel-4.9.76-38.79.amzn2.x86_64
    kernel-headers-4.9.76-38.79.amzn2.x86_64
    kernel-debuginfo-common-x86_64-4.9.76-38.79.amzn2.x86_64
    perf-4.9.76-38.79.amzn2.x86_64
    perf-debuginfo-4.9.76-38.79.amzn2.x86_64
    python-perf-4.9.76-38.79.amzn2.x86_64
    python-perf-debuginfo-4.9.76-38.79.amzn2.x86_64
    kernel-tools-4.9.76-38.79.amzn2.x86_64
    kernel-tools-devel-4.9.76-38.79.amzn2.x86_64
    kernel-tools-debuginfo-4.9.76-38.79.amzn2.x86_64
    kernel-devel-4.9.76-38.79.amzn2.x86_64
    kernel-debuginfo-4.9.76-38.79.amzn2.x86_64

+
+ +
+
+
+ + + + diff --git a/tests/unit/providers/amazon/test-fixtures/input/2_rss.xml b/tests/unit/providers/amazon/test-fixtures/input/2_rss.xml new file mode 100644 index 00000000..3da76936 --- /dev/null +++ b/tests/unit/providers/amazon/test-fixtures/input/2_rss.xml @@ -0,0 +1,22 @@ + + + + Amazon Linux AMI Security Bulletins + Amazon Linux AMI Security Bulletins + https://alas.aws.amazon.com + en-us + 35 + + + ALAS-2018-939 (critical): kernel + + CVE-2017-5715, CVE-2017-5754 + + Thu, 11 Jan 2018 21:05:00 GMT + Tue, 16 Jan 2018 01:28:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-939.html + https://alas.aws.amazon.com/AL2/ALAS-2018-939.html + + + + diff --git a/tests/unit/providers/amazon/test-fixtures/mock_html b/tests/unit/providers/amazon/test-fixtures/mock_html new file mode 100644 index 00000000..819a1768 --- /dev/null +++ b/tests/unit/providers/amazon/test-fixtures/mock_html @@ -0,0 +1,100 @@ + + + + ALAS2-2018-949 + + + + + + + + + + + + +
+
+
+

ALAS2-2018-949

+
+ +
+
+ + + Amazon Linux 2 Security Advisory: ALAS-2018-949 + + +
+ Advisory Release Date: 2018-02-08 21:45 Pacific
+ +
+ Severity: + + + + + + Important
+
+ + + +
+
+ Issue Overview: +

SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrictions. (CVE-2018-2637 )

Loading of classes from untrusted locations (I18n, 8182601)
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making their Java application load an attacker controlled class file. (CVE-2018-2602 )

LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
It was discovered that the LDAP component of OpenJDK failed to properly encode special characters in user names when adding them to an LDAP search query. A remote attacker could possibly use this flaw to manipulate LDAP queries performed by the LdapLoginModule class. (CVE-2018-2588 )

ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2018-2663 )

Insufficient validation of the invokeinterface instruction (Hotspot, 8174962)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N). (CVE-2018-2582 )

GTK library loading use-after-free (AWT, 8185325)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N). (CVE-2018-2641 )

LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)
It was discovered that the LDAPCertStore class in the JNDI component of OpenJDK failed to securely handle LDAP referrals. An attacker could possibly use this flaw to make it fetch attacker controlled certificate data. (CVE-2018-2633 )

Insufficient strength of key agreement (JCE, 8185292)
It was discovered that the key agreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break data encryption by attacking key agreement rather than the encryption using the negotiated secret. (CVE-2018-2618 )

Unsynchronized access to encryption key data (Libraries, 8172525)
It was discovered that multiple encryption key classes in the Libraries component of OpenJDK did not properly synchronize access to their internal data. This could possibly cause a multi-threaded Java application to apply weak encryption to data because of the use of a key that was zeroed out. (CVE-2018-2579 )

Unbounded memory allocation during deserialization (AWT, 8190289)
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2018-2677 )

DerValue unbounded memory allocation (Libraries, 8182387)
It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it parsed attacker supplied DER encoded input. (CVE-2018-2603 )

Unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142)
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). (CVE-2018-2678 )

Use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application. (CVE-2018-2634 )

GSS context use-after-free (JGSS, 8186212)
It was discovered that the JGSS component of OpenJDK failed to properly handle GSS context in the native GSS library wrapper in certain cases. A remote attacker could possibly make a Java application using JGSS to use a previously freed context. (CVE-2018-2629 )

DnsClient missing source port randomization (JNDI, 8182125)
It was discovered that the DNS client implementation in the JNDI component of OpenJDK did not use random source ports when sending out DNS queries. This could make it easier for a remote attacker to spoof responses to those queries. (CVE-2018-2599 )

+
+ +
+
+ Affected Packages: +
+

java-1.8.0-openjdk

+
+ +
+
+ Issue Correction: +
Run yum update java-1.8.0-openjdk to update your system. +
+
+
+ New Packages:
noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.161-0.b14.amzn2.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.161-0.b14.amzn2.noarch
    java-1.8.0-openjdk-javadoc-debug-1.8.0.161-0.b14.amzn2.noarch
    java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.161-0.b14.amzn2.noarch

src:
    java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.src

x86_64:
    java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-debug-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-headless-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-headless-debug-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-devel-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-devel-debug-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-demo-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-demo-debug-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-src-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-src-debug-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-accessibility-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-accessibility-debug-1.8.0.161-0.b14.amzn2.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.161-0.b14.amzn2.x86_64

+
+
+
+
+
diff --git a/tests/unit/providers/amazon/test-fixtures/mock_rss b/tests/unit/providers/amazon/test-fixtures/mock_rss
new file mode 100644
index 00000000..a0d91a51
--- /dev/null
+++ b/tests/unit/providers/amazon/test-fixtures/mock_rss
@@ -0,0 +1,982 @@ + + + + Amazon Linux AMI Security Bulletins + Amazon Linux AMI Security Bulletins + https://alas.aws.amazon.com + en-us + 35 + + + ALAS-2018-1106 (medium): 389-ds-base + + CVE-2018-14648 + + Thu, 15 Nov 2018 00:10:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1106.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1106.html + + + + ALAS-2018-1105 (important): tomcat + + CVE-2018-1336 + + Thu, 08 Nov 2018 23:44:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1105.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1105.html + + + + ALAS-2018-1104 (medium): mod_http2 + + CVE-2018-11763 + + Thu, 08 Nov 2018 23:43:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1104.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1104.html + + + + ALAS-2018-1103 (important): spamassassin + + CVE-2017-15705, CVE-2018-11781 + + Thu, 08 Nov 2018 23:42:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1103.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1103.html + + + + ALAS-2018-1102 (medium): openssl + + CVE-2018-0495, CVE-2017-3735, CVE-2018-0732, CVE-2018-0739 + + Thu, 08 Nov 2018 23:41:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1102.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1102.html + + + + ALAS-2018-1100 (medium): kernel + + CVE-2018-18021, CVE-2018-17972 + + Thu, 08 Nov 2018 23:39:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1100.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1100.html + + + + ALAS-2018-1097 (critical): java-1.8.0-openjdk + + CVE-2018-3149, CVE-2018-3136, CVE-2018-3139, CVE-2018-3180, CVE-2018-3169, CVE-2018-3214, CVE-2018-3183 + + Thu, 25 Oct 2018 23:24:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1097.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1097.html + + + + ALAS-2018-1096 (medium): flatpak + + CVE-2018-6560 + + Thu, 25 Oct 2018 23:04:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1096.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1096.html + + + + ALAS-2018-1095 (medium): nss + + 
CVE-2018-12384 + + Thu, 25 Oct 2018 23:04:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1095.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1095.html + + + + ALAS-2018-1094 (medium): 389-ds-base + + CVE-2018-10850, CVE-2018-14624, CVE-2018-10935, CVE-2018-14638 + + Thu, 25 Oct 2018 23:04:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1094.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1094.html + + + + ALAS-2018-1093 (important): git + + CVE-2018-17456 + + Thu, 25 Oct 2018 23:24:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1093.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1093.html + + + + ALAS-2018-1089 (medium): zsh + + CVE-2018-13259, CVE-2018-0502 + + Wed, 10 Oct 2018 00:14:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1089.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1089.html + + + + ALAS-2018-1088 (important): ghostscript + + CVE-2018-16539, CVE-2018-16802, CVE-2018-16511, CVE-2018-15908, CVE-2018-15909, CVE-2018-16509, CVE-2018-16513, CVE-2018-15911, CVE-2018-15910, CVE-2018-16541, CVE-2018-16540, CVE-2018-16542, CVE-2018-11645, CVE-2018-16585 + + Wed, 10 Oct 2018 00:13:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1088.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1088.html + + + + ALAS-2018-1087 (important): kernel + + CVE-2018-14634 + + Wed, 10 Oct 2018 00:08:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1087.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1087.html + + + + ALAS-2018-1086 (important): kernel + + CVE-2018-16658, CVE-2018-14633, CVE-2018-17182 + + Wed, 10 Oct 2018 00:05:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1086.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1086.html + + + + ALAS-2018-1082 (important): bind + + CVE-2018-5740 + + Tue, 25 Sep 2018 17:49:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1082.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1082.html + + + + ALAS-2018-1080 (important): postgresql + + CVE-2018-10915 + + Tue, 25 Sep 2018 17:48:00 GMT + 
https://alas.aws.amazon.com/AL2/ALAS-2018-1080.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1080.html + + + + ALAS-2018-1078 (medium): mariadb + + CVE-2017-10379, CVE-2017-10378, CVE-2017-10268, CVE-2017-3651, CVE-2017-3653, CVE-2017-3641, CVE-2018-2665, CVE-2018-2819, CVE-2017-3636, CVE-2018-2622, CVE-2018-2817, CVE-2018-2640, CVE-2018-2771, CVE-2018-2813, CVE-2018-2761, CVE-2018-2562, CVE-2018-2767, CVE-2018-2755, CVE-2017-10384, CVE-2018-2668, CVE-2018-2781 + + Sat, 15 Sep 2018 04:12:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1078.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1078.html + + + + ALAS-2018-1077 (important): mutt + + CVE-2018-14357, CVE-2018-14354, CVE-2018-14362 + + Sat, 15 Sep 2018 03:55:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1077.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1077.html + + + + ALAS-2018-1076 (low): policycoreutils + + CVE-2018-1063 + + Sat, 15 Sep 2018 03:54:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1076.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1076.html + + + + ALAS-2018-1075 (low): openssh + + CVE-2018-15473 + + Tue, 25 Sep 2018 17:48:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1075.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1075.html + + + + ALAS-2018-1073 (important): qemu-kvm + + CVE-2018-11806, CVE-2018-7550 + + Sat, 15 Sep 2018 03:53:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1073.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1073.html + + + + ALAS-2018-1064 (medium): java-1.7.0-openjdk + + CVE-2018-2952 + + Tue, 21 Aug 2018 23:39:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1064.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1064.html + + + + ALAS-2018-1063 (important): yum-utils + + CVE-2018-10897 + + Tue, 21 Aug 2018 23:39:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1063.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1063.html + + + + ALAS-2018-1062 (medium): httpd + + CVE-2018-8011 + + Tue, 21 Aug 2018 23:38:00 GMT + 
https://alas.aws.amazon.com/AL2/ALAS-2018-1062.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1062.html + + + + ALAS-2018-1061 (critical): thunderbird + + CVE-2018-5188, CVE-2018-12366, CVE-2018-12365, CVE-2018-12364, CVE-2018-12363, CVE-2018-12362, CVE-2018-12360, CVE-2018-12372, CVE-2018-12373, CVE-2018-12374, CVE-2018-12359 + + Tue, 21 Aug 2018 23:38:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1061.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1061.html + + + + ALAS-2018-1060 (important): openslp + + CVE-2017-17833 + + Tue, 21 Aug 2018 23:34:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1060.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1060.html + + + + ALAS-2018-1058 (critical): kernel + + CVE-2018-3615, CVE-2018-5391, CVE-2018-3620, CVE-2018-3646 + + Tue, 14 Aug 2018 17:54:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1058.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1058.html + + + + ALAS-2018-1054 (medium): java-1.8.0-openjdk + + CVE-2018-2952 + + Thu, 09 Aug 2018 22:16:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1054.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1054.html + + + + ALAS-2018-1053 (low): ncurses + + CVE-2018-10754 + + Thu, 09 Aug 2018 22:15:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1053.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1053.html + + + + ALAS-2018-1052 (medium): curl + + CVE-2018-0500 + + Thu, 09 Aug 2018 22:15:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1052.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1052.html + + + + ALAS-2018-1051 (low): kernel + + CVE-2018-13093, CVE-2018-13094 + + Mon, 06 Aug 2018 18:37:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1051.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1051.html + + + + ALAS-2018-1050 (critical): kernel + + CVE-2018-5390 + + Mon, 06 Aug 2018 19:11:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1050.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1050.html + + + + ALAS-2018-1049 (important): libvirt + + 
CVE-2018-5748, CVE-2018-1064, CVE-2018-3639 + + Tue, 24 Jul 2018 21:23:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1049.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1049.html + + + + ALAS-2018-1048 (medium): glibc + + CVE-2018-11236, CVE-2017-15670, CVE-2017-15804, CVE-2017-18269 + + Wed, 08 Aug 2018 16:57:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1048.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1048.html + + + + ALAS-2018-1046 (medium): kernel + + CVE-2018-11412 + + Tue, 24 Jul 2018 21:23:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1046.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1046.html + + + + ALAS-2018-1045 (important): gnupg2 + + CVE-2018-12020 + + Thu, 09 Aug 2018 23:13:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1045.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1045.html + + + + ALAS-2018-1044 (medium): kernel + + CVE-2018-12232 + + Thu, 05 Jul 2018 21:44:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1044.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1044.html + + + + ALAS-2018-1043 (important): plexus-archiver + + CVE-2018-1002200 + + Tue, 24 Jul 2018 21:16:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1043.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1043.html + + + + ALAS-2018-1042 (low): openssh + + CVE-2017-15906 + + Tue, 24 Jul 2018 21:14:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1042.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1042.html + + + + ALAS-2018-1041 (important): xmlrpc + + CVE-2016-5003 + + Tue, 24 Jul 2018 21:13:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1041.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1041.html + + + + ALAS-2018-1039 (important): java-1.8.0-openjdk + + CVE-2018-3639 + + Mon, 11 Jun 2018 22:11:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1039.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1039.html + + + + ALAS-2018-1038 (important): kernel + + CVE-2018-1120, CVE-2018-3639, CVE-2018-3693 + + Sat, 15 Sep 2018 03:47:00 GMT + 
https://alas.aws.amazon.com/AL2/ALAS-2018-1038.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1038.html + + + + ALAS-2018-1037 (important): java-1.7.0-openjdk + + CVE-2018-3639 + + Mon, 11 Jun 2018 22:10:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1037.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1037.html + + + + ALAS-2018-1036 (important): 389-ds-base + + CVE-2018-1089 + + Mon, 11 Jun 2018 22:09:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1036.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1036.html + + + + ALAS-2018-1035 (important): git + + CVE-2018-11235, CVE-2018-11233 + + Mon, 11 Jun 2018 22:09:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1035.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1035.html + + + + ALAS-2018-1034 (important): qemu-kvm + + CVE-2017-15268, CVE-2018-5683, CVE-2018-3639, CVE-2017-13711, CVE-2017-15124, CVE-2018-7858, CVE-2017-13672 + + Mon, 11 Jun 2018 22:08:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1034.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1034.html + + + + ALAS-2018-1033 (important): libvirt + + CVE-2018-3639 + + Mon, 11 Jun 2018 22:08:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1033.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1033.html + + + + ALAS-2018-1032 (critical): thunderbird + + CVE-2018-5159, CVE-2018-5161, CVE-2018-5162, CVE-2018-5170, CVE-2018-5168, CVE-2018-5150, CVE-2018-5184, CVE-2018-5185, CVE-2018-5155, CVE-2018-5154, CVE-2018-5178, CVE-2018-5183 + + Mon, 11 Jun 2018 22:07:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1032.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1032.html + + + + ALAS-2018-1031 (important): procps-ng + + CVE-2018-1124, CVE-2018-1126 + + Mon, 11 Jun 2018 22:05:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1031.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1031.html + + + + ALAS-2018-1030 (low): xdg-user-dirs + + CVE-2017-15131 + + Mon, 11 Jun 2018 22:03:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1030.html + 
https://alas.aws.amazon.com/AL2/ALAS-2018-1030.html + + + + ALAS-2018-1029 (important): curl + + CVE-2018-1000301, CVE-2018-1000300 + + Mon, 11 Jun 2018 22:03:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1029.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1029.html + + + + ALAS-2018-1023 (important): kernel + + CVE-2018-1087, CVE-2018-1000199, CVE-2017-16939, CVE-2018-1068, CVE-2018-1108, CVE-2018-8897, CVE-2018-1091 + + Tue, 29 May 2018 23:20:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1023.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1023.html + + + + ALAS-2018-1022 (medium): ghostscript + + CVE-2018-10194 + + Tue, 29 May 2018 23:19:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1022.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1022.html + + + + ALAS-2018-1021 (critical): dhcp + + CVE-2018-1111 + + Tue, 29 May 2018 23:19:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1021.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1021.html + + + + ALAS-2018-1020 (medium): nghttp2 + + CVE-2018-1000168 + + Tue, 29 May 2018 23:17:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1020.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1020.html + + + + ALAS-2018-1015 (low): libvpx + + CVE-2017-13194 + + Fri, 11 May 2018 00:01:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1015.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1015.html + + + + ALAS-2018-1014 (important): corosync + + CVE-2018-1084 + + Fri, 11 May 2018 00:00:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1014.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1014.html + + + + ALAS-2018-1013 (medium): zsh + + CVE-2018-1083, CVE-2018-1100, CVE-2018-1071 + + Thu, 10 May 2018 23:59:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1013.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1013.html + + + + ALAS-2018-1012 (medium): libvncserver + + CVE-2018-7225 + + Thu, 10 May 2018 23:57:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1012.html + 
https://alas.aws.amazon.com/AL2/ALAS-2018-1012.html + + + + ALAS-2018-1011 (medium): golang + + CVE-2018-6574, CVE-2017-15041, CVE-2017-15042 + + Thu, 10 May 2018 23:56:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1011.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1011.html + + + + ALAS-2018-1010 (medium): krb5 + + CVE-2017-11368, CVE-2017-7562 + + Thu, 10 May 2018 23:50:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1010.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1010.html + + + + ALAS-2018-1009 (medium): ntp + + CVE-2016-7426, CVE-2016-9311, CVE-2016-9310, CVE-2017-6464, CVE-2017-6462, CVE-2016-7429, CVE-2017-6463, CVE-2016-7433 + + Thu, 10 May 2018 23:49:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1009.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1009.html + + + + ALAS-2018-1008 (important): patch + + CVE-2018-1000156 + + Thu, 10 May 2018 23:49:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1008.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1008.html + + + + ALAS-2018-1007 (critical): java-1.7.0-openjdk + + CVE-2018-2790, CVE-2018-2796, CVE-2018-2797, CVE-2018-2794, CVE-2018-2795, CVE-2018-2815, CVE-2018-2814, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800 + + Thu, 10 May 2018 23:49:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1007.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1007.html + + + + ALAS-2018-1006 (medium): PackageKit + + CVE-2018-1106 + + Thu, 26 Apr 2018 22:42:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1006.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1006.html + + + + ALAS-2018-1005 (important): pcs + + CVE-2018-1000119, CVE-2018-1079, CVE-2018-1086 + + Thu, 26 Apr 2018 22:41:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1005.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1005.html + + + + ALAS-2018-1004 (medium): openssl + + CVE-2018-0737, CVE-2017-3738, CVE-2017-3736, CVE-2017-3737 + + Thu, 26 Apr 2018 22:38:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1004.html + 
https://alas.aws.amazon.com/AL2/ALAS-2018-1004.html + + + + ALAS-2018-1002 (critical): java-1.8.0-openjdk + + CVE-2018-2790, CVE-2018-2796, CVE-2018-2797, CVE-2018-2794, CVE-2018-2795, CVE-2018-2815, CVE-2018-2814, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800 + + Thu, 26 Apr 2018 22:32:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-1002.html + https://alas.aws.amazon.com/AL2/ALAS-2018-1002.html + + + + ALAS-2018-999 (important): slf4j + + CVE-2018-8088 + + Thu, 19 Apr 2018 22:45:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-999.html + https://alas.aws.amazon.com/AL2/ALAS-2018-999.html + + + + ALAS-2018-998 (critical): librelp + + CVE-2018-1000140 + + Thu, 19 Apr 2018 22:44:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-998.html + https://alas.aws.amazon.com/AL2/ALAS-2018-998.html + + + + ALAS-2018-996 (medium): stunnel, amazon-efs-utils + + + + Fri, 20 Apr 2018 00:19:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-996.html + https://alas.aws.amazon.com/AL2/ALAS-2018-996.html + + + + ALAS-2018-995 (medium): curl + + CVE-2018-1000121, CVE-2018-1000120, CVE-2018-1000122 + + Thu, 19 Apr 2018 22:42:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-995.html + https://alas.aws.amazon.com/AL2/ALAS-2018-995.html + + + + ALAS-2018-994 (important): kernel + + CVE-2018-1068, CVE-2017-13215, CVE-2018-10901, CVE-2018-10675, CVE-2018-7995 + + Sat, 15 Sep 2018 03:51:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-994.html + https://alas.aws.amazon.com/AL2/ALAS-2018-994.html + + + + ALAS-2018-992 (medium): glibc + + CVE-2018-6485, CVE-2018-6551 + + Thu, 05 Apr 2018 23:26:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-992.html + https://alas.aws.amazon.com/AL2/ALAS-2018-992.html + + + + ALAS-2018-987 (medium): mod_wsgi + + CVE-2014-8583 + + Thu, 05 Apr 2018 23:25:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-987.html + https://alas.aws.amazon.com/AL2/ALAS-2018-987.html + + + + ALAS-2018-986 (low): zsh + + CVE-2018-7548, CVE-2018-7549, CVE-2017-18205, 
CVE-2017-18206 + + Thu, 05 Apr 2018 23:25:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-986.html + https://alas.aws.amazon.com/AL2/ALAS-2018-986.html + + + + ALAS-2018-985 (medium): mailman + + CVE-2018-5950 + + Thu, 05 Apr 2018 23:23:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-985.html + https://alas.aws.amazon.com/AL2/ALAS-2018-985.html + + + + ALAS-2018-984 (important): dhcp + + CVE-2018-5733, CVE-2018-5732 + + Thu, 05 Apr 2018 23:23:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-984.html + https://alas.aws.amazon.com/AL2/ALAS-2018-984.html + + + + ALAS-2018-983 (medium): ruby + + CVE-2018-1000073, CVE-2017-17790, CVE-2018-1000077, CVE-2018-1000076, CVE-2018-1000075, CVE-2018-1000074, CVE-2018-1000079, CVE-2018-1000078 + + Thu, 05 Apr 2018 23:22:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-983.html + https://alas.aws.amazon.com/AL2/ALAS-2018-983.html + + + + ALAS-2018-981 (critical): libvorbis + + CVE-2018-5146 + + Mon, 26 Mar 2018 22:10:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-981.html + https://alas.aws.amazon.com/AL2/ALAS-2018-981.html + + + + ALAS-2018-980 (important): 389-ds-base + + CVE-2017-15135, CVE-2018-1054 + + Mon, 26 Mar 2018 22:10:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-980.html + https://alas.aws.amazon.com/AL2/ALAS-2018-980.html + + + + ALAS-2018-971 (important): kernel + + CVE-2018-1068 + + Fri, 16 Mar 2018 22:56:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-971.html + https://alas.aws.amazon.com/AL2/ALAS-2018-971.html + + + + ALAS-2018-964 (medium): memcached + + CVE-2018-1000115 + + Tue, 29 May 2018 23:20:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-964.html + https://alas.aws.amazon.com/AL2/ALAS-2018-964.html + + + + ALAS-2018-963 (medium): dhcp + + CVE-2017-3144 + + Wed, 21 Feb 2018 21:24:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-963.html + https://alas.aws.amazon.com/AL2/ALAS-2018-963.html + + + + ALAS-2018-962 (important): linux-firmware + + CVE-2017-5715 + + Wed, 21 Feb 2018 
21:23:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-962.html + https://alas.aws.amazon.com/AL2/ALAS-2018-962.html + + + + ALAS-2018-961 (medium): systemd + + CVE-2018-1049 + + Wed, 21 Feb 2018 21:22:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-961.html + https://alas.aws.amazon.com/AL2/ALAS-2018-961.html + + + + ALAS-2018-960 (medium): nautilus + + CVE-2017-14604 + + Wed, 21 Feb 2018 21:22:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-960.html + https://alas.aws.amazon.com/AL2/ALAS-2018-960.html + + + + ALAS-2018-956 (important): kernel + + CVE-2018-5750, CVE-2017-17741, CVE-2017-5753, CVE-2018-5344, CVE-2018-1000028, CVE-2017-1000405 + + Wed, 21 Feb 2018 21:21:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-956.html + https://alas.aws.amazon.com/AL2/ALAS-2018-956.html + + + + ALAS-2018-955 (important): 389-ds-base + + CVE-2017-15134 + + Wed, 21 Feb 2018 21:18:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-955.html + https://alas.aws.amazon.com/AL2/ALAS-2018-955.html + + + + ALAS-2018-954 (important): bind + + CVE-2017-3145 + + Wed, 21 Feb 2018 21:18:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-954.html + https://alas.aws.amazon.com/AL2/ALAS-2018-954.html + + + + ALAS-2018-953 (important): microcode_ctl + + CVE-2017-5715 + + Thu, 08 Feb 2018 21:50:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-953.html + https://alas.aws.amazon.com/AL2/ALAS-2018-953.html + + + + ALAS-2018-952 (important): libvirt + + CVE-2017-5715 + + Thu, 08 Feb 2018 21:49:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-952.html + https://alas.aws.amazon.com/AL2/ALAS-2018-952.html + + + + ALAS-2018-951 (important): curl + + CVE-2018-1000007, CVE-2018-1000005 + + Thu, 05 Apr 2018 17:04:00 GMT + https://alas.aws.amazon.com/AL2/ALAS-2018-951.html + https://alas.aws.amazon.com/AL2/ALAS-2018-951.html + + + + ALAS-2018-949 (important): java-1.8.0-openjdk + + CVE-2018-2677, CVE-2018-2599, CVE-2018-2603, CVE-2018-2579, CVE-2018-2678, CVE-2018-2634, CVE-2018-2582, 
CVE-2018-2602, CVE-2018-2629, CVE-2018-2618, CVE-2018-2633, CVE-2018-2588, CVE-2018-2641, CVE-2018-2637, CVE-2018-2663
+
+ Thu, 08 Feb 2018 21:45:00 GMT
+ https://alas.aws.amazon.com/AL2/ALAS-2018-949.html
+ https://alas.aws.amazon.com/AL2/ALAS-2018-949.html
+
+
+
+ ALAS-2018-942 (important): qemu-kvm
+
+ CVE-2017-5715
+
+ Thu, 08 Feb 2018 21:46:00 GMT
+ https://alas.aws.amazon.com/AL2/ALAS-2018-942.html
+ https://alas.aws.amazon.com/AL2/ALAS-2018-942.html
+
+
+
+ ALAS-2018-939 (critical): kernel
+
+ CVE-2017-5754,
+ CVE-2017-5715
+
+ Tue, 16 Jan 2018 01:28:00 GMT
+ https://alas.aws.amazon.com/AL2/ALAS-2018-939.html
+ https://alas.aws.amazon.com/AL2/ALAS-2018-939.html
+
+
+
+
diff --git a/tests/unit/providers/amazon/test_amazon.py b/tests/unit/providers/amazon/test_amazon.py
new file mode 100644
index 00000000..abdb1d40
--- /dev/null
+++ b/tests/unit/providers/amazon/test_amazon.py
@@ -0,0 +1,97 @@
+import os
+import shutil
+
+import pytest
+import requests
+
+from vunnel.providers.amazon import Config, Provider, parser
+
+
+class TestParser:
+ def test_rss_parsing(self, tmpdir, helpers):
+ mock_data_path = helpers.local_dir("test-fixtures/mock_rss")
+ p = parser.Parser(workspace=tmpdir)
+ summaries = p._parse_rss(mock_data_path)
+
+ assert isinstance(summaries, list)
+ assert len(summaries) > 0 # TODO: what is the right answer?
+
+ for alas in summaries:
+ assert isinstance(alas, parser.AlasSummary)
+ assert alas.id is not None
+ assert alas.url is not None
+ assert alas.sev.lower() in parser.severity_map.keys()
+
+ # TODO: beef up these assertions (should cover the full data shape)
+
+ def test_html_parsing(self, helpers):
+ new_packages = [
+ "java-1.8.0-openjdk-javadoc-1.8.0.161-0.b14.amzn2.noarch",
+ "java-1.8.0-openjdk-javadoc-zip-1.8.0.161-0.b14.amzn2.noarch",
+ "java-1.8.0-openjdk-javadoc-debug-1.8.0.161-0.b14.amzn2.noarch",
+ "java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.161-0.b14.amzn2.noarch",
+ "java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.src",
+ "java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-debug-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-headless-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-headless-debug-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-devel-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-devel-debug-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-demo-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-demo-debug-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-src-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-src-debug-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-accessibility-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-accessibility-debug-1.8.0.161-0.b14.amzn2.x86_64",
+ "java-1.8.0-openjdk-debuginfo-1.8.0.161-0.b14.amzn2.x86_64",
+ ]
+
+ mock_data_path = helpers.local_dir("test-fixtures/mock_html")
+ with open(mock_data_path, 
"r") as fp:
+ html_content = fp.read()
+
+ p = parser.PackagesHTMLParser()
+ p.feed(html_content)
+
+ assert p.fixes is not None
+ assert new_packages == p.fixes
+ # TODO: beef up these assertions (should cover the full data shape)
+
+ def test_get_pkg_name_version(self):
+ f = parser.Parser.get_package_name_version("java-1.8.0-openjdk-javadoc-1.8.0.161-0.b14.amzn2.noarch")
+ assert f.pkg == "java-1.8.0-openjdk-javadoc"
+ assert f.ver == "1.8.0.161-0.b14.amzn2"
+
+ f = parser.Parser.get_package_name_version("java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.src")
+ assert f.pkg == "java-1.8.0-openjdk"
+ assert f.ver == "1.8.0.161-0.b14.amzn2"
+
+ f = parser.Parser.get_package_name_version("java-1.8.0-openjdk-debug-1.8.0.161-0.b14.amzn2.x86_64")
+ assert f.pkg == "java-1.8.0-openjdk-debug"
+ assert f.ver == "1.8.0.161-0.b14.amzn2"
+
+ a = parser.Parser.get_package_name_version("java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.src")
+ b = parser.Parser.get_package_name_version("java-1.8.0-openjdk-1.8.0.161-0.b14.amzn2.x86_64")
+ assert a == b
+
+
+@pytest.fixture
+def disable_get_requests(monkeypatch):
+ def disabled(*args, **kwargs):
+ raise RuntimeError("requests disabled but HTTP GET attempted")
+
+ monkeypatch.setattr(parser.requests, "get", disabled)
+
+
+def test_provider_schema(helpers, disable_get_requests):
+ workspace = helpers.provider_workspace(name=Provider.name)
+
+ provider = Provider(root=workspace.root, config=Config())
+
+ mock_data_path = helpers.local_dir("test-fixtures/input")
+ shutil.copytree(mock_data_path, workspace.input_dir, dirs_exist_ok=True)
+
+ provider.update()
+
+ assert 2 == workspace.num_result_entries()
+ assert workspace.result_schemas_valid(require_entries=True)
diff --git a/tests/unit/providers/github/test_parser.py b/tests/unit/providers/github/test_github.py
similarity index 100%
rename from tests/unit/providers/github/test_parser.py
rename to tests/unit/providers/github/test_github.py
index fa2fa950..85c99bee 100644
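Review bot: `test_rss_parsing` only checks `len(summaries) > 0` (the TODO on that line admits as much), so a parser regression that silently drops most advisories from the feed would still pass; pin the count the mock_rss fixture yields and the `id`/`url`/`sev` of one known entry, e.g. `assert summaries[0].id == "<ALAS id taken from the fixture>"`, so that a drop in coverage of ingested advisory data is caught. `import os` and `import requests` at the top of the file are unused — the fixture patches through `parser.requests`, so no direct `requests` import is needed. `parser.severity_map.keys()` can be written `parser.severity_map`, and `open(mock_data_path, "r")` should pass `encoding="utf-8"` so the HTML fixture is decoded identically on every platform. The `disable_get_requests` fixture blocks only `parser.requests.get`; if the parser fetches through a `requests.Session` or another helper, that path would not be blocked — worth confirming against parser.py.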
--- a/tests/unit/providers/github/test_parser.py +++ b/tests/unit/providers/github/test_github.py @@ -149,6 +149,16 @@ def node(): } +@pytest.fixture +def fake_get_query(monkeypatch): + def apply(return_values): + responses = Capture(return_values=return_values) + monkeypatch.setattr(parser, "get_query", responses) + return responses + + return apply + + class TestNodeParser: def test_no_such_attribute(self, node): result = parser.NodeParser(node).parse() @@ -278,16 +288,6 @@ def __call__(self, *a, **kw): return self.return_values.pop() -@pytest.fixture -def fake_get_query(monkeypatch): - def apply(return_values): - responses = Capture(return_values=return_values) - monkeypatch.setattr(parser, "get_query", responses) - return responses - - return apply - - class TestGetNestedVulnerabilities: def test_paginates_with_cursor(self, empty_response, advisories, fake_get_query): # first and second responses have 2 vulns and indicates there is a next page. The