Add Amazon Linux advisories

[ambuj-1211]

Fixes: #72
This Pr adds amazon linux importer.

[ambuj-1211]

@ziadhany help me to create the fixed version as there are new packages provided here https://alas.aws.amazon.com/ALAS-2024-1943.html in the amazon_linux advisories URL and how to handle the affected_packages part effectively.

• One more thing that should I include cves also in the aliases along with the ALAS id.
• From this URL should I also consider including the Additional References in references of my Advisory Data object.

[keshav-space]

@ambuj-1211

Steps to get the Structured Advisory

Mirror List for AL

• AL1 => http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list
• AL2 => https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list
• AL2022 => https://cdn.amazonlinux.com/al2022/core/mirrors/latest/x86_64/mirror.list
• AL2023 => https://cdn.amazonlinux.com/al2023/core/mirrors/latest/x86_64/mirror.list

Procedure:

1. Visit the AL mirror list and get the mirror server URL.
2. Append /repodata/updateinfo.xml.gz to the mirror server URL, and download the updateinfo.xml.gz file, which contains the structured security advisory as shown below.

<id>ALAS-2011-1</id>
<title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
<issued date="2011-09-27 22:46:00" />
<updated date="2014-09-14 14:25:00" />
<severity>medium</severity>
<description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
	The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
</description>
<references>
	<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
	<reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
</references>
<pkglist>
	<collection short="amazon-linux-ami">
		<name>Amazon Linux AMI</name>
		<package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
		<package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
		<package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
		<package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
                 ...
	</collection>
</pkglist>undefined</update>undefined<update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com">

Note

This only contains the fixed package versions.

[ambuj-1211]

@ambuj-1211

Steps to get the Structured Advisory

Mirror List for AL

• AL1 => http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list
• AL2 => https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list
• AL2022 => https://cdn.amazonlinux.com/al2022/core/mirrors/latest/x86_64/mirror.list
• AL2023 => https://cdn.amazonlinux.com/al2023/core/mirrors/latest/x86_64/mirror.list

Procedure:

1. Visit the AL mirror list and get the mirror server URL.
2. Append /repodata/updateinfo.xml.gz to the mirror server URL, and download the updateinfo.xml.gz file, which contains the structured security advisory as shown below.

<id>ALAS-2011-1</id>
<title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title>
<issued date="2011-09-27 22:46:00" />
<updated date="2014-09-14 14:25:00" />
<severity>medium</severity>
<description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
	The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
</description>
<references>
	<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" />
	<reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" />
</references>
<pkglist>
	<collection short="amazon-linux-ami">
		<name>Amazon Linux AMI</name>
		<package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
		<package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
		<package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
		<package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686">
			<filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename>
		</package>
                 ...
	</collection>
</pkglist>undefined</update>undefined<update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com">

Note

This only contains the fixed package versions.

@keshav-space So should I directly fetch whole data from these files? and where can I get the license to use the data from here.

[keshav-space]

@ambuj-1211

So should I directly fetch whole data from these files?

You can, but if you already have a way to get the AL advisory data and it's working, then there's no need to change.

and where can I get the license to use the data from here.

Not sure about the license yet. AL provides security and bug fixes to AL packages using updateinfo.xml, and they should be covered under the same license as AL? I'm not sure.

[ambuj-1211]

@ziadhany @TG1999 @keshav-space Not sure about the license, please help me with that.

[ziadhany]

@ambuj-1211

Please set the license to unknown, so we can either do more research or reach out to the API author directly to inquire about the data license.