-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: support Amazon Linux 2023 advisories (#107)
Signed-off-by: Weston Steimel <[email protected]>
- Loading branch information
1 parent
73c56bb
commit 0a2d2ee
Showing
5 changed files
with
163 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
139 changes: 139 additions & 0 deletions
139
tests/unit/providers/amazon/test-fixtures/input/2023_html/ALAS-2023-126
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
|
|
||
| <!doctype html> | ||
| <html> | ||
| <head> | ||
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> | ||
| <title>ALAS2023-2023-126</title> | ||
| <link rel='icon' type='image/x-icon' href='../static/favicon.ico' /> | ||
| <link rel="stylesheet" href="../static/bootstrap.min.css" type='text/css' media='print, projection, screen' > | ||
| <link rel='stylesheet' href='../static/blue_style.css' type='text/css' media='print, projection, screen' /> | ||
| <link rel='stylesheet' href='../static/fontawesome.css' type='text/css' media='print, projection, screen' /> | ||
| <link rel='stylesheet' href='../static/style.css' type='text/css' media='print, projection, screen' /> | ||
| <script type='text/javascript' src='../static/jquery.min.js'></script> | ||
| <script type='text/javascript' src='../static/jquery.tablesorter.min.js'></script> | ||
| <script type="text/javascript" src="../static/index.js"></script> | ||
|
|
||
| <!--Add constant cookie banner on this page--> | ||
| <script type = 'text/javascript'> | ||
| var shortbread = AWSCShortbread(); | ||
| shortbread.checkForCookieConsent(); | ||
| function customize() { | ||
| shortbread.customizeCookies(); | ||
| } | ||
| </script> | ||
|
|
||
| <style> | ||
| a{text-decoration: none; color: #0073BB} | ||
| a:visited{color: #0073BB} | ||
| .Site { | ||
| display: flex; | ||
| display: -webkit-flex; /* Safari */ | ||
| min-height: 100vh; | ||
| flex-direction: column; | ||
| } | ||
| .Site-content { | ||
| flex: 1; | ||
| } | ||
| </style> | ||
| </head> | ||
| <body class="Site"> | ||
| <main class="Site-content"> | ||
| <div class="container"> | ||
| <nav class="navbar navbar-fixed-top navbar-inverse" style="background-color: #000000" id="bs-navbar"> | ||
| <a style="font-size: 20px; color: #FF9900" class="navbar-brand" href="/"><b>Amazon Linux Security Center</b></a> | ||
| <ul class="nav navbar-nav navbar-right" style="color: #ff9900"> | ||
| <li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/">Amazon Linux</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/alas2.html">Amazon Linux 2</a> </li><li style="background-color: #FF9900;"> <a style="color: #000000" href="/alas2023.html">Amazon Linux 2023</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/announcements.html">Announcements</a> </li><li style="background-color: #333333;"> <a style="color: #FFFFFF" href="/faqs.html">FAQs</a> </li> | ||
| </ul> | ||
| </nav> | ||
| </div> | ||
| <div style='min-height: 523px; margin-top:80px;' class='nine columns content-with-nav' role='main'> | ||
| <section> | ||
| <div class='title'> | ||
| <h1 id='ALAS2023-2023-126'>ALAS2023-2023-126</h1> | ||
| </div> | ||
|
|
||
| <div class='text'> | ||
| <hr class='mid-pad'> | ||
| <span class='alas-info'> | ||
|
|
||
| <b>Amazon Linux 2023 Security Advisory:</b> ALAS-2023-126 | ||
|
|
||
| </span><br /> | ||
| <span class='alas-info'><b>Advisory Release Date:</b> 2023-03-07 00:29 Pacific</span><br /> | ||
| <span class='alas-info'><b>Advisory Updated Date:</b> 2023-03-08 00:51 Pacific</span><br /> | ||
|
|
||
| <div id='severity' class='alas-info'> | ||
| <b>Severity:</b> | ||
| <span class='date'> | ||
| <span class='bulletin-type'> | ||
| <i class='fas fa-exclamation-triangle'></i> | ||
| </span> | ||
| </span> | ||
| Important<br /> | ||
| </div> | ||
|
|
||
| <div id='references'> | ||
| <b>References:</b> | ||
| <a href='/cve/html/CVE-2022-3787.html' target='_blank' rel='noopener noreferrer'>CVE-2022-3787 <i class="fas fa-external-link-alt"></i></a> | ||
| <a href='/cve/html/CVE-2022-41973.html' target='_blank' rel='noopener noreferrer'>CVE-2022-41973 <i class="fas fa-external-link-alt"></i></a> | ||
| <a href='/cve/html/CVE-2022-41974.html' target='_blank' rel='noopener noreferrer'>CVE-2022-41974 <i class="fas fa-external-link-alt"></i></a> | ||
| <br /> | ||
| <a href="../../faqs.html">FAQs regarding Amazon Linux ALAS/CVE Severity</a> | ||
| </div> | ||
|
|
||
| <hr class='mid-pad'> | ||
| <div id='issue_overview'> | ||
| <b>Issue Overview:</b> | ||
| <p>A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root. (CVE-2022-3787)</p><p>A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. (CVE-2022-41973)</p><p>multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. (CVE-2022-41974)</p> | ||
| </div> | ||
|
|
||
| <div id='affected_packages' class='alas-info'> | ||
| <br /> | ||
| <b>Affected Packages:</b> | ||
| <br /> | ||
| <p>device-mapper-multipath</p> | ||
| </div> | ||
|
|
||
| <div id='issue_correction'> | ||
| <br /> | ||
| <b>Issue Correction:</b> | ||
| <br />Run <i>dnf update device-mapper-multipath --releasever=2023.0.20230308</i> to update your system. | ||
| <br /></div> | ||
| <br /> | ||
| <div id='new_packages'> | ||
| <b>New Packages:</b><pre>aarch64:<br /> device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.1.aarch64<br /> kpartx-debuginfo-0.8.7-16.amzn2023.0.1.aarch64<br /> device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.1.aarch64<br /> libdmmp-0.8.7-16.amzn2023.0.1.aarch64<br /> libdmmp-devel-0.8.7-16.amzn2023.0.1.aarch64<br /> libdmmp-debuginfo-0.8.7-16.amzn2023.0.1.aarch64<br /> device-mapper-multipath-devel-0.8.7-16.amzn2023.0.1.aarch64<br /> kpartx-0.8.7-16.amzn2023.0.1.aarch64<br /> device-mapper-multipath-0.8.7-16.amzn2023.0.1.aarch64<br /> device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.1.aarch64<br /> device-mapper-multipath-libs-0.8.7-16.amzn2023.0.1.aarch64<br /><br />i686:<br /> device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.1.i686<br /> device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.1.i686<br /> device-mapper-multipath-libs-0.8.7-16.amzn2023.0.1.i686<br /> device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.1.i686<br /> device-mapper-multipath-0.8.7-16.amzn2023.0.1.i686<br /> kpartx-debuginfo-0.8.7-16.amzn2023.0.1.i686<br /> libdmmp-0.8.7-16.amzn2023.0.1.i686<br /> kpartx-0.8.7-16.amzn2023.0.1.i686<br /> libdmmp-debuginfo-0.8.7-16.amzn2023.0.1.i686<br /> libdmmp-devel-0.8.7-16.amzn2023.0.1.i686<br /> device-mapper-multipath-devel-0.8.7-16.amzn2023.0.1.i686<br /><br />src:<br /> device-mapper-multipath-0.8.7-16.amzn2023.0.1.src<br /><br />x86_64:<br /> device-mapper-multipath-libs-debuginfo-0.8.7-16.amzn2023.0.1.x86_64<br /> kpartx-0.8.7-16.amzn2023.0.1.x86_64<br /> device-mapper-multipath-debugsource-0.8.7-16.amzn2023.0.1.x86_64<br /> libdmmp-debuginfo-0.8.7-16.amzn2023.0.1.x86_64<br /> libdmmp-0.8.7-16.amzn2023.0.1.x86_64<br /> kpartx-debuginfo-0.8.7-16.amzn2023.0.1.x86_64<br /> device-mapper-multipath-devel-0.8.7-16.amzn2023.0.1.x86_64<br /> device-mapper-multipath-0.8.7-16.amzn2023.0.1.x86_64<br /> libdmmp-devel-0.8.7-16.amzn2023.0.1.x86_64<br /> device-mapper-multipath-debuginfo-0.8.7-16.amzn2023.0.1.x86_64<br /> device-mapper-multipath-libs-0.8.7-16.amzn2023.0.1.x86_64<br /><br /></pre></div> | ||
| </div> | ||
| <div style="flex:1; margin-bottom: 40px;" class="links-container"> | ||
| <h3 class="section-heading">Additional References</h3> | ||
| <p> | ||
| Red Hat: <a style="margin-bottom: 40px;" href="https://access.redhat.com/security/cve/CVE-2022-3787" target="_blank" rel="noopener noreferrer">CVE-2022-3787</a>, | ||
| <a style="margin-bottom: 40px;" href="https://access.redhat.com/security/cve/CVE-2022-41973" target="_blank" rel="noopener noreferrer">CVE-2022-41973</a>, | ||
| <a style="margin-bottom: 40px;" href="https://access.redhat.com/security/cve/CVE-2022-41974" target="_blank" rel="noopener noreferrer">CVE-2022-41974</a></p> | ||
| <p> | ||
| Mitre: <a style="margin-bottom: 40px;" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3787" target="_blank" rel="noopener noreferrer">CVE-2022-3787</a>, | ||
| <a style="margin-bottom: 40px;" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41973" target="_blank" rel="noopener noreferrer">CVE-2022-41973</a>, | ||
| <a style="margin-bottom: 40px;" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41974" target="_blank" rel="noopener noreferrer">CVE-2022-41974</a></p> | ||
| </div> | ||
| </section> | ||
| </div> | ||
| </main> | ||
| <footer style="padding-left: 30px; padding-right: 30px;"><p style="color: #687078"> | ||
| CVE description copyright © 2023 | ||
| <a href="https://cve.mitre.org/about/termsofuse.html" target="_blank" rel="noopener noreferrer">The MITRE Corporation</a> | ||
| </p> | ||
| <p style="color: #687078"> | ||
| CVE description copyright © 2023 Red Hat, Inc. Per | ||
| <a href="https://access.redhat.com/security/data" target="_blank" rel="noopener noreferrer">https://access.redhat.com/security/data</a>, | ||
| RedHat's CVE report is licensed under | ||
| <a href="https://creativecommons.org/licenses/by/4.0/" target="_blank" rel="noopener noreferrer">CC BY 4.0</a>. | ||
| </p> | ||
| </footer> | ||
| <footer style="padding-left: 30px; padding-right: 30px;"><p> | ||
| <a href="https://aws.amazon.com/privacy/" target="_blank" rel="noopener noreferrer">Privacy</a> | | ||
| <a href="https://aws.amazon.com/terms/" target="_blank" rel="noopener noreferrer">Site terms</a> | | ||
| <a href="#" onclick="customize()">Cookie preferences</a> | | ||
| <span style="color: #687078">© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.</span> | ||
| </p> | ||
| </footer> | ||
| </body> | ||
| </html> |
21 changes: 21 additions & 0 deletions
21
tests/unit/providers/amazon/test-fixtures/input/2023_rss.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| <?xml version="1.0" encoding="UTF-8" ?> | ||
| <rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"> | ||
| <channel> | ||
| <title>Amazon Linux 2023 Security Bulletins</title> | ||
| <description>Amazon Linux 2023 Security Bulletins</description> | ||
| <link>https://alas.aws.amazon.com</link> | ||
| <language>en-us</language> | ||
| <ttl>35</ttl> | ||
|
|
||
| <item> | ||
| <title>ALAS-2023-126 (important): device-mapper-multipath</title> | ||
| <description> | ||
| CVE-2022-3787, CVE-2022-41973, CVE-2022-41974 | ||
| </description> | ||
| <pubDate>Tue, 07 Mar 2023 00:29:00 GMT</pubDate> | ||
| <lastBuildDate>Wed, 08 Mar 2023 00:51:00 GMT</lastBuildDate> | ||
| <guid>https://alas.aws.amazon.com/AL2023/ALAS-2023-126.html</guid> | ||
| <link>https://alas.aws.amazon.com/AL2023/ALAS-2023-126.html</link> | ||
| </item> | ||
| </channel> | ||
| </rss> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters