Merge pull request #182 from koooosh/update-ssm-agent

Update amazon-ssm-agent to v3.3.987.0
bottlerocket-os · Oct 8, 2024 · f5577ab · f5577ab
2 parents 428e89b + 53af3a0
commit f5577ab
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 10 deletions.
diff --git a/advisories/staging/BRSA-glvb5gspjgq6.toml b/advisories/staging/BRSA-glvb5gspjgq6.toml
@@ -0,0 +1,18 @@
+[advisory]
+id = "BRSA-glvb5gspjgq6"
+title = "amazon-ssm-agent CVE-2024-24790"
+cve = "CVE-2024-24790"
+severity = "moderate"
+description = "A flaw was found in amazon-ssm-agent in which the various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms."
+
+[[advisory.products]]
+package-name = "amazon-ssm-agent"
+patched-version = "3.3.987.0"
+patched-release = "0"
+patched-epoch = "0"
+
+[updateinfo]
+author = "kushupad"
+issue-date = 2024-10-07T18:35:49Z
+arches = ["x86_64", "aarch64"]
+version = "staging"
diff --git a/advisories/staging/BRSA-jsc9uatb4znj.toml b/advisories/staging/BRSA-jsc9uatb4znj.toml
@@ -0,0 +1,18 @@
+[advisory]
+id = "BRSA-jsc9uatb4znj"
+title = "amazon-ssm-agent CVE-2023-45288"
+cve = "CVE-2023-45288"
+severity = "moderate"
+description = "A flaw was found in amazon-ssm-agent that could cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This could cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected."
+
+[[advisory.products]]
+package-name = "amazon-ssm-agent"
+patched-version = "3.3.987.0"
+patched-release = "0"
+patched-epoch = "0"
+
+[updateinfo]
+author = "kushupad"
+issue-date = 2024-10-07T18:33:08Z
+arches = ["x86_64", "aarch64"]
+version = "staging"
diff --git a/packages/amazon-ssm-agent/0001-agent-Add-config-to-make-shell-optional.patch b/packages/amazon-ssm-agent/0001-agent-Add-config-to-make-shell-optional.patch
@@ -1,6 +1,6 @@
-From c835d2ddc855439173a8a59828c335d169c03d15 Mon Sep 17 00:00:00 2001
+From af0299d3f9ffb36b1f10b3c608b68301af664b1e Mon Sep 17 00:00:00 2001
 From: Kush Upadhyay <kushupad@amazon.com>
-Date: Tue, 2 Jul 2024 20:54:29 +0000
+Date: Mon, 7 Oct 2024 09:13:38 +0000
 Subject: [PATCH] agent: Add config to make shell optional
 
 Signed-off-by: Kush Upadhyay <kushupad@amazon.com>
@@ -11,19 +11,19 @@ Signed-off-by: Kush Upadhyay <kushupad@amazon.com>
  3 files changed, 28 insertions(+), 11 deletions(-)
 
 diff --git a/agent/appconfig/appconfig.go b/agent/appconfig/appconfig.go
-index b6abcf1..e214cd5 100644
+index 021d9f2..867f9e0 100644
 --- a/agent/appconfig/appconfig.go
 +++ b/agent/appconfig/appconfig.go
-@@ -118,6 +118,7 @@ func DefaultConfig() SsmagentConfig {
- 		SessionLogsRetentionDurationHours:     DefaultSessionLogsRetentionDurationHours,
+@@ -119,6 +119,7 @@ func DefaultConfig() SsmagentConfig {
+ 		SessionLogsDestination:                SessionLogsDestinationNone,
  		PluginLocalOutputCleanup:              DefaultPluginOutputRetention,
  		OrchestrationDirectoryCleanup:         DefaultOrchestrationDirCleanup,
 +		UseShell:                              false,
  	}
  	var agent = AgentInfo{
  		Name:                                    "amazon-ssm-agent",
 diff --git a/agent/appconfig/contracts.go b/agent/appconfig/contracts.go
-index 1337398..0a66441 100644
+index 687aed2..dcb8412 100644
 --- a/agent/appconfig/contracts.go
 +++ b/agent/appconfig/contracts.go
 @@ -50,6 +50,8 @@ type SsmCfg struct {

diff --git a/packages/amazon-ssm-agent/Cargo.toml b/packages/amazon-ssm-agent/Cargo.toml
@@ -9,8 +9,8 @@ build = "../build.rs"
 path = "../packages.rs"
 
 [[package.metadata.build-package.external-files]]
-url = "https://github.com/aws/amazon-ssm-agent/archive/3.3.808.0/amazon-ssm-agent-3.3.808.0.tar.gz"
-sha512 = "d8c8fe3aaa1362bde3c449e5eebfa0f0e728c514c8671e3990bfa4351d343a0000542d26f67c019ba8783d26e28e88417a4de4fd83706bd494f14ef7c4da7b86"
+url = "https://github.com/aws/amazon-ssm-agent/archive/3.3.987.0/amazon-ssm-agent-3.3.987.0.tar.gz"
+sha512 = "d0eaa116fc38a4c89e91fffdd3691500f9084aa0f8c6ca6edf755f126deadbd76f025eea7a72a4ebb234bfd54f1632e4e5d1c2c6fbcd9cde3e446da7e93a9f11"
 
 [build-dependencies]
 glibc = { path = "../glibc" }
diff --git a/packages/amazon-ssm-agent/amazon-ssm-agent.spec b/packages/amazon-ssm-agent/amazon-ssm-agent.spec
@@ -3,7 +3,7 @@
 %global goimport %{goproject}/%{gorepo}
 
 Name: %{_cross_os}amazon-ssm-agent
-Version: 3.3.808.0
+Version: 3.3.987.0
 Release: 1%{?dist}
 Summary: An agent to enable remote management of EC2 instances
 License: Apache-2.0
@@ -65,7 +65,7 @@ Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-plugin-bin)
 %{summary}.
 
 %prep
-%autosetup -n %{gorepo}-%{version} -p0001
+%autosetup -n %{gorepo}-%{version} -p1
 
 %build
 %set_cross_go_flags