From daf5457c5e4839c451be40268b30c29e3f0fca34 Mon Sep 17 00:00:00 2001 From: Kush Upadhyay Date: Mon, 7 Oct 2024 09:18:04 +0000 Subject: [PATCH 1/2] packages: update amazon-ssm-agent to v3.3.987.0 Signed-off-by: Kush Upadhyay --- ...001-agent-Add-config-to-make-shell-optional.patch | 12 ++++++------ packages/amazon-ssm-agent/Cargo.toml | 4 ++-- packages/amazon-ssm-agent/amazon-ssm-agent.spec | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/packages/amazon-ssm-agent/0001-agent-Add-config-to-make-shell-optional.patch b/packages/amazon-ssm-agent/0001-agent-Add-config-to-make-shell-optional.patch index 5a68aacfa..313400c2d 100644 --- a/packages/amazon-ssm-agent/0001-agent-Add-config-to-make-shell-optional.patch +++ b/packages/amazon-ssm-agent/0001-agent-Add-config-to-make-shell-optional.patch @@ -1,6 +1,6 @@ -From c835d2ddc855439173a8a59828c335d169c03d15 Mon Sep 17 00:00:00 2001 +From af0299d3f9ffb36b1f10b3c608b68301af664b1e Mon Sep 17 00:00:00 2001 From: Kush Upadhyay -Date: Tue, 2 Jul 2024 20:54:29 +0000 +Date: Mon, 7 Oct 2024 09:13:38 +0000 Subject: [PATCH] agent: Add config to make shell optional Signed-off-by: Kush Upadhyay @@ -11,11 +11,11 @@ Signed-off-by: Kush Upadhyay 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/agent/appconfig/appconfig.go b/agent/appconfig/appconfig.go -index b6abcf1..e214cd5 100644 +index 021d9f2..867f9e0 100644 --- a/agent/appconfig/appconfig.go +++ b/agent/appconfig/appconfig.go -@@ -118,6 +118,7 @@ func DefaultConfig() SsmagentConfig { - SessionLogsRetentionDurationHours: DefaultSessionLogsRetentionDurationHours, +@@ -119,6 +119,7 @@ func DefaultConfig() SsmagentConfig { + SessionLogsDestination: SessionLogsDestinationNone, PluginLocalOutputCleanup: DefaultPluginOutputRetention, OrchestrationDirectoryCleanup: DefaultOrchestrationDirCleanup, + UseShell: false, @@ -23,7 +23,7 @@ index b6abcf1..e214cd5 100644 var agent = AgentInfo{ Name: "amazon-ssm-agent", 
diff --git a/agent/appconfig/contracts.go b/agent/appconfig/contracts.go -index 1337398..0a66441 100644 +index 687aed2..dcb8412 100644 --- a/agent/appconfig/contracts.go +++ b/agent/appconfig/contracts.go @@ -50,6 +50,8 @@ type SsmCfg struct { diff --git a/packages/amazon-ssm-agent/Cargo.toml b/packages/amazon-ssm-agent/Cargo.toml index 69eea2bb6..43825e8e4 100644 --- a/packages/amazon-ssm-agent/Cargo.toml +++ b/packages/amazon-ssm-agent/Cargo.toml @@ -9,8 +9,8 @@ build = "../build.rs" path = "../packages.rs" [[package.metadata.build-package.external-files]] -url = "https://github.com/aws/amazon-ssm-agent/archive/3.3.808.0/amazon-ssm-agent-3.3.808.0.tar.gz" -sha512 = "d8c8fe3aaa1362bde3c449e5eebfa0f0e728c514c8671e3990bfa4351d343a0000542d26f67c019ba8783d26e28e88417a4de4fd83706bd494f14ef7c4da7b86" +url = "https://github.com/aws/amazon-ssm-agent/archive/3.3.987.0/amazon-ssm-agent-3.3.987.0.tar.gz" +sha512 = "d0eaa116fc38a4c89e91fffdd3691500f9084aa0f8c6ca6edf755f126deadbd76f025eea7a72a4ebb234bfd54f1632e4e5d1c2c6fbcd9cde3e446da7e93a9f11" [build-dependencies] glibc = { path = "../glibc" } diff --git a/packages/amazon-ssm-agent/amazon-ssm-agent.spec b/packages/amazon-ssm-agent/amazon-ssm-agent.spec index 72152c939..baede43c9 100644 --- a/packages/amazon-ssm-agent/amazon-ssm-agent.spec +++ b/packages/amazon-ssm-agent/amazon-ssm-agent.spec @@ -3,7 +3,7 @@ %global goimport %{goproject}/%{gorepo} Name: %{_cross_os}amazon-ssm-agent -Version: 3.3.808.0 +Version: 3.3.987.0 Release: 1%{?dist} Summary: An agent to enable remote management of EC2 instances License: Apache-2.0 @@ -65,7 +65,7 @@ Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-plugin-bin) %{summary}. %prep -%autosetup -n %{gorepo}-%{version} -p0001 +%autosetup -n %{gorepo}-%{version} -p1 %build %set_cross_go_flags From 53af3a05f73986fabdceb0e922602c71b66ca478 Mon Sep 17 00:00:00 2001 From: Kush Upadhyay Date: Mon, 7 Oct 2024 20:03:17 +0000 Subject: [PATCH 2/2] advisories: add BRSAs for amazon-ssm-agent CVEs 
Signed-off-by: Kush Upadhyay
---
 advisories/staging/BRSA-glvb5gspjgq6.toml | 18 ++++++++++++++++++
 advisories/staging/BRSA-jsc9uatb4znj.toml | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 advisories/staging/BRSA-glvb5gspjgq6.toml
 create mode 100644 advisories/staging/BRSA-jsc9uatb4znj.toml
diff --git a/advisories/staging/BRSA-glvb5gspjgq6.toml b/advisories/staging/BRSA-glvb5gspjgq6.toml
new file mode 100644
index 000000000..c50f04556
--- /dev/null
+++ b/advisories/staging/BRSA-glvb5gspjgq6.toml
@@ -0,0 +1,18 @@
+[advisory]
+id = "BRSA-glvb5gspjgq6"
+title = "amazon-ssm-agent CVE-2024-24790"
+cve = "CVE-2024-24790"
+severity = "moderate"
+description = "A flaw was found in amazon-ssm-agent in which the various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms."
+
+[[advisory.products]]
+package-name = "amazon-ssm-agent"
+patched-version = "3.3.987.0"
+patched-release = "0"
+patched-epoch = "0"
+
+[updateinfo]
+author = "kushupad"
+issue-date = 2024-10-07T18:35:49Z
+arches = ["x86_64", "aarch64"]
+version = "staging"
diff --git a/advisories/staging/BRSA-jsc9uatb4znj.toml b/advisories/staging/BRSA-jsc9uatb4znj.toml
new file mode 100644
index 000000000..ef66b3533
--- /dev/null
+++ b/advisories/staging/BRSA-jsc9uatb4znj.toml
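Review bot: The `description` in BRSA-glvb5gspjgq6.toml says the flaw "was found in amazon-ssm-agent", but the behaviour it then describes (the `IsPrivate`/`IsLoopback` family mishandling IPv4-mapped IPv6 addresses) belongs to Go's `net/netip` package, which the agent only inherits. BRSA-jsc9uatb4znj.toml uses the same wording for CVE-2023-45288, where the affected code is Go's HTTP/2 implementation (`net/http` and `golang.org/x/net/http2`). Naming the component lets someone triaging the advisory see that other Go-built packages in the image may need the same check. A possible opening is `description = "amazon-ssm-agent was built against a Go net/netip package in which the various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, ..."`, with the rest of the sentence kept as written.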
@@ -0,0 +1,18 @@
+[advisory]
+id = "BRSA-jsc9uatb4znj"
+title = "amazon-ssm-agent CVE-2023-45288"
+cve = "CVE-2023-45288"
+severity = "moderate"
+description = "A flaw was found in amazon-ssm-agent that could cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This could cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected."
+
+[[advisory.products]]
+package-name = "amazon-ssm-agent"
+patched-version = "3.3.987.0"
+patched-release = "0"
+patched-epoch = "0"
+
+[updateinfo]
+author = "kushupad"
+issue-date = 2024-10-07T18:33:08Z
+arches = ["x86_64", "aarch64"]
+version = "staging"
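Review bot: `patched-version = "3.3.987.0"` records the fix as a property of the agent's own version, but CVE-2023-45288 is fixed in Go's HTTP/2 code. Whether a given build is actually patched therefore depends on the Go toolchain and the `golang.org/x/net` copy it was compiled with, and neither is visible in this patch. The same applies to CVE-2024-24790 in BRSA-glvb5gspjgq6.toml, which is a standard-library (`net/netip`) fix. If the 3.3.987.0 build is known to pick up fixed versions, a comment above the products table would make that checkable, e.g. `# fixed via Go <toolchain version> / golang.org/x/net <module version> in the 3.3.987.0 build`.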