Changes to Bottlerocket's security advisory publication

[ginglis13]

As part of adapting to the core kit migration (#4048) and the recent order of magnitude increase in kernel CVE assignments, the Bottlerocket project will be making the following changes:

• New GitHub Security Advisories (GHSAs) will no longer be published in the bottlerocket-os/bottlerocket repo after July 2024. For programmatic access to security advisories, you must consume updateinfo.xml instead, which is the canonical source of this data. Bottlerocket’s updateinfo.xml is published to https://advisories.bottlerocket.aws/updateinfo.xml.gz
• Bottlerocket will adopt a new package versioning strategy for application-inventory.json and per-package advisories within updateinfo.xml. These data sources will no longer remove the “bottlerocket-” prefix from package names, or replace package versions with Bottlerocket project versions. Instead, packages will reflect the names and versions from the corresponding RPM spec file.
• For backwards compatibility, as an exception to the above, if the package is sourced from the bottlerocket-core-kit, the older treatment will still apply. The “bottlerocket-” prefix will be removed from package names, and the package versions will be set to the Bottlerocket core kit version. The first published version of the Bottlerocket core kit was 2.0.0, to avoid ambiguity with any past Bottlerocket version.
• Existing advisories in updateinfo.xml will not be modified.

What is updateinfo.xml?

updateinfo.xml is a special file used by software distributions to communicate security advisories for a collection of software and what updates one can take to patch said security advisories.

What is application-inventory.json?

Bottlerocket’s application-inventory.json file is a special file listing the packages installed in a Bottlerocket image. Since Bottlerocket variants do not include a package database, this file takes the place of that database for inventory/security scanners to identify the software included on a Bottlerocket host.

What is the relationship between application-inventory.json and updateinfo.xml?

The application inventory lists packages on a Bottlerocket instance. updateinfo.xml lists advisories affecting specific packages vended by Bottlerocket across its core-kit and variants. Comparisons between application inventory and updateinfo.xml allow developers and tools to draw conclusions about security advisory applicability to Bottlerocket instances.

What does Bottlerocket updateinfo.xml look like today?

Bottlerocket provides an updateinfo.xml with each new release of Bottlerocket variants. The historical <update>s in updateinfo.xml must be preserved; it is an append-only document. Note the version of a <package> below corresponds to a Bottlerocket release version.

 <update author="yeazelm" from="yeazelm" status="final" type="security" version="1.4">
    <id>GHSA-cjc2-5r85-qmvf</id>
    <title>glibc CVE-2024-2961</title>
    <issued date="2024-05-01T23:42:08Z"/>
    <updated date="2024-05-01T23:42:08Z"/>
    <severity>important</severity>
    <description>A flaw was found in the glibc's iconv() function which may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may allow for out of bounds writes.</description>
    <references>
      <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961" id="CVE-2024-2961" type="cve"/>
      <reference href="https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-cjc2-5r85-qmvf" id="GHSA-cjc2-5r85-qmvf" type="ghsa"/>
    </references>
    <pkglist>
    <collection short="bottlerocket">
      <name>Bottlerocket</name>
       <!-- This version is the Bottlerocket release version !-->
      <package arch="x86_64" name="glibc" version="1.20.0" release="0" epoch="0"/>
      <package arch="aarch64" name="glibc" version="1.20.0" release="0" epoch="0"/>
    </collection>
    </pkglist>
</update>

The full document can be found at https://advisories.bottlerocket.aws/updateinfo.xml.gz (note: some browsers do not recognize the content-type properly. Try curl -L https://advisories.bottlerocket.aws/updateinfo.xml.gz -o updateinfo.xml.gz).

What changes are coming to Bottlerocket updateinfo.xml?

The format of the file will remain the same. Any software which consumes Bottlerocket’s application inventory and evaluates it against updateinfo.xml will continue to behave as expected.

<update author="yeazelm" from="yeazelm" status="final" type="security" version="1.4">
  <id>bottlerocket-generated-id-1234/id>
  <title>glibc CVE-2024-2961</title>
  <issued date="2024-05-01T23:42:08Z"/>
  <updated date="2024-05-01T23:42:08Z"/>
  <severity>important</severity>
  <description>A flaw was found in the glibc's iconv() function which may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may allow for out of bounds writes.</description>
  <references>
    <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961" id="CVE-2024-2961" type="cve"/>
    <!-- Advisories will be sourced from TOML in the bottlerocket-core-kit repo. !-->
    <reference href="https://github.com/bottlerocket-os/bottlerocket-core-kit/<blob>/develop/advisories/<BottlerocketRelease>/. <ID>.toml" id="ID" type="Bottlerocket"/>
  </references>
  <pkglist>
    <collection short="bottlerocket">
    <name>Bottlerocket</name>
    <!-- This package came from bottlerocket-core-kit
    The version is now the bottlerocket-core-kit version
    The release is the bottlerocket-core-kit commit that built this package
    !-->
    <package arch="x86_64" name="glibc" version="2.0.0" release="acd61a37d" epoch="0"/>
    <package arch="aarch64" name="glibc" version="2.0.0" release="acd61a37d" epoch="0"/>
 
    <!-- This package was built from a non-core-kit package.
    The package name and version match what is defined in the spec. 
    The release is in the form
     <unix time epoch in ms of latest commit>.<git short sha of project release>.br1
    !-->
    <package arch="x86_64" name="bottlerocket-settings-plugin" version="0.0" release="0.11167171.fcf71a47c.br1" epoch="0"/>
    <package arch="aarch64" name="bottlerocket-settings-plugin" version="0.0" release="0.11167171.fcf71a47c.br1" epoch="0"/>
  </collection>
  </pkglist>
</update>

What does Bottlerocket’s application-inventory.json look like today?

{
  "Content": 
  [
    {
      "Name": "glibc",
      "Publisher": "Bottlerocket",
      # Bottlerocket release version
      "Version": "1.20.0",
      # This is the git commit short sha that built Bottlerocket
      "Release": "fcf71a47c",
      "InstalledTime": "2024-05-09T14:13:10Z",
      "ApplicationType": "Unspecified",
      "Architecture": "x86_64",
      "Url": "http://www.gnu.org/software/glibc/",
      "Summary": "The GNU libc libraries"
    },
    ...
  ]
}

What changes are coming to Bottlerocket application inventory?

The format of the file will remain the same. Any software which consumes Bottlerocket’s application inventory and evaluates it against updateinfo.xml will continue to behave as expected.

{
  "Content": 
  [
    {
      "Name": "glibc",
      "Publisher": "Bottlerocket",
      # bottlerocket-core-kit release version
      "Version": "2.0.0",
      # bottlerocket-core-kit commit that built this package
      "Release": "acd61a37d",
      "InstalledTime": "2024-05-09T14:13:10Z",
      "ApplicationType": "Unspecified",
      "Architecture": "x86_64",
      "Url": "http://www.gnu.org/software/glibc/",
      "Summary": "The GNU libc libraries"
    },
     {
      # The package name retains the prefix defined in the spec.
      "Name": "bottlerocket-settings-plugins",
      "Publisher": "Bottlerocket",
      # The package version matches what is defined in the spec.
      "Version": "0.0",
      # <unix time epoch in ms of latest commit>.<git short sha of project release>.br1
      "Release": "0.11167171.fcf71a47c.br1",
      "InstalledTime": "2024-05-09T14:13:10Z",
      "ApplicationType": "Unspecified",
      "Architecture": "x86_64",
      "Url": "https://github.com/bottlerocket-os/bottlerocket",
      "Summary": "Settings plugins for Bottlerocket"
    },
    ...
  ]
}

[ginglis13]

We have made a very minor modification to Bottlerocket updateinfo.xml. Using the example provided above, note the subtle difference - now, release fields specify the commit from which this Bottlerocket release was built.

 <update author="yeazelm" from="yeazelm" status="final" type="security" version="1.4">
    <id>GHSA-cjc2-5r85-qmvf</id>
    <title>glibc CVE-2024-2961</title>
    <issued date="2024-05-01T23:42:08Z"/>
    <updated date="2024-05-01T23:42:08Z"/>
    <severity>important</severity>
    <description>A flaw was found in the glibc's iconv() function which may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may allow for out of bounds writes.</description>
    <references>
      <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961" id="CVE-2024-2961" type="cve"/>
      <reference href="https://github.com/bottlerocket-os/bottlerocket/security/advisories/GHSA-cjc2-5r85-qmvf" id="GHSA-cjc2-5r85-qmvf" type="ghsa"/>
    </references>
    <pkglist>
    <collection short="bottlerocket">
      <name>Bottlerocket</name>
       <!-- This version is the Bottlerocket release version !-->
       <!-- Release is the commit from which this Bottlerocket release was built !-->
      <package arch="x86_64" name="glibc" version="1.20.0" release="fcf71a47" epoch="0"/>
      <package arch="aarch64" name="glibc" version="1.20.0" release="fcf71a47" epoch="0"/>
    </collection>
    </pkglist>
</update>

For the 1.21.x releases and onwards, refer to the original communication of this issue in section "What changes are coming to Bottlerocket updateinfo.xml?"

The full updateinfo document can be retrieved via curl -L https://advisories.bottlerocket.aws/updateinfo.xml.gz -o updateinfo.xml.gz.

[ginglis13]

With Out of Tree Builds, Bottlerocket variants can be built by anyone. Variant repos may not necessarily follow the exact historical versioning of Bottlerocket, or the bottlerocket-core-kit. To avoid confusion with package versions, and to ensure consistency and produce an updateinfo.xml that may be applicable across different variant sources of Bottlerocket, the application inventory generated in Bottlerocket variant builds will be updated to use actual package versions.

Feature request in Twoliter: bottlerocket-os/twoliter#364

With this, the data included in updateinfo.xml and application inventory will be modified. RPM version comparisons will still hold due to plans to set an Epoch: 1 for each package.

What changes are coming to Bottlerocket updateinfo.xml?

The format of the file will remain the same. Any software which consumes Bottlerocket’s application inventory and evaluates it against updateinfo.xml will continue to behave as expected. The advisories in updateinfo.xml will now describe packages by their package version and an epoch of 1.

<update author="yeazelm" from="yeazelm" status="final" type="security" version="1.4">
  <id>bottlerocket-generated-id-1234/id>
  <title>glibc CVE-2024-2961</title>
  <issued date="2024-05-01T23:42:08Z"/>
  <updated date="2024-05-01T23:42:08Z"/>
  <severity>important</severity>
  <description>A flaw was found in the glibc's iconv() function which may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may allow for out of bounds writes.</description>
  <references>
    <reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961" id="CVE-2024-2961" type="cve"/>
    <!-- Advisories will be sourced from TOML in the bottlerocket-core-kit repo. !-->
    <reference href="https://github.com/bottlerocket-os/bottlerocket-core-kit/<blob>/develop/advisories/<BottlerocketRelease>/. <ID>.toml" id="ID" type="Bottlerocket"/>
  </references>
  <pkglist>
    <collection short="bottlerocket">
    <name>Bottlerocket</name>
    <!-- The package name and version match what is defined in the spec. 
    The release is in the form
     <unix time epoch in ms of latest commit>.<git short sha of project release>.br1
    epoch is now 1
    !-->
    <package arch="x86_64" name="glibc" version="2.38" release="0.11167171.fcf71a47c.br1" epoch="1"/>
    <package arch="aarch64" name="glibc" version="2.38" release="0.11167171.fcf71a47c.br1" epoch="1"/>
 
    <!-- The package name and version match what is defined in the spec. 
    The release is in the form
     <unix time epoch in ms of latest commit>.<git short sha of project release>.br1
    epoch is now 1
    !-->
    <package arch="x86_64" name="bottlerocket-settings-plugin" version="0.0" release="0.11167171.fcf71a47c.br1" epoch="1"/>
    <package arch="aarch64" name="bottlerocket-settings-plugin" version="0.0" release="0.11167171.fcf71a47c.br1" epoch="1"/>
  </collection>
  </pkglist>
</update>

What changes are coming to Bottlerocket application inventory?

The format of the file will remain the same. Any software which consumes Bottlerocket’s application inventory and evaluates it against updateinfo.xml will continue to behave as expected.

{
  "Content": 
  [
    {
      "Name": "glibc",
      "Publisher": "Bottlerocket",
      # The package version matches what is defined in the spec.
      "Version": "2.38",
      # <unix time epoch in ms of latest commit>.<git short sha of project release>.br1
      "Release": "0.11167171.fcf71a47c.br1",
      "Epoch": "1",
      "InstalledTime": "2024-05-09T14:13:10Z",
      "ApplicationType": "Unspecified",
      "Architecture": "x86_64",
      "Url": "http://www.gnu.org/software/glibc/",
      "Summary": "The GNU libc libraries"
    },
     {
      # The package name retains the prefix defined in the spec.
      "Name": "bottlerocket-settings-plugins",
      "Publisher": "Bottlerocket",
      # The package version matches what is defined in the spec.
      "Version": "0.0",
      # <unix time epoch in ms of latest commit>.<git short sha of project release>.br1
      "Release": "0.11167171.fcf71a47c.br1",
      "Epoch": "1",
      "InstalledTime": "2024-05-09T14:13:10Z",
      "ApplicationType": "Unspecified",
      "Architecture": "x86_64",
      "Url": "https://github.com/bottlerocket-os/bottlerocket",
      "Summary": "Settings plugins for Bottlerocket"
    },
    ...
  ]
}