Debian Stretch AMI on AWS Marketplace + Meltdown

To: cloud list <debian-cloud@lists.debian.org>
Subject: Debian Stretch AMI on AWS Marketplace + Meltdown
From: Michael Schams <debian.1517715179@2018.schams.net>
Date: Sun, 04 Feb 2018 14:55:52 +1100
Message-id: <[🔎] 1517716552.4604.5.camel@2018.schams.net>

Hi everyone,

I am trying to publish a new AMI at the AWS Marketplace [1]. My AMI is
based on the Debian Stretch ami-628ad918 [2], which includes kernel
updates for DSA 4078, addressing the Meltdown attack.

However, the AWS scan tool rejects the AMI due to the following issue:

(quote) "Vulnerabilities detected - The following vulnerabilities were
detected and must be addressed: CVE-2017-5754 [3]."

The AMI I submitted has all available Debian updates installed and
reading the description of CVE-2017-5754, this is clearly the Meltdown
attack.

Have I missed anything? Why does the AWS scan tool stumble across this
vulnerability and what can I do to address this issue?


Thanks
Michael

[1] https://aws.amazon.com/marketplace/
[2] https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5754

Reply to:

Follow-Ups:
- Re: [debian-cloud] Debian Stretch AMI on AWS Marketplace + Meltdown
  - From: Michael Schams <debian.1517715179@2018.schams.net>
- Re: Debian Stretch AMI on AWS Marketplace + Meltdown
  - From: Noah Meyerhans <noahm@debian.org>

Prev by Date: chrony.conf file for GCE
Next by Date: Re: [debian-cloud] Debian Stretch AMI on AWS Marketplace + Meltdown
Previous by thread: chrony.conf file for GCE
Next by thread: Re: [debian-cloud] Debian Stretch AMI on AWS Marketplace + Meltdown
Index(es):
- Date
- Thread