Ran into this issue trying to upgrade dependencies with published vulnerabilities.
This is not an issue if I was using the latest release of AL2023 minimal container image, as it points to the updated package repo.
However, I am using the public.ecr.aws/lambda/nodejs:20 image, and it has not been updated to the latest version of AL2023; it is still version 2023.6.20241031.
Regardless, I believe the bug is present in all versions of the minimal container image.
An example vulnerability is https://alas.aws.amazon.com/AL2023/ALAS-2024-759.html
The correction is to run dnf update expat --releasever 2023.6.20241111
But on minimal container images which use microdnf this is not working, resulting in a "nothing to do" status (see output attached below).
I have found a workaround to update the packages, and that is to manually set the release version in the repo file:
    sed -i 's/$releasever/2023.6.20241121/g' /etc/yum.repos.d/amazonlinux.repo
I suspect that something is wrong with how microdnf is setting the release version in /etc/yum.repos.d/amazonlinux.repo.
To Reproduce
Steps to reproduce the behavior:
- run docker image public.ecr.aws/amazonlinux/amazonlinux:2023.6.20241031.0-minimal
- run dnf install expat -y
- see that dnf installs expat-2.5.0-1.amzn2023.0.4.x86_64
- run dnf upgrade expat -y --releasever=2023.6.20241121 --refresh
- see that there is nothing to do
- run sed -i 's/$releasever/2023.6.20241121/g' /etc/yum.repos.d/amazonlinux.repo
- run dnf upgrade expat -y --refresh
- see that dnf upgrades to expat-2.6.3-1.amzn2023.0.1.x86_64
Expected behavior
I would expect that on step 4 dnf would upgrade expat to 2.6.3.
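The sed workaround from this report, wrapped as a checked build step; this is an added example, not part of the original issue or any AWS tooling. The function names (`valid_release`, `pin_releasever`, `sample_repo`) are hypothetical and the sample repo content is constructed.

```shell
#!/bin/sh
# Pin the literal $releasever placeholder in a dnf repo file to one release.
# Defaults are the path and version format quoted in the report above.

# valid_release VERSION -> 0 if VERSION looks like 2023.6.20241121
valid_release() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}\.[0-9]+\.[0-9]{8}$'
}

# pin_releasever VERSION [REPO_FILE]
# Returns 0 after pinning, 1 on bad input, 2 if no placeholder is left
# (already pinned), so an image build can tell the cases apart.
pin_releasever() {
    version=$1
    repo=${2:-/etc/yum.repos.d/amazonlinux.repo}
    valid_release "$version" || { echo "bad release: $version" >&2; return 1; }
    [ -f "$repo" ] || { echo "no such file: $repo" >&2; return 1; }
    grep -q '\$releasever' "$repo" || { echo "already pinned: $repo" >&2; return 2; }
    # Keep the original for rollback, then rewrite from it. The version was
    # validated as digits and dots only, so it is safe inside the sed script.
    cp -p "$repo" "$repo.orig" &&
        sed 's/\$releasever/'"$version"'/g' "$repo.orig" > "$repo"
}

# Constructed sample repo file (layout and URL are assumptions for the demo).
sample_repo() {
    cat > "$1" <<'EOF'
[amazonlinux]
name=Amazon Linux 2023 repository
mirrorlist=https://repo.example.invalid/al2023/core/mirrors/$releasever/$basearch/mirror.list
enabled=1
EOF
}

# Usage inside the image, followed by the upgrade command from the report:
#   pin_releasever 2023.6.20241121 && dnf upgrade expat -y --refresh
# Once pinned, --releasever no longer changes this repo's URLs, because the
# placeholder it would fill is gone; restore the .orig file to undo.
```

The distinct return code for an already pinned file lets a layered build skip the step without masking a malformed version string.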
