Description
Ran into this issue trying to upgrade dependencies with published vulnerabilities.
This would not be an issue if I were using the latest release of the AL2023 minimal container image, as it points to the updated package repo.
However, I am using the public.ecr.aws/lambda/nodejs:20 image, and it has not been updated to the latest version of AL2023; it is still version 2023.6.20241031.
Regardless, I believe the bug is present in all versions of the minimal container image.
An example vulnerability is https://alas.aws.amazon.com/AL2023/ALAS-2024-759.html
The correction is to run dnf update expat --releasever 2023.6.20241111
But on minimal container images, which use microdnf, this is not working, resulting in a "nothing to do" status; see output attached below.
I have found a workaround to update the packages, and that is to manually set the release version in the repo file.
sed -i 's/$releasever/2023.6.20241121/g' /etc/yum.repos.d/amazonlinux.repo
I suspect that something is wrong with how microdnf is setting the release version in /etc/yum.repos.d/amazonlinux.repo.
To Reproduce
Steps to reproduce the behavior:
- run docker image public.ecr.aws/amazonlinux/amazonlinux:2023.6.20241031.0-minimal
- run dnf install expat -y
- see that dnf installs expat-2.5.0-1.amzn2023.0.4.x86_64
- run dnf upgrade expat -y --releasever=2023.6.20241121 --refresh
- see that there is nothing to do
- run sed -i 's/$releasever/2023.6.20241121/g' /etc/yum.repos.d/amazonlinux.repo
- run dnf upgrade expat -y --refresh
- see that dnf upgrades to expat-2.6.3-1.amzn2023.0.1.x86_64
Expected behavior
I would expect that on step 4 dnf would upgrade expat to 2.6.3
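The sed workaround from the report, wrapped as an added example (not part of the original issue and not project code) so that an image build fails loudly if the pin did not take effect. The function names and the sample repo contents are constructed for illustration; GNU sed is assumed, as in the report.

```shell
#!/bin/sh
# Write a constructed sample .repo file (not the real AL2023 file) to $1.
make_sample_repo() {
    cat > "$1" <<'EOF'
[amazonlinux]
name=Amazon Linux 2023 repository
mirrorlist=https://example.invalid/core/mirrors/$releasever/$basearch/mirror.list
enabled=1
EOF
}

# pin_releasever FILE VERSION
# Replace the literal "$releasever" token in FILE with VERSION and print the
# number of lines that carried the token (0 means it was already pinned).
pin_releasever() {
    repo_file=$1
    version=$2

    # Accept only digits and dots (e.g. 2023.6.20241121) so the value can go
    # into the sed replacement without any escaping.
    case $version in
        ''|*[!0-9.]*) echo "invalid release version: $version" >&2; return 2 ;;
    esac
    [ -f "$repo_file" ] || { echo "no such file: $repo_file" >&2; return 2; }

    # grep -c exits non-zero on zero matches, hence the "|| true".
    count=$(grep -c -F '$releasever' "$repo_file" || true)
    if [ "$count" -eq 0 ]; then
        echo 0
        return 0
    fi

    # Keep a backup, then substitute. In a basic regular expression "$" is an
    # anchor only at the end of the pattern, so here it matches a literal "$".
    cp -p "$repo_file" "$repo_file.orig"
    sed -i 's/$releasever/'"$version"'/g' "$repo_file"

    # Fail if any occurrence survived the rewrite.
    if grep -q -F '$releasever' "$repo_file"; then
        echo "substitution incomplete in $repo_file" >&2
        return 1
    fi
    echo "$count"
}
```

In a Dockerfile this would run before the dnf upgrade step, for example as pin_releasever /etc/yum.repos.d/amazonlinux.repo 2023.6.20241121.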