Listing applicable Advisories - Amazon Linux 2023

Listing applicable Advisories

The dnf package manager has access to metadata describing which advisories are fixed in which package versions. It can therefore list the advisories that are applicable to an instance or container image.

Note

Tools such as Amazon EC2 Systems Manager can use this functionality to show what updates are relevant across a fleet rather than just a single instance.

When listing updates, you can instruct dnf to look at the metadata of a particular AL2023 release, or the metadata from the latest release.

Note

Once an AL2023 release is made, it is immutable. Thus, new or updated advisories on the Amazon Linux Security Center are only added to the metadata of new releases of AL2023.

We will now go through examples of looking at what advisories apply to some AL2023 container images. The same commands also work in non-containerized environments such as instances.

Listing advisories in a specific version

In this example we are going to look at what advisories in the 2023.1.20230628 release are relevant in a container image of the 2023.0.20230315 release.

Note

This example uses the 2023.0.20230315 and 2023.1.20230628 releases, and these are not the latest release of AL2023. See the AL2023 Release Notes for the latest releases, which contain the latest security updates.

In this example we will be starting with a container image for the 2023.0.20230315 release.

First, we fetch this container image from the container registry. The .0 at the end indicates the version of the image for a particular release; this image version is usually zero.

$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
2023.0.20230315.0: Pulling from amazonlinux/amazonlinux
b76f3b09316a: Pull complete
Digest: sha256:94e7183b0739140dbd5b639fb7600f0a2299cec5df8780c26d9cb409da5315a9
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0

We can now spawn a shell inside the container, from which we will ask dnf to list what advisories are relevant to the packages installed in the container.

$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.0.20230315.0
bash-5.2#

The dnf updateinfo command is now used to display a summary of what advisories in the 2023.1.20230628 release are relevant to our installed packages.

$ dnf updateinfo --releasever=2023.1.20230628
Amazon Linux 2023 repository 42 MB/s | 15 MB 00:00
Last metadata expiration check: 0:00:02 ago on Mon Jul 22 20:24:24 2024.
Updates Information Summary: available
    8 Security notice(s)
        1 Important Security notice(s)
        5 Medium Security notice(s)
        2 Low Security notice(s)

To get a list of the advisories, the --list option can be given to dnf updateinfo.

$ dnf updateinfo --releasever=2023.1.20230628 --list
Last metadata expiration check: 0:01:22 ago on Mon Jul 22 20:24:24 2024.
ALAS2023-2023-193 Medium/Sec.    curl-minimal-8.0.1-1.amzn2023.x86_64
ALAS2023-2023-225 Medium/Sec.    glib2-2.74.7-688.amzn2023.0.1.x86_64
ALAS2023-2023-195 Low/Sec.       libcap-2.48-2.amzn2023.0.3.x86_64
ALAS2023-2023-193 Medium/Sec.    libcurl-minimal-8.0.1-1.amzn2023.x86_64
ALAS2023-2023-145 Low/Sec.       libgcc-11.3.1-4.amzn2023.0.3.x86_64
ALAS2023-2023-145 Low/Sec.       libgomp-11.3.1-4.amzn2023.0.3.x86_64
ALAS2023-2023-145 Low/Sec.       libstdc++-11.3.1-4.amzn2023.0.3.x86_64
ALAS2023-2023-163 Medium/Sec.    libxml2-2.10.4-1.amzn2023.0.1.x86_64
ALAS2023-2023-220 Important/Sec. ncurses-base-6.2-4.20200222.amzn2023.0.4.noarch
ALAS2023-2023-220 Important/Sec. ncurses-libs-6.2-4.20200222.amzn2023.0.4.x86_64
ALAS2023-2023-181 Medium/Sec.    openssl-libs-1:3.0.8-1.amzn2023.0.2.x86_64
ALAS2023-2023-222 Medium/Sec.    openssl-libs-1:3.0.8-1.amzn2023.0.3.x86_64

Listing advisories in the latest version

In this example we are going to look at what updates are available in the latest version of AL2023 if we launched a container of the 2023.4.20240319 release. At the time of writing, the latest release is 2023.5.20240708, so the listed updates in this example will be as of that release.

Note

This example uses the 2023.4.20240319 and 2023.5.20240708 releases, the latter being the latest release at the time of writing. For more information on the latest releases, see the AL2023 Release Notes.

In this example we will be starting with a container image for the 2023.4.20240319 release.

First, we fetch this container image from the container registry. The .1 at the end indicates the version of the image for a particular release. While the image version is typically zero, this example uses a release where the image version is one.

$ docker pull public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
2023.4.20240319.1: Pulling from amazonlinux/amazonlinux
6de065fda9a2: Pull complete
Digest: sha256:b4838c4cc9211d966b6ea158dacc9eda7433a16ba94436508c2d9f01f7658b4e
Status: Downloaded newer image for public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1

We can now spawn a shell inside the container, from which we will check for updates.

$ docker run -it public.ecr.aws/amazonlinux/amazonlinux:2023.4.20240319.1
bash-5.2#

The dnf updateinfo command is now used to display a summary of what advisories in the latest release are relevant to our installed packages. At the time of writing, 2023.1.20230628 was the latest release.

$ dnf --releasever=latest updateinfo
Amazon Linux 2023 repository 76 MB/s | 25 MB 00:00
Last metadata expiration check: 0:00:04 ago on Mon Jul 22 20:59:54 2024.
Updates Information Summary: available
    9 Security notice(s)
        4 Important Security notice(s)
        4 Medium Security notice(s)
        1 Low Security notice(s)

To get a list of the advisories, the --list option can be given to dnf updateinfo.

$ dnf updateinfo --releasever=latest --list
Last metadata expiration check: 0:00:58 ago on Mon Jul 22 20:59:54 2024.
ALAS2023-2024-581 Low/Sec.       curl-minimal-8.5.0-1.amzn2023.0.3.x86_64
ALAS2023-2024-596 Medium/Sec.    curl-minimal-8.5.0-1.amzn2023.0.4.x86_64
ALAS2023-2024-576 Important/Sec. expat-2.5.0-1.amzn2023.0.4.x86_64
ALAS2023-2024-589 Important/Sec. glibc-2.34-52.amzn2023.0.10.x86_64
ALAS2023-2024-589 Important/Sec. glibc-common-2.34-52.amzn2023.0.10.x86_64
ALAS2023-2024-589 Important/Sec. glibc-minimal-langpack-2.34-52.amzn2023.0.10.x86_64
ALAS2023-2024-586 Medium/Sec.    krb5-libs-1.21-3.amzn2023.0.4.x86_64
ALAS2023-2024-581 Low/Sec.       libcurl-minimal-8.5.0-1.amzn2023.0.3.x86_64
ALAS2023-2024-596 Medium/Sec.    libcurl-minimal-8.5.0-1.amzn2023.0.4.x86_64
ALAS2023-2024-592 Important/Sec. libnghttp2-1.59.0-3.amzn2023.0.1.x86_64
ALAS2023-2024-640 Medium/Sec.    openssl-libs-1:3.0.8-1.amzn2023.0.12.x86_64
ALAS2023-2024-605 Medium/Sec.    python3-3.9.16-1.amzn2023.0.7.x86_64
ALAS2023-2024-616 Important/Sec. python3-3.9.16-1.amzn2023.0.8.x86_64
ALAS2023-2024-605 Medium/Sec.    python3-libs-3.9.16-1.amzn2023.0.7.x86_64
ALAS2023-2024-616 Important/Sec. python3-libs-3.9.16-1.amzn2023.0.8.x86_64
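
The --list output has one row per advisory and package, while the summary counts each advisory once, so a patch gate built on the list has to deduplicate on the advisory ID. The script below is an added example, not part of the AWS documentation: the function names and the Critical severity level (which does not appear in the output on this page) are assumptions, and the sample input is the --list output shown above.

```shell
#!/bin/sh
# Added example. SAMPLE_LIST is the `dnf updateinfo --releasever=latest --list`
# output shown on this page, embedded so the script runs offline.
SAMPLE_LIST='Last metadata expiration check: 0:00:58 ago on Mon Jul 22 20:59:54 2024.
ALAS2023-2024-581 Low/Sec. curl-minimal-8.5.0-1.amzn2023.0.3.x86_64
ALAS2023-2024-596 Medium/Sec. curl-minimal-8.5.0-1.amzn2023.0.4.x86_64
ALAS2023-2024-576 Important/Sec. expat-2.5.0-1.amzn2023.0.4.x86_64
ALAS2023-2024-589 Important/Sec. glibc-2.34-52.amzn2023.0.10.x86_64
ALAS2023-2024-589 Important/Sec. glibc-common-2.34-52.amzn2023.0.10.x86_64
ALAS2023-2024-589 Important/Sec. glibc-minimal-langpack-2.34-52.amzn2023.0.10.x86_64
ALAS2023-2024-586 Medium/Sec. krb5-libs-1.21-3.amzn2023.0.4.x86_64
ALAS2023-2024-581 Low/Sec. libcurl-minimal-8.5.0-1.amzn2023.0.3.x86_64
ALAS2023-2024-596 Medium/Sec. libcurl-minimal-8.5.0-1.amzn2023.0.4.x86_64
ALAS2023-2024-592 Important/Sec. libnghttp2-1.59.0-3.amzn2023.0.1.x86_64
ALAS2023-2024-640 Medium/Sec. openssl-libs-1:3.0.8-1.amzn2023.0.12.x86_64
ALAS2023-2024-605 Medium/Sec. python3-3.9.16-1.amzn2023.0.7.x86_64
ALAS2023-2024-616 Important/Sec. python3-3.9.16-1.amzn2023.0.8.x86_64
ALAS2023-2024-605 Medium/Sec. python3-libs-3.9.16-1.amzn2023.0.7.x86_64
ALAS2023-2024-616 Important/Sec. python3-libs-3.9.16-1.amzn2023.0.8.x86_64'

# Count unique advisories per severity from --list output on stdin.
# Rows are deduplicated on the advisory ID; non-advisory lines are skipped.
summarize_advisories() {
  awk '$1 ~ /^ALAS/ && $2 ~ /\/Sec\.$/ && !seen[$1]++ {
         sev = $2; sub(/\/Sec\.$/, "", sev); n[sev]++; total++ }
       END { printf "total=%d Critical=%d Important=%d Medium=%d Low=%d\n",
             total, n["Critical"], n["Important"], n["Medium"], n["Low"] }'
}

# Print every row at or above severity $1 and return 1 if any exist
# (0 if none, 2 if $1 is not a known level). Unknown severities in the
# input are treated as above every threshold so the gate fails closed.
gate_advisories() {
  awk -v min="$1" '
    BEGIN { rank["Low"]=1; rank["Medium"]=2; rank["Important"]=3; rank["Critical"]=4
            if (!(min in rank)) { bad = 2; exit 2 } }
    $1 ~ /^ALAS/ && $2 ~ /\/Sec\.$/ {
      sev = $2; sub(/\/Sec\.$/, "", sev)
      r = (sev in rank) ? rank[sev] : 99
      if (r >= rank[min]) { print $1, sev, $3; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Inside an AL2023 container or instance the input would come from dnf:
#   dnf updateinfo --releasever=latest --list | gate_advisories Important
printf '%s\n' "$SAMPLE_LIST" | summarize_advisories
```

The totals printed for the sample match the Updates Information Summary for the same release shown earlier on this page.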