AWS systems-manager documentation change
Summary
Restructured documentation about patch application rules for RHEL-based systems, adding detailed scenarios for security/non-security updates and repo availability considerations
Security assessment
Clarifies security update handling mechanics but doesn't address a specific vulnerability. Enhances documentation about security update filtering in patch baselines.
Diff
diff --git a/systems-manager/latest/userguide/patch-manager-installing-patches.md b/systems-manager/latest/userguide/patch-manager-installing-patches.md index 6dea5c218..825173c7f 100644 --- a//systems-manager/latest/userguide/patch-manager-installing-patches.md +++ b//systems-manager/latest/userguide/patch-manager-installing-patches.md @@ -278 +278 @@ If nonsecurity updates are included, patches from other repositories are conside - 7. The YUM update API (on RHEL 7) or the DNF update API (on AlmaLinux 8 and 9, RHEL 8 and 9, and Rocky Linux 8 and 9) is applied to approved patches as follows: + 7. The YUM update API (on RHEL 7) or the DNF update API (on AlmaLinux 8 and 9, RHEL 8 and 9, and Rocky Linux 8 and 9) is applied to approved patches according to the following rules: @@ -280 +280,9 @@ If nonsecurity updates are included, patches from other repositories are conside - * For predefined default patch baselines provided by AWS, and for custom patch baselines where the **Include non-security updates** check box is _not_ selected, only patches specified in `updateinfo.xml` are applied (security updates only). +###### Scenario 1: Non-security updates excluded + + * **Applies to** : Predefined default patch baselines provided by AWS and custom patch baselines. + + * **Include non-security updates** check box: _Not_ selected. + + * **Patches applied** : Patches specified in `updateinfo.xml` (security updates only) are applied _only_ if they both match the patch baseline configuration and are found in the configured repos. + +In some cases, a patch specified in `updateinfo.xml` might no longer be available in a configured repo. Configured repos usually have only the latest version of a patch, which is a cumulative roll-up of all prior updates, but the latest version might not match the patch baseline rules and is omitted from the patching operation. @@ -282 +290 @@ If nonsecurity updates are included, patches from other repositories are conside -For RHEL 7, the equivalent yum command for this workflow is: + * **Commands** : For RHEL 7, the equivalent yum command for this workflow is: @@ -291 +299,7 @@ For AlmaLinux, RHEL 8, and Rocky Linux , the equivalent dnf commands for this wo - * For custom patch baselines where the **Include non-security updates** check box _is_ selected, both patches in `updateinfo.xml` and those not in `updateinfo.xml` are applied (security and nonsecurity updates). +###### Scenario 2: Non-security updates included + + * **Apples to** : Custom patch baselines. + + * **Include non-security updates** check box: Selected. + + * **Patches applied** : Patches in `updateinfo.xml` _and_ those not in `updateinfo.xml` are applied (security and nonsecurity updates). @@ -293 +307 @@ For AlmaLinux, RHEL 8, and Rocky Linux , the equivalent dnf commands for this wo -For RHEL 7, the equivalent yum command for this workflow is: + * **Commands** : For RHEL 7, the equivalent yum command for this workflow is: