AWS systems-manager documentation change
Summary
Added documentation explaining Patch Manager's behavior regarding obsolete packages and alignment with YUM/DNF's security-focused update-minimal command
Security assessment
The change clarifies security-conscious patch selection behavior (prioritizing security updates over feature upgrades) but does not address a specific vulnerability. It enhances documentation of existing security practices rather than fixing an issue.
Diff
diff --git a/systems-manager/latest/userguide/patch-manager-selecting-patches.md b/systems-manager/latest/userguide/patch-manager-selecting-patches.md index b2c49fa53..5572478b8 100644 --- a//systems-manager/latest/userguide/patch-manager-selecting-patches.md +++ b//systems-manager/latest/userguide/patch-manager-selecting-patches.md @@ -8,0 +9,4 @@ The primary focus of Patch Manager, a tool in AWS Systems Manager, is on install +By default, Patch Manager doesn't replace a package that has been marked as obsolete in a package repository with any differently named replacement packages unless this replacement is required by the installation of another package update. Instead, for commands that update a package, Patch Manager only reports and installs missing updates for the package that is installed but obsolete. This is because replacing an obsolete package typically requires uninstalling an existing package and installing its replacement. Replacing the obsolete package could introduce breaking changes or additional functionality that you didn't intend. + +This behavior is consistent with YUM and DNF's `update-minimal` command, which focuses on security updates rather than feature upgrades. For more information, see [How patches are installed](./patch-manager-installing-patches.html). +