AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-06-25 · Documentation medium

File: systems-manager/latest/userguide/patch-manager-installing-patches.md

Summary

Added documentation about transitive dependency handling differences and expanded support for RHEL 10

Security assessment

The changes explain security-adjacent behaviors (transitive dependency version selection differences between Patch Manager and native package managers) and document supported severity levels. While related to security patch management, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/systems-manager/latest/userguide/patch-manager-installing-patches.md b/systems-manager/latest/userguide/patch-manager-installing-patches.md
index 0e0061c96..d4adbfa90 100644
--- a//systems-manager/latest/userguide/patch-manager-installing-patches.md
+++ b//systems-manager/latest/userguide/patch-manager-installing-patches.md
@@ -70 +70,9 @@ New packages that replace now-obsolete packages with different names are install
-###### Note
+###### Additional patching details for Amazon Linux 2022 and Amazon Linux 2023
+
+Support for severity level 'None'
+    
+
+Amazon Linux 2022 and Amazon Linux 2023 also support the patch severity level `None`, which is recognized by the DNF package manager. 
+
+Support for severity level 'Medium'
+    
@@ -76 +84,6 @@ When you query for compliance data using the API action [DescribeInstancePatches
-Amazon Linux 2022 and Amazon Linux 2023 also support the patch severity level `None`, which is recognized by the DNF package manager. 
+Transitive dependency handling for Amazon Linux 2022 and Amazon Linux 2023
+    
+
+For Amazon Linux 2022 and Amazon Linux 2023, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
+
+For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the __latest available versions of the same transitive dependencies.
@@ -107,0 +121,6 @@ If nonsecurity updates are included, patches from other repositories are conside
+###### Note
+
+For CentOS, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
+
+For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies.
+
@@ -251,0 +271,6 @@ The equivalent yum command for this workflow is:
+###### Note
+
+For Oracle Linux, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
+
+For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies.
+
@@ -290 +315 @@ If nonsecurity updates are included, patches from other repositories are conside
-  7. The YUM update API (on RHEL 7) or the DNF update API (on AlmaLinux 8 and 9, RHEL 8 and 9, and Rocky Linux 8 and 9) is applied to approved patches according to the following rules:
+  7. The YUM update API (on RHEL 7) or the DNF update API (on AlmaLinux 8 and 9, RHEL 8, 9, and 10, and Rocky Linux 8 and 9) is applied to approved patches according to the following rules:
@@ -310,0 +336,6 @@ For AlmaLinux, RHEL 8, and Rocky Linux , the equivalent dnf commands for this wo
+###### Note
+
+For AlmaLinux, RHEL, and Rocky LinuxRocky Linux, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
+
+For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies.
+
@@ -407 +438,9 @@ For each version of Ubuntu Server, patch candidate versions are limited to patch
-     * Ubuntu Server 23.04: `lunar-lobster`
+     * Ubuntu Server 23.04 (`lunar-security`)
+
+     * Ubuntu Server 23.10 (`mantic-security`)
+
+     * Ubuntu Server 24.04 LTS (`noble-security`)
+
+     * Ubuntu Server 24.10 (`oracular-security`)
+
+     * Ubuntu Server 25.04 (`plucky-security`)