AWS systems-manager documentation change
Summary
Added notes about transitive dependency handling for CentOS and Oracle Linux
Security assessment
Documents differences in dependency resolution that could impact security posture by installing newer versions than minimal security fixes, but does not indicate a specific security vulnerability being addressed.
Diff
diff --git a/systems-manager/latest/userguide/patch-manager-installing-patches.md b/systems-manager/latest/userguide/patch-manager-installing-patches.md index 0e0061c96..d4adbfa90 100644 --- a//systems-manager/latest/userguide/patch-manager-installing-patches.md +++ b//systems-manager/latest/userguide/patch-manager-installing-patches.md @@ -70 +70,9 @@ New packages that replace now-obsolete packages with different names are install -###### Note +###### Additional patching details for Amazon Linux 2022 and Amazon Linux 2023 + +Support for severity level 'None' + + +Amazon Linux 2022 and Amazon Linux 2023 also support the patch severity level `None`, which is recognized by the DNF package manager. + +Support for severity level 'Medium' + @@ -76 +84,6 @@ When you query for compliance data using the API action [DescribeInstancePatches -Amazon Linux 2022 and Amazon Linux 2023 also support the patch severity level `None`, which is recognized by the DNF package manager. +Transitive dependency handling for Amazon Linux 2022 and Amazon Linux 2023 + + +For Amazon Linux 2022 and Amazon Linux 2023, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). + +For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the __latest available versions of the same transitive dependencies. @@ -107,0 +121,6 @@ If nonsecurity updates are included, patches from other repositories are conside +###### Note + +For CentOS, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). + +For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies. + @@ -251,0 +271,6 @@ The equivalent yum command for this workflow is: +###### Note + +For Oracle Linux, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). + +For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies. + @@ -290 +315 @@ If nonsecurity updates are included, patches from other repositories are conside - 7. The YUM update API (on RHEL 7) or the DNF update API (on AlmaLinux 8 and 9, RHEL 8 and 9, and Rocky Linux 8 and 9) is applied to approved patches according to the following rules: + 7. The YUM update API (on RHEL 7) or the DNF update API (on AlmaLinux 8 and 9, RHEL 8, 9, and 10, and Rocky Linux 8 and 9) is applied to approved patches according to the following rules: @@ -310,0 +336,6 @@ For AlmaLinux, RHEL 8, and Rocky Linux , the equivalent dnf commands for this wo +###### Note + +For AlmaLinux, RHEL, and Rocky LinuxRocky Linux, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). + +For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies. + @@ -407 +438,9 @@ For each version of Ubuntu Server, patch candidate versions are limited to patch - * Ubuntu Server 23.04: `lunar-lobster` + * Ubuntu Server 23.04 (`lunar-security`) + + * Ubuntu Server 23.10 (`mantic-security`) + + * Ubuntu Server 24.04 LTS (`noble-security`) + + * Ubuntu Server 24.10 (`oracular-security`) + + * Ubuntu Server 25.04 (`plucky-security`)