Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade Java version to patch 1:17.0.7+7-1.amzn2.1 #160

Open
jwalsh2me opened this issue Jun 1, 2023 · 4 comments
Open

Upgrade Java version to patch 1:17.0.7+7-1.amzn2.1 #160

jwalsh2me opened this issue Jun 1, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@jwalsh2me
Copy link

Thank you for taking the time to help improve Corretto.

If your request concerns a security vulnerability then please report it by email to aws-security@amazon.com instead of here.
(You can find more information regarding security issues at https://aws.amazon.com/security/vulnerability-reporting/.)

If your proposal is specific to Corretto docker images,
then you are in the right place.
Please proceed with the following.

Is your feature request related to a problem?

Please provide a clear and concise description of what the problem is.

Using the Public ECR release of Corretto Java 17 with this directive in the Dockerfile:

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17

The Corretto 17 image has not been updated to include the patch for a high vulnerability. I am not able to update it in the dockerfile due to repository priority protections being enabled.

Step 12/22 : RUN yum update -y java-17-amazon-corretto
--
232 | ---> Running in 3a4668419221
233 | Loaded plugins: ovl, priorities
234 | 9 packages excluded due to repository priority protections
235 | Package(s) java-17-amazon-corretto available, but not installed.
236 | No packages marked for update

I would like to be able to get this patched or know when AWS will be updating the base image. Is there another workaround other than changing this echo "priority=9" >> /etc/yum.repos.d/corretto.repo

Any ideas or suggestions are welcome.

Describe a solution you would like

Please provide a clear and concise description of what you want to happen.

Describe alternatives you have considered

Please provide a clear and concise description
of any alternative solutions or features you have considered.

Additional context

Add any other context or screenshots about the feature request here.

@jwalsh2me jwalsh2me added the enhancement New feature or request label Jun 1, 2023
@lutkerd
Copy link
Contributor

lutkerd commented Jun 1, 2023

The public.ecr.aws/amazoncorretto/amazoncorretto:17 contains the latest version of Corretto 17 available. We currently do not use the package from the AmazonLinux YUM repository but a generic Linux RPM to ensure we can get our updated docker images out prior to the YUM repository update propagation.

$ docker run -it public.ecr.aws/amazoncorretto/amazoncorretto:17 java -version
openjdk version "17.0.7" 2023-04-18 LTS
OpenJDK Runtime Environment Corretto-17.0.7.7.1 (build 17.0.7+7-LTS)
OpenJDK 64-Bit Server VM Corretto-17.0.7.7.1 (build 17.0.7+7-LTS, mixed mode, sharing)

@jwalsh2me
Copy link
Author

OK, that makes sense @lutkerd. What is the plan when it comes to security patches and advisories, e.g. https://alas.aws.amazon.com/AL2/ALAS-2023-2025.html

Would that just be rolled into the next latest version above Corretto-17.0.7.7.1 (build 17.0.7+7-LTS)

@lutkerd
Copy link
Contributor

lutkerd commented Jun 1, 2023

#114 is the next step. We are planning to provide images with the AL2 packages so that the scanners are clean.

@aavileli
Copy link

aavileli commented Jun 23, 2023

could this be pushed upstream faster to https://yum.corretto.aws as the official tomcat correto images are all failing security scans

The yum repo AmazonCorretto has higher priority than the amzn2-core-debuginfo repo which has the updated package but fails to update due to priority restrictions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants