The latest version of nginx available on Amazon Linux Extras is 1.20.0, which is vulnerable to the 1-byte memory overwrite RCE (CVE-2021-23017).
In a separate Elastic Beanstalk thread, someone mentioned that CVE-2021-23017 was fixed in 1.20.0-2.amzn2.0.3, but there's no supporting documentation, and nginx version 1.20.0 has also been end-of-life since 24 May 2022.
Is there an expected release update to Amazon Linux Extras to bring nginx to the latest version, and if not, is there a way to manually force-update an existing nginx 1.20.0 installation from Extras?
I realized that it was 1.2.0 that is vulnerable to CVE-2021-23017, not 1.20.0. Oops.
The question remains: how does the update cycle generally work for Amazon Linux Extras packages?