The Elastic Beanstalk AL2023 Node.js 18 platform installs Node.js from the Amazon Linux package repository. See the following FAQ for more information on Amazon Linux backports: https://aws.amazon.com/linux/amazon-linux-2023/faqs/
Q: Why does a security scanner report an unfixed CVE in an Amazon Linux package when an Amazon Linux Security Advisory claims the CVE to be fixed in that version?
A: Amazon Linux, like most Linux distributions, routinely backports security fixes to stable package versions vended in its repositories. When these packages are updated with a backport, the Amazon Linux security bulletin for the particular issue will list the specific package version(s) in which the issue is fixed for Amazon Linux. Security scanners that rely on versioning from a project’s authors sometimes won’t pick up that a given CVE fix has been applied in an older version. Customers can refer to Amazon Linux Security Center (ALAS) for updates regarding security issues and fixes.
You can find more information pertaining to the May 1, 2024, Elastic Beanstalk Node.js AL2023 platform release in the following bulletin from the Amazon Linux Security Center: https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html. You can find more bulletins for security or privacy events pertaining to Amazon Linux 2023 here: https://alas.aws.amazon.com/alas2023.html

Thanks, helpful. But can you explain why Node.js 18 on AL2 is running a newer version of Node.js 18 than on AL2023 on EB? Shouldn't EB have them versioned identically? I understand AL2 package repos don't include node, unlike AL2023, but shouldn't the AL2023 repo be updated then? Or EB AL2 kept at the same version until it is? In effect Amazon is saying that upgrading EB to AL2023 (with AL2 EOL) means a downgrade of Node.js version. We recently upgraded our stacks to AL2023, hence the question.