Amazonlinux2 has security vulnerability in cronie1.4.11

0

Hi, we are using amazonlinux2 as the base image for one of our applications, and this image has a security vulnerability in cronie1.4.11, so the recommended version is cronie1.5.2. I tried to update the cronie package but it says "No packages marked for update". Can anyone guide me on how to update to the recommended version, or can this be upgraded in the amazonlinux2 base image itself?

Thanks, Noor Kumar

Asked 2 years ago · 229 views
1 Answer
0

Hello Noor Kumar,

As I understand, you are getting a security vulnerability message for cronie1.4.11 on Amazon Linux 2, and when trying to update the package to cronie1.5.2, you are seeing the following message:

No packages marked for update

The last known CVE I could find was CVE-2019-9704, which was resolved in cronie1.4.11-23, which comes with the Amazon Linux 2 base image.

# rpm -qa --changelog cronie
* Wed Feb 13 2019 Marcel Plch <mplch@redhat.com> - 1.4.11-23
- Make cronie restart on failure
- Resolves: rhbz#1651730

Therefore, please share the CVE that you are trying to mitigate. Also, could you please share whether you are using a third-party scanner which is marking the package as vulnerable, and if yes, which one?

Additionally, you can also open a support case with AWS Premium Support to get immediate assistance for your specific use case.

AWS
Support Engineer
Answered 2 years ago
  • Thanks Akshay for your reply.

    We are using the blackduck scan and the CVE number is BDSA-2019-0866 CVE-2019-9704.

    Looks like it is using cronie-anacron/1.4.11-17.el7/ppc64, how can I upgrade to the 1.4.11-23 version?

    Thanks.
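
The answer above reads the RPM changelog to see which build of a package carries a fix. The same check scripted, as an added example that is not part of the original thread: `cve_fixed_in` is a hypothetical helper name, and the changelog text and CVE ids in `sample_changelog` are constructed placeholders, not cronie's real history.

```shell
#!/bin/sh
# Added example: list the package builds whose RPM changelog entry names a CVE.
# Real use on a host:  rpm -q --changelog cronie | cve_fixed_in CVE-2019-9704

# cve_fixed_in CVE-ID   (changelog text on stdin)
# Prints the version-release of each changelog entry that names CVE-ID.
# Returns 0 if at least one entry matched, 1 otherwise.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "* Wed Feb 13 2019 Name <mail> - 1.4.11-23"
        /^\* / { build = $NF; next }
        # Body line naming exactly this CVE id (a longer id with the same
        # prefix must not match); report each build only once.
        $0 ~ (cve "([^0-9]|$)") && build != last {
            print build; last = build; found = 1
        }
        END { exit !found }
    '
}

# Constructed sample changelog for a hypothetical package (placeholder ids).
sample_changelog() {
    cat <<'EOF'
* Wed Mar 06 2019 Example Packager <pkg@example.com> - 2.0.1-7
- Fix another constructed issue (CVE-0000-00011)

* Mon Jan 07 2019 Example Packager <pkg@example.com> - 2.0.1-6
- Fix constructed issue (CVE-0000-0001)
- Resolves: CVE-0000-0001

* Tue Nov 06 2018 Example Packager <pkg@example.com> - 2.0.1-5
- Unrelated change
EOF
}

# Demo on the constructed sample.
sample_changelog | cve_fixed_in CVE-0000-0001
```

Compare the build it prints with the installed one from `rpm -q cronie cronie-anacron` to see whether the image already carries that changelog entry.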
