Upgrade Java version to patch 1:17.0.7+7-1.amzn2.1

[jwalsh2me]

Thank you for taking the time to help improve Corretto.

If your request concerns a security vulnerability then please report it by email to [email protected] instead of here.
(You can find more information regarding security issues at https://aws.amazon.com/security/vulnerability-reporting/.)

If your proposal is specific to Corretto docker images,
then you are in the right place.
Please proceed with the following.

Is your feature request related to a problem?

Please provide a clear and concise description of what the problem is.

Using the Public ECR release of Corretto Java 17 with this directive in the Dockerfile:

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17

The Corretto 17 image has not been updated to include the patch for a high vulnerability. I am not able to update it in the dockerfile due to repository priority protections being enabled.

Step 12/22 : RUN yum update -y java-17-amazon-corretto
--
232 | ---> Running in 3a4668419221
233 | Loaded plugins: ovl, priorities
234 | 9 packages excluded due to repository priority protections
235 | Package(s) java-17-amazon-corretto available, but not installed.
236 | No packages marked for update

I would like to be able to get this patched or know when AWS will be updating the base image. Is there another workaround other than changing this echo "priority=9" >> /etc/yum.repos.d/corretto.repo

Any ideas or suggestions are welcome.

Describe a solution you would like

Please provide a clear and concise description of what you want to happen.

Describe alternatives you have considered

Please provide a clear and concise description
of any alternative solutions or features you have considered.

Additional context

Add any other context or screenshots about the feature request here.

[lutkerd]

The public.ecr.aws/amazoncorretto/amazoncorretto:17 contains the latest version of Corretto 17 available. We currently do not use the package from the AmazonLinux YUM repository but a generic Linux RPM to ensure we can get our updated docker images out prior to the YUM repository update propagation.

$ docker run -it public.ecr.aws/amazoncorretto/amazoncorretto:17 java -version
openjdk version "17.0.7" 2023-04-18 LTS
OpenJDK Runtime Environment Corretto-17.0.7.7.1 (build 17.0.7+7-LTS)
OpenJDK 64-Bit Server VM Corretto-17.0.7.7.1 (build 17.0.7+7-LTS, mixed mode, sharing)

[jwalsh2me]

OK, that makes sense @lutkerd. What is the plan when it comes to security patches and advisories, e.g. https://alas.aws.amazon.com/AL2/ALAS-2023-2025.html

Would that just be rolled into the next latest version above Corretto-17.0.7.7.1 (build 17.0.7+7-LTS)

[lutkerd]

#114 is the next step. We are planning to provide images with the AL2 packages so that the scanners are clean.

[aavileli]

could this be pushed upstream faster to https://yum.corretto.aws as the official tomcat correto images are all failing security scans

The yum repo AmazonCorretto has higher priority than the amzn2-core-debuginfo repo which has the updated package but fails to update due to priority restrictions.