The OpenSSH vulnerability seems to be the talk of the town right now.
I don't normally use EC2, but I do use Cloud9 a lot.
That made me wonder what state my Cloud9 environment was actually in, so I checked.
The commands I used are based on this documentation.
Checking for available package updates
First, check whether any updates are available.
sudo dnf check-update
Last metadata expiration check: 1 day, 0:40:10 ago on Mon Jul 1 09:49:03 2024.
========================================================================================================================================================================================================================================================================
WARNING:
A newer release of "Amazon Linux" is available.
Available Versions:
Version 2023.3.20240304:
Run the following command to upgrade to 2023.3.20240304:
dnf upgrade --releasever=2023.3.20240304
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240304.html
Version 2023.3.20240312:
Run the following command to upgrade to 2023.3.20240312:
dnf upgrade --releasever=2023.3.20240312
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.3.20240312.html
Version 2023.4.20240319:
Run the following command to upgrade to 2023.4.20240319:
dnf upgrade --releasever=2023.4.20240319
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240319.html
Version 2023.4.20240401:
Run the following command to upgrade to 2023.4.20240401:
dnf upgrade --releasever=2023.4.20240401
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240401.html
Version 2023.4.20240416:
Run the following command to upgrade to 2023.4.20240416:
dnf upgrade --releasever=2023.4.20240416
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240416.html
Version 2023.4.20240429:
Run the following command to upgrade to 2023.4.20240429:
dnf upgrade --releasever=2023.4.20240429
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240429.html
Version 2023.4.20240513:
Run the following command to upgrade to 2023.4.20240513:
dnf upgrade --releasever=2023.4.20240513
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240513.html
Version 2023.4.20240528:
Run the following command to upgrade to 2023.4.20240528:
dnf upgrade --releasever=2023.4.20240528
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240528.html
Version 2023.4.20240611:
Run the following command to upgrade to 2023.4.20240611:
dnf upgrade --releasever=2023.4.20240611
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.4.20240611.html
Version 2023.5.20240624:
Run the following command to upgrade to 2023.5.20240624:
dnf upgrade --releasever=2023.5.20240624
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240624.html
Version 2023.5.20240701:
Run the following command to upgrade to 2023.5.20240701:
dnf upgrade --releasever=2023.5.20240701
Release notes:
https://docs.aws.amazon.com/linux/al2023/release-notes/relnotes-2023.5.20240701.html
========================================================================================================================================================================================================================================================================
That is a lot of them.
Proof that I had been neglecting this.
Checking which packages will be updated
Check which packages get updated when raising the version to "2023.3.20240304".
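The "Available Versions" notice above is plain text, so picking the release to pin can be scripted. The following is an added example (not from the original post) that extracts every "Version …:" value from a `dnf check-update` notice and returns the newest one by comparing the three numeric fields (year, minor, date). It assumes the notice keeps the exact line format shown above; the sample notice is constructed from the output on this page.

```shell
#!/bin/sh
# Added example: parse the Amazon Linux 2023 "Available Versions" notice that
# `dnf check-update` prints and select the newest releasever to pin with
# --releasever=<value>. Assumption: lines look like "Version 2023.5.20240701:".

# Constructed sample notice (shortened to three versions, deliberately out of order).
SAMPLE_NOTICE='Last metadata expiration check: 1 day, 0:40:10 ago on Mon Jul 1 09:49:03 2024.
WARNING:
A newer release of "Amazon Linux" is available.
Available Versions:
Version 2023.3.20240304:
Run the following command to upgrade to 2023.3.20240304:
dnf upgrade --releasever=2023.3.20240304
Version 2023.5.20240701:
Run the following command to upgrade to 2023.5.20240701:
dnf upgrade --releasever=2023.5.20240701
Version 2023.4.20240513:
Run the following command to upgrade to 2023.4.20240513:
dnf upgrade --releasever=2023.4.20240513'

# list_releasevers: read the notice on stdin and print each "Version X:" value,
# one per line, in the order dnf listed them.
list_releasevers() {
    sed -n 's/^Version \([0-9][0-9.]*\):$/\1/p'
}

# newest_releasever: read the notice on stdin and print the largest value.
# The releasever is year.minor.YYYYMMDD, so a numeric sort on the three
# dot-separated fields orders it correctly (plain POSIX sort, no -V needed).
newest_releasever() {
    list_releasevers | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# newest_from_string: same as newest_releasever, but takes the notice as $1.
newest_from_string() {
    printf '%s\n' "$1" | newest_releasever
}

# count_releasevers: number of versions offered in the notice passed as $1.
count_releasevers() {
    printf '%s\n' "$1" | list_releasevers | wc -l | tr -d ' '
}

# On a live host the input would come from the real command:
#   sudo dnf check-update | newest_releasever
# Here it runs on the constructed sample.
newest_from_string "$SAMPLE_NOTICE"
```

Note that `dnf check-update` exits with status 100 when updates are available, so a script that pipes it into `newest_releasever` should not treat that as a failure (in a pipeline without `pipefail` only the last command's status counts).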
sudo dnf check-update --releasever=2023.3.20240304
amazon-linux-repo-s3.noarch 2023.3.20240304-0.amzn2023 amazonlinux
bind-libs.x86_64 32:9.16.48-1.amzn2023.0.1 amazonlinux
bind-license.noarch 32:9.16.48-1.amzn2023.0.1 amazonlinux
bind-utils.x86_64 32:9.16.48-1.amzn2023.0.1 amazonlinux
cpio.x86_64 2.13-13.amzn2023.0.3 amazonlinux
curl-minimal.x86_64 8.5.0-1.amzn2023.0.2 amazonlinux
docker.x86_64 25.0.3-1.amzn2023.0.1 amazonlinux
gnutls.x86_64 3.8.0-379.amzn2023.0.5 amazonlinux
grub2-common.noarch 1:2.06-61.amzn2023.0.11 amazonlinux
grub2-efi-x64-ec2.x86_64 1:2.06-61.amzn2023.0.11 amazonlinux
grub2-pc-modules.noarch 1:2.06-61.amzn2023.0.11 amazonlinux
grub2-tools.x86_64 1:2.06-61.amzn2023.0.11 amazonlinux
grub2-tools-minimal.x86_64 1:2.06-61.amzn2023.0.11 amazonlinux
kernel.x86_64 6.1.79-99.164.amzn2023 amazonlinux
kernel-devel.x86_64 6.1.79-99.164.amzn2023 amazonlinux
kernel-headers.x86_64 6.1.79-99.164.amzn2023 amazonlinux
kernel-livepatch-repo-s3.noarch 2023.3.20240304-0.amzn2023 amazonlinux
kernel-tools.x86_64 6.1.79-99.164.amzn2023 amazonlinux
libcurl-minimal.x86_64 8.5.0-1.amzn2023.0.2 amazonlinux
libuv.x86_64 1:1.47.0-1.amzn2023.0.2 amazonlinux
ncurses.x86_64 6.2-4.20200222.amzn2023.0.6 amazonlinux
ncurses-base.noarch 6.2-4.20200222.amzn2023.0.6 amazonlinux
ncurses-c++-libs.x86_64 6.2-4.20200222.amzn2023.0.6 amazonlinux
ncurses-devel.x86_64 6.2-4.20200222.amzn2023.0.6 amazonlinux
ncurses-libs.x86_64 6.2-4.20200222.amzn2023.0.6 amazonlinux
publicsuffix-list-dafsa.noarch 20240212-61.amzn2023 amazonlinux
system-release.noarch 2023.3.20240304-0.amzn2023 amazonlinux
Obsoleting Packages
grub2-tools-minimal.x86_64 1:2.06-61.amzn2023.0.10 amazonlinux
grub2-tools.x86_64 1:2.06-61.amzn2023.0.9 @System
grub2-tools-minimal.x86_64 1:2.06-61.amzn2023.0.11 amazonlinux
grub2-tools.x86_64 1:2.06-61.amzn2023.0.9 @System
Updating packages
Let's try moving up by one version.
sudo dnf update --releasever=2023.3.20240304
(omitted)
Upgraded:
amazon-linux-repo-s3-2023.3.20240304-0.amzn2023.noarch bind-libs-32:9.16.48-1.amzn2023.0.1.x86_64 bind-license-32:9.16.48-1.amzn2023.0.1.noarch bind-utils-32:9.16.48-1.amzn2023.0.1.x86_64 cpio-2.13-13.amzn2023.0.3.x86_64
curl-minimal-8.5.0-1.amzn2023.0.2.x86_64 docker-25.0.3-1.amzn2023.0.1.x86_64 gnutls-3.8.0-379.amzn2023.0.5.x86_64 grub2-common-1:2.06-61.amzn2023.0.11.noarch grub2-efi-x64-ec2-1:2.06-61.amzn2023.0.11.x86_64
grub2-pc-modules-1:2.06-61.amzn2023.0.11.noarch grub2-tools-1:2.06-61.amzn2023.0.11.x86_64 grub2-tools-minimal-1:2.06-61.amzn2023.0.11.x86_64 kernel-devel-6.1.79-99.164.amzn2023.x86_64 kernel-headers-6.1.79-99.164.amzn2023.x86_64
kernel-livepatch-repo-s3-2023.3.20240304-0.amzn2023.noarch kernel-tools-6.1.79-99.164.amzn2023.x86_64 libcurl-minimal-8.5.0-1.amzn2023.0.2.x86_64 libuv-1:1.47.0-1.amzn2023.0.2.x86_64 ncurses-6.2-4.20200222.amzn2023.0.6.x86_64
ncurses-base-6.2-4.20200222.amzn2023.0.6.noarch ncurses-c++-libs-6.2-4.20200222.amzn2023.0.6.x86_64 ncurses-devel-6.2-4.20200222.amzn2023.0.6.x86_64 ncurses-libs-6.2-4.20200222.amzn2023.0.6.x86_64 publicsuffix-list-dafsa-20240212-61.amzn2023.noarch
system-release-2023.3.20240304-0.amzn2023.noarch
Installed:
kernel-6.1.79-99.164.amzn2023.x86_64
Complete!
Applying security-related updates only
You can restrict the packages to be updated to security-related ones.
sudo dnf update --releasever=2023.4.20240319 --security
Amazon Linux 2023 repository 38 MB/s | 26 MB 00:00
Last metadata expiration check: 0:00:08 ago on Tue Jul 2 10:38:44 2024.
Dependencies resolved.
========================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================================================================================================================================================================
Upgrading:
c-ares x86_64 1.19.0-1.amzn2023.0.1 amazonlinux 110 k
nodejs x86_64 1:18.18.2-1.amzn2023.0.3 amazonlinux 1.8 M
nodejs-docs noarch 1:18.18.2-1.amzn2023.0.3 amazonlinux 7.6 M
nodejs-full-i18n x86_64 1:18.18.2-1.amzn2023.0.3 amazonlinux 8.5 M
nodejs-libs x86_64 1:18.18.2-1.amzn2023.0.3 amazonlinux 14 M
nodejs-npm x86_64 1:9.8.1-1.18.18.2.1.amzn2023.0.3 amazonlinux 2.0 M
openssh x86_64 8.7p1-8.amzn2023.0.10 amazonlinux 453 k
openssh-clients x86_64 8.7p1-8.amzn2023.0.10 amazonlinux 708 k
openssh-server x86_64 8.7p1-8.amzn2023.0.10 amazonlinux 455 k
python3-rpm x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 67 k
rpm x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 485 k
rpm-build x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 61 k
rpm-build-libs x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 91 k
rpm-libs x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 312 k
rpm-plugin-selinux x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 18 k
rpm-plugin-systemd-inhibit x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 18 k
rpm-sign x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 19 k
rpm-sign-libs x86_64 4.16.1.3-29.amzn2023.0.6 amazonlinux 21 k
Installing dependencies:
debugedit x86_64 5.0-2.amzn2023.0.2 amazonlinux 77 k
Transaction Summary
========================================================================================================================================================================================================================================================================
Install 1 Package
Upgrade 18 Packages
Total download size: 37 M
Is this ok [y/N]:
Without restricting to security updates:
Transaction Summary
========================================================================================================================================================================================================================================================================
Install 5 Packages
Upgrade 72 Packages
Total download size: 195 M
The number of packages to be updated is quite different.
Updating to the latest version without specifying one
If you simply want the newest release, pass "latest" to --releasever.
sudo dnf update --releasever=latest
Confirm that OpenSSH was updated.
rpm -q openssh
openssh-8.7p1-8.amzn2023.0.11.x86_64
It was updated successfully.
Why does it work this way?
The Amazon Linux 2023 documentation page says the following. Until now I had mostly updated to latest, but it is also possible to "update to a specific version". When you want to keep environments aligned, tasks like building a verification environment on the next version can now be done much more reliably.
Deterministic upgrades with versioned repositories
With Amazon Linux 2023, customers control how and when they opt in to updates, and can lock not only to a specific version of the Amazon Linux repository but also to major and minor versions. This ensures consistency of package versions and updates across your environment.
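The last step above, checking `rpm -q openssh` by eye, can be turned into a pass/fail check. The following is an added example (not from the original post) that takes the `NAME-VERSION-RELEASE.ARCH` string printed by `rpm -q`, splits off the version-release part, and compares it segment by segment against a minimum you require. The comparison is a simplified version of rpm's own ordering (numeric segments compare as numbers, a numeric segment beats an alphabetic one, a longer string wins when all shared segments match); it does not handle rpm's `~` and `^` separators, and the minimum build "8.7p1-8.amzn2023.0.10" used in the sample is a value constructed from this page's output, not a statement about which build fixes the vulnerability.

```shell
#!/bin/sh
# Added example: verify that an installed package is at or above a required
# version-release, using `rpm -q` output as input. Assumption: a simplified
# rpmvercmp is good enough for distro build counters like amzn2023.0.N.

# Constructed sample: the `rpm -q openssh` output shown on this page.
SAMPLE_RPM_Q='openssh-8.7p1-8.amzn2023.0.11.x86_64'

# vercmp A B: print 1 if A is newer, -1 if older, 0 if equal.
# Both strings are split into maximal runs of digits or letters; separators
# (".", "-", "_") only delimit segments, as in rpm.
vercmp() {
    awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n) {
        n = 0
        while (match(s, /[0-9]+|[a-zA-Z]+/)) {
            arr[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    BEGIN {
        na = segs(a, A); nb = segs(b, B)
        for (i = 1; i <= na && i <= nb; i++) {
            x = A[i]; y = B[i]
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && yn) {
                if (x + 0 != y + 0) { print (x + 0 > y + 0) ? 1 : -1; exit }
            } else if (xn != yn) {
                print (xn ? 1 : -1); exit      # numeric segment is newer than alpha
            } else if (x != y) {
                print (x > y) ? 1 : -1; exit   # plain string order for letters
            }
        }
        if (na == nb) print 0; else print (na > nb) ? 1 : -1
    }'
}

# nvr_to_vr NAME "rpm -q output": strip the "NAME-" prefix and the ".ARCH" suffix,
# leaving VERSION-RELEASE (e.g. 8.7p1-8.amzn2023.0.11).
nvr_to_vr() {
    printf '%s\n' "$2" | sed -e "s/^$1-//" -e 's/\.[^.]*$//'
}

# installed_at_least NAME "rpm -q output" MIN_VR: succeed when the installed
# version-release is >= MIN_VR, so it can gate a script or a monitoring check.
installed_at_least() {
    vr="$(nvr_to_vr "$1" "$2")"
    [ "$(vercmp "$vr" "$3")" -ge 0 ]
}

# On a live host: installed_at_least openssh "$(rpm -q openssh)" "$REQUIRED_VR"
# Here it runs on the constructed sample, with a minimum taken from this page.
if installed_at_least openssh "$SAMPLE_RPM_Q" "8.7p1-8.amzn2023.0.10"; then
    echo "openssh build is at or above the required version-release"
else
    echo "openssh build is older than required"
fi
```

On a real Amazon Linux host the authoritative comparison is rpm's own (for example `rpmdev-vercmp` from rpmdevtools); the awk function here is only meant to make the check self-contained.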