fix: remove 11 more OS CVEs now resolved by --releasever latest

junpuf · junpuf · commit 0c1933f09d71 · 2026-03-11T16:39:02.000-07:00
With --releasever latest, dnf upgrade --security now picks up fixes
for libxml2, glib2, expat, libarchive, gnupg2, openssl, and libxslt
CVEs. Reduces allowlist from 25 to 14 entries.

Remaining entries are Python stdlib (tarfile), bundled setuptools/
urllib3, NVIDIA CUDA base image Go tooling, and unpublished CVEs
that cannot be resolved via OS package updates.

Signed-off-by: Junpu Fan &lt;junpu@amazon.com&gt;
diff --git a/test/security/data/ecr_scan_allowlist/lambda/framework_allowlist.json b/test/security/data/ecr_scan_allowlist/lambda/framework_allowlist.json
@@ -34,61 +34,11 @@
         "reason": "Go net/url insufficient validation of bracketed IPv6 hostnames; present in NVIDIA CUDA base image Go tooling, not exposed by Lambda runtime.",
         "review_by": "2026-03-24"
     },
-    {
-        "vulnerability_id": "CVE-2025-49794",
-        "reason": "libxml2 heap use-after-free DoS; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-49795",
-        "reason": "libxml2 null pointer dereference DoS; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-49796",
-        "reason": "libxml2 type confusion DoS; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
     {
         "vulnerability_id": "CVE-2025-58188",
         "reason": "Go crypto/x509 panic on DSA public key certificates; present in NVIDIA CUDA base image Go tooling, not exposed by Lambda runtime.",
         "review_by": "2026-03-24"
     },
-    {
-        "vulnerability_id": "CVE-2025-5914",
-        "reason": "libarchive out-of-bounds read in RAR seek; Lambda images do not extract untrusted RAR archives.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-59375",
-        "reason": "libexpat large dynamic allocation via small document; fix requires expat >= 2.7.2 not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-6021",
-        "reason": "libxml2 integer overflow in xmlBuildQName; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-6052",
-        "reason": "glib GString memory management flaw on very large strings; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-68973",
-        "reason": "GnuPG armor_filter double-increment OOB; fix requires GnuPG >= 2.4.9 not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-69421",
-        "reason": "OpenSSL PKCS#12 null pointer dereference; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
-    {
-        "vulnerability_id": "CVE-2025-7425",
-        "reason": "libxslt attribute type flag corruption; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
     {
         "vulnerability_id": "CVE-2025-8194",
         "reason": "Python tarfile extraction API defect (stdlib); cannot be patched via pip. Lambda images do not extract untrusted tar archives at runtime.",
@@ -99,11 +49,6 @@
         "reason": "urllib3 decompression bomb on redirect responses; pinned to urllib3==2.6.3 in requirements files but ECR scan may still report against bundled copies in transitive deps.",
         "review_by": "2026-03-24"
     },
-    {
-        "vulnerability_id": "CVE-2026-22796",
-        "reason": "OpenSSL ASN1_TYPE type confusion in PKCS7_digest_from_attributes; fix not yet available in AL2023 repo.",
-        "review_by": "2026-03-24"
-    },
     {
         "vulnerability_id": "CVE-2026-23949",
         "reason": "CVE details not yet published; present in NVIDIA CUDA base image, no fix available in AL2023 repo.",
