Description
| CVE | Package | Reference |
| --- | --- | --- |
| CVE-2025-13601 | glib2 | https://nvd.nist.gov/vuln/detail/CVE-2025-13601 (NVD) |
| CVE-2025-47912 | libcap | https://nvd.nist.gov/vuln/detail/CVE-2025-47912 (NVD) |
| CVE-2025-58186 | libcap / Go net/http | https://wiz.io/vulnerability-database/cve/cve-2025-58186 (Wiz) |
| CVE-2025-61729 | stdlib (Go) | https://nvd.nist.gov/vuln/detail/CVE-2025-61729 (NVD) |
According to our scan, these vulnerabilities appear to be fixed in later package versions, but running dnf update inside the image does not seem to install any updates.
The base image (public.ecr.aws/shelf/lambda-libreoffice-base:25.2-node22-x86_64) was last pushed over 2 months ago, which raises concerns about whether high-severity security patches are being published promptly.
Request / Question:
Can the maintainers confirm whether these CVEs have been addressed in a newer image version?
Is there a recommended way to keep the base image up-to-date with security patches for Amazon Linux 2023 and included packages like glib2, libcap, and Go stdlib?