aws / aws-lambda-base-images

Apache License 2.0
646 stars, 107 forks

Patch NSS vulnerability for Python3.9 base image #146

Open smithb2723 opened 4 months ago

smithb2723 commented 4 months ago

When using Lambda/Python3.9 as a base image for ECR images, vulnerabilities have been discovered by ECR image scans stating:

"Package updates are available for Amazon Linux 2 that fix the following vulnerabilities: CVE-2023-7104: A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999. NOTE: https://sqlite.org/forum/forumpost/5bcbf4571c NOTE: Fixed by: https://sqlite.org/src/info/0e4e7a05c4204b47"

The recommended fix is to run: "yum update nss": https://alas.aws.amazon.com/AL2/ALAS-2024-2442.html

However, permissions are set to not allow yum updates/installs. I reached out to AWS support to try a few different options to resolve this from my end; however, none were successful, and I believe this requires a fix/rebuild in the base image.
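For readers triaging the same kind of ECR scan result, here is an added example (not code from this issue or from the aws-lambda-base-images project) that parses the JSON shape returned by `aws ecr describe-image-scan-findings`, groups findings by OS package, and lists the ones at or above a severity threshold, which is what a deployment gate like the one described in this thread typically keys on. The embedded scan document is a constructed sample: only CVE-2023-7104 and the ALAS URL come from this page; package versions and the second finding are illustrative placeholders, and the field names follow the ECR API as I know it.

```python
"""Triage ECR image-scan findings for a Lambda container image.

Added example for this thread, not project code. SAMPLE_SCAN is a
constructed document in the shape of `aws ecr describe-image-scan-findings`
output; package versions and the second CVE are placeholders.
"""
import json
from collections import defaultdict

# Constructed sample (assumed ECR API shape; values other than
# CVE-2023-7104 and the ALAS URL are illustrative placeholders).
SAMPLE_SCAN = json.dumps({
    "imageScanFindings": {
        "findings": [
            {
                "name": "CVE-2023-7104",
                "severity": "HIGH",
                "uri": "https://alas.aws.amazon.com/AL2/ALAS-2024-2442.html",
                "attributes": [
                    {"key": "package_name", "value": "sqlite"},
                    {"key": "package_version", "value": "0.0-sample"},
                ],
            },
            {
                "name": "CVE-0000-0000",  # placeholder finding
                "severity": "LOW",
                "uri": "https://example.invalid/placeholder",
                "attributes": [
                    {"key": "package_name", "value": "placeholder-pkg"},
                    {"key": "package_version", "value": "0.0-sample"},
                ],
            },
        ]
    }
})

# ECR severity labels, ordered so they can be compared numerically.
SEVERITY_RANK = {
    "UNDEFINED": 0, "INFORMATIONAL": 0, "LOW": 1,
    "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4,
}


def parse_findings(scan_json: str) -> list[dict]:
    """Flatten ECR findings into {cve, severity, package, version, uri}."""
    doc = json.loads(scan_json)
    out = []
    for f in doc.get("imageScanFindings", {}).get("findings", []):
        # attributes is a list of key/value pairs; turn it into a dict
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        out.append({
            "cve": f.get("name", ""),
            "severity": f.get("severity", "UNDEFINED").upper(),
            "package": attrs.get("package_name", "?"),
            "version": attrs.get("package_version", "?"),
            "uri": f.get("uri", ""),
        })
    return out


def blocking_findings(findings: list[dict], threshold: str = "HIGH") -> list[dict]:
    """Return findings whose severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]


def by_package(findings: list[dict]) -> dict[str, list[str]]:
    """Group CVE ids by OS package, sorted, so each package that needs a
    base-image rebuild is listed once with everything it would close."""
    groups = defaultdict(set)
    for f in findings:
        groups[f["package"]].add(f["cve"])
    return {pkg: sorted(cves) for pkg, cves in sorted(groups.items())}


if __name__ == "__main__":
    found = parse_findings(SAMPLE_SCAN)
    for f in blocking_findings(found, "HIGH"):
        print(f"{f['severity']:9} {f['cve']:15} {f['package']} {f['version']}  {f['uri']}")
    print("packages needing an updated base image:", by_package(blocking_findings(found)))
```

Run it against real output by replacing `SAMPLE_SCAN` with the JSON from `aws ecr describe-image-scan-findings --repository-name <repo> --image-id imageTag=<tag>`; the per-package grouping makes it clear which findings are OS-layer packages that only a rebuilt base image can fix, as opposed to application dependencies you can patch yourself.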

smithb2723 commented 4 months ago

[image attachment]

andres-mendez-procore commented 4 months ago

Bump! Any timelines on an update? Our X-Ray scanner is also blocking deployments due to this.

mastamark commented 4 months ago

+1 on the nodejs:18 flavor. (public.ecr.aws/lambda/nodejs:18)

smithb2723 commented 4 months ago

@andres-mendez-procore unfortunately none that I've heard of yet. The communications from AWS were to create the issue here on GitHub to socialize communications and get some movement; however, there has been no response yet. Hoping to get a response soon to get a better idea of the timeline.

avyas1995 commented 3 months ago

Bumping this. Doesn't seem like any patches/updates were issued as the vulnerabilities are still there.