On 16/05/2023 12:42, John Howard via ripe-atlas wrote:
Hello John,
> Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine
> vulnerability scanning we identified these appliances running nginx
> 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741
> and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are
> vulnerable in practice, but this highlighted that the nginx 1.20
> train was deprecated 11 months ago, and 1.23/1.24 are the currently
> active releases.
These RIPE Atlas anchors are running with an nginx package from Fedora
EPEL. Although it is an older version, it has been patched with fixes
for the CVEs you mentioned. We are currently running CentOS 7 on the
anchors, and it is still receiving security fixes, which we regularly apply.
Later this year, or perhaps early in 2024, we will be updating the
operating system on the anchors, and that will bring in new versions of
all the software we run on them.
> I note the last probe firmware update 5080 (which we run already)
> from Nov/22 disabled auto updates on the appliances, so I assume
> there will be regular updates coming from RIPE going forward
> instead?
You are referring to the software probe package. It used to ship with a
crontab that kept the software probe package up to date. There was a
discussion about it on this list, and a majority of users didn't like
it, and preferred to update their systems (including the software probe
package) using their preferred update policy. That's why the crontab was
removed. When new versions of the software probe package are available,
users can update to it as and when they wish.
Regards,
Anand Buddhdev
RIPE NCC
--
ripe-atlas mailing list
ripe-atlas@ripe.net
https://lists.ripe.net/mailman/listinfo/ripe-atlas
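The two points made in this exchange, that CVE-2022-41741 and CVE-2022-41742 only matter when nginx is built with ngx_http_mp4_module, and that a distribution package such as the Fedora EPEL one can carry backported fixes without changing the upstream version string a scanner sees, can both be verified on the host itself. The script below is an added example written for this page, not code from RIPE NCC, Proton or the nginx project. It reads `nginx -V` output (which nginx writes to stderr, hence `2>&1`) and `rpm -q --changelog nginx` output from function arguments, so it can be run against the constructed sample text embedded here or against the real command output on an anchor; the changelog entry, maintainer name and package release are hypothetical stand-ins, not the actual EPEL changelog.

```shell
#!/bin/sh
# Added example: cross-check a version-based scanner finding for the two
# ngx_http_mp4_module CVEs against (1) the build's configure arguments and
# (2) the RPM changelog, where backported fixes are recorded.

# Constructed sample in the shape of `nginx -V 2>&1` output, without the
# mp4 module compiled in.  Not captured from a RIPE anchor.
SAMPLE_NGINX_V_NO_MP4='nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_v2_module'

# Constructed sample with the mp4 module present.
SAMPLE_NGINX_V_MP4='nginx version: nginx/1.20.1
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_mp4_module'

# Constructed sample in the shape of `rpm -q --changelog nginx` output.
# The maintainer, date and release number are hypothetical placeholders.
SAMPLE_CHANGELOG='* Mon Jan 02 2023 Example Maintainer <maintainer@example.invalid> - 1:1.20.1-10
- Backport fixes for CVE-2022-41741 and CVE-2022-41742 (ngx_http_mp4_module)

* Tue Jun 01 2021 Example Maintainer <maintainer@example.invalid> - 1:1.20.1-1
- Update to 1.20.1'

# Returns 0 when the configure arguments on stdin include the mp4 module.
has_mp4_module() {
    grep -q -- '--with-http_mp4_module'
}

# Returns 0 when the changelog text on stdin mentions the CVE id in $1.
changelog_mentions() {
    grep -q -F -- "$1"
}

# Print a one-line verdict for one CVE.
#   $1 = `nginx -V 2>&1` text, $2 = `rpm -q --changelog nginx` text, $3 = CVE id
assess_cve() {
    cve="$3"
    if ! printf '%s\n' "$1" | has_mp4_module; then
        printf '%s: not-affected (mp4 module not built)\n' "$cve"
    elif printf '%s\n' "$2" | changelog_mentions "$cve"; then
        printf '%s: patched (backport listed in package changelog)\n' "$cve"
    else
        printf '%s: review (mp4 module built, no backport noted)\n' "$cve"
    fi
}

# Demonstration on the constructed samples.
for cve in CVE-2022-41741 CVE-2022-41742; do
    assess_cve "$SAMPLE_NGINX_V_NO_MP4" "$SAMPLE_CHANGELOG" "$cve"
    assess_cve "$SAMPLE_NGINX_V_MP4"    "$SAMPLE_CHANGELOG" "$cve"
    assess_cve "$SAMPLE_NGINX_V_MP4"    ""                  "$cve"
done

# On a real host (assumes nginx and rpm are in PATH):
#   assess_cve "$(nginx -V 2>&1)" "$(rpm -q --changelog nginx)" CVE-2022-41741
```

A "patched" verdict here only means the packager recorded the CVE id in the changelog; confirming that the fix is actually in the installed build still requires comparing the installed release (`rpm -q nginx`) against the release named in that changelog entry, which is why the third branch is labelled "review" rather than "vulnerable".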