Hi Anand, 

Thanks for the response. I regularly despair with the RHEL ecosystem and its 
backported fixes. Long live Debian!

I was not on-list for the previous discussions you mention, but I think the 
release note might be a little ambiguous. I also searched the docs for 
update/upgrade and I don't see how I would do that either.

Did I miss something obvious?

Thanks
John 


--
John Howard
Head of Network Infrastructure
Proton AG

Sent with Proton Mail secure email.

------- Original Message -------
On Tuesday, May 16th, 2023 at 14:20, Anand Buddhdev <ana...@ripe.net> wrote:

> On 16/05/2023 12:42, John Howard via ripe-atlas wrote:
> 
> Hello John,
> 
> > Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine
> > vulnerability scanning we identified these appliances running nginx
> > 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741
> > and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are
> > vulnerable in practice, but this highlighted that the nginx 1.20
> > train was deprecated 11 months ago, and 1.23/1.24 are the currently
> > active releases.
> 
> These RIPE Atlas anchors are running with an nginx package from Fedora
> EPEL. Although it is an older version, it has been patched with fixes
> for the CVEs you mentioned. We are currently running CentOS 7 on the
> anchors, and it is still receiving security fixes, which we regularly apply.
> 
> Later this year, or perhaps early in 2024, we will be updating the
> operating system on the anchors, and that will bring in new versions of
> all the software we run on them.
> 
> > I note the last probe firmware update 5080 (which we run already)
> > from Nov/22 disabled auto updates on the appliances, so I assume
> > there will be regular updates coming from RIPE going forward
> > instead?
> 
> You are referring to the software probe package. It used to ship with a
> crontab that kept the software probe package up to date. There was a
> discussion about it on this list, and a majority of users didn't like
> it, and preferred to update their systems (including the software probe
> package) using their preferred update policy. That's why the crontab was
> removed. When new versions of the software probe package are available,
> users can update to it as and when they wish.
> 
> Regards,
> Anand Buddhdev
> RIPE NCC
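The disagreement above (a scanner keying on the `nginx/1.20.1` banner versus an EPEL package that carries backported fixes) is something a defender can settle on the host itself. The script below is an added example, not part of the thread or of RIPE NCC's tooling: it reads a constructed stand-in for `rpm -q --changelog nginx` output to see whether the package credits a fix for each CVE, and a constructed stand-in for `nginx -V` output to see whether the mp4 module the two CVEs depend on is even compiled in. The sample strings, function names and the three verdict labels are my own.

```shell
#!/usr/bin/env bash
# Triage a version-banner scanner finding against what the installed package actually contains.
# Both samples are CONSTRUCTED for this example; they are not real EPEL or anchor output.

# Stand-in for `rpm -q --changelog nginx` on an EL7 host whose package carries backports.
SAMPLE_CHANGELOG='* Wed Nov 02 2022 Example Maintainer <maint@example.invalid> - 1:1.20.1-14
- Resolves: CVE-2022-41741 CVE-2022-41742 (ngx_http_mp4_module)
* Tue Jun 14 2022 Example Maintainer <maint@example.invalid> - 1:1.20.1-13
- Rebuild for updated openssl'

# Stand-in for `nginx -V 2>&1` (version banner plus configure arguments).
SAMPLE_NGINX_V='nginx version: nginx/1.20.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_mp4_module --with-stream'

# Exit 0 if the package changelog credits a fix for the given CVE id, 1 otherwise.
cve_in_changelog() {
  printf '%s\n' "$1" | grep -qiF -e "$2"
}

# Exit 0 if the named module was compiled in (a --with-<module> configure flag), 1 otherwise.
module_compiled_in() {
  printf '%s\n' "$1" | grep -qF -e "--with-$2"
}

# Print one verdict for a finding:
#   patched     - the changelog shows a backport, whatever the version banner says
#   not-exposed - no backport found, but the module the CVE needs is not built in
#   exposed     - no backport and the module is present: treat the finding as real
triage_finding() {
  cve=$1; module=$2; changelog=$3; nginx_v=$4
  if cve_in_changelog "$changelog" "$cve"; then
    echo patched
  elif module_compiled_in "$nginx_v" "$module"; then
    echo exposed
  else
    echo not-exposed
  fi
}

# Stand-alone run over the constructed samples; on a live host feed in the real
# output of `rpm -q --changelog nginx` and `nginx -V 2>&1` instead.
report_findings() {
  for cve in CVE-2022-41741 CVE-2022-41742; do
    printf '%s: %s\n' "$cve" "$(triage_finding "$cve" http_mp4_module "$SAMPLE_CHANGELOG" "$SAMPLE_NGINX_V")"
  done
}
report_findings
```

A changelog mention is evidence of a backport, not proof of a complete fix; pair it with the distribution's advisory for the package release when the verdict matters.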


-- 
ripe-atlas mailing list
ripe-atlas@ripe.net
https://lists.ripe.net/mailman/listinfo/ripe-atlas
