16 May 2023, 12:42 p.m.
Hi folks,

Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741 and CVE-2022-41742).

Given the mp4 module pre-req, I doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases.

I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead?

Thanks
John

--
John Howard
Head of Network Infrastructure
Proton AG

Sent with Proton Mail secure email.