Hi Anand, Thanks for the response. I regularly despair with the RHEL ecosystem and its back ported fixes, Long live Debian! I was not on-list for the previous discussions you mention, but I think the release note might be a little ambiguous, and I also searched the docs for update/upgrade and I don't see how I would do that either? Did I miss something obvious? Thanks John -- John Howard Head of Network Infrastructure Proton AG Sent with Proton Mail secure email. ------- Original Message ------- On Tuesday, May 16th, 2023 at 14:20, Anand Buddhdev <anandb@ripe.net> wrote:
On 16/05/2023 12:42, John Howard via ripe-atlas wrote:
Hello John,
Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741 and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases.
These RIPE Atlas anchors are running with an nginx package from Fedora EPEL. Although it is an older version, it has been patched with fixes for the CVEs you mentioned. We are currently running CentOS 7 on the anchors, and it is still receiving security fixes, which we regularly apply.
Later this year, or perhaps early in 2024, we will be updating the operating system on the anchors, and that will bring in new versions of all the software we run on them.
I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead?
You are referring to the software probe package. It used to ship with a crontab that kept the software probe package up to date. There was a discussion about it on this list, and a majority of users didn't like it, and preferred to update their systems (including the software probe package) using their preferred update policy. That's why the crontab was removed. When new versions of the software probe package are available, users can update to it as and when they wish.
Regards, Anand Buddhdev RIPE NCC