RIPE Anchor updates?
Hi folks,

Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741 and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases.

I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead?

Thanks
John

--
John Howard
Head of Network Infrastructure
Proton AG

Sent with Proton Mail secure email.
On 16/05/2023 12:42, John Howard via ripe-atlas wrote:

Hello John,

> Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741 and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases.

These RIPE Atlas anchors are running with an nginx package from Fedora EPEL. Although it is an older version, it has been patched with fixes for the CVEs you mentioned. We are currently running CentOS 7 on the anchors, and it is still receiving security fixes, which we regularly apply.

Later this year, or perhaps early in 2024, we will be updating the operating system on the anchors, and that will bring in new versions of all the software we run on them.

> I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead?

You are referring to the software probe package. It used to ship with a crontab that kept the software probe package up to date. There was a discussion about it on this list, and a majority of users didn't like it, and preferred to update their systems (including the software probe package) using their preferred update policy. That's why the crontab was removed. When new versions of the software probe package are available, users can update to it as and when they wish.

Regards,
Anand Buddhdev
RIPE NCC
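Anand's point is that an EPEL package's version string does not reveal backported fixes, so a version-based scanner finding has to be resolved against the package changelog. The following script is an added example and not part of the thread: it applies that check to a constructed changelog excerpt standing in for `rpm -q --changelog nginx` output; the maintainer address, dates, release numbers and the CVE-0000-00000 id are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a distro package carries a
# backported fix for a CVE by reading its RPM changelog, since the version
# string (nginx 1.20.1 here) says nothing about what EPEL/CentOS patched in.
# On a CentOS 7 anchor the real input is:  rpm -q --changelog nginx
# The verifier host has no rpm, so a CONSTRUCTED changelog excerpt is embedded.
# Maintainer address, dates and release numbers below are placeholders.

CONSTRUCTED_CHANGELOG='* Tue Nov 01 2022 Example Maintainer <maint@example.invalid> - 1:1.20.1-10
- Backport upstream fixes for CVE-2022-41741 and CVE-2022-41742 (ngx_http_mp4_module)

* Mon Jun 07 2021 Example Maintainer <maint@example.invalid> - 1:1.20.1-1
- Update to upstream 1.20.1'

# cve_status CHANGELOG CVE-ID
# Prints "patched" when the changelog names the CVE as a whole word (so
# CVE-2022-4174 does not match CVE-2022-41741), otherwise "unknown": a silent
# changelog does not prove the package is vulnerable, only that the scanner
# finding still needs a human to resolve it.
cve_status() {
  _changelog=$1
  _cve=$2
  if printf '%s\n' "$_changelog" | grep -qw -- "$_cve"; then
    printf 'patched\n'
  else
    printf 'unknown\n'
  fi
}

# cve_report CHANGELOG CVE-ID... -> one "CVE-ID: status" line per CVE
cve_report() {
  _cl=$1
  shift
  for _c in "$@"; do
    printf '%s: %s\n' "$_c" "$(cve_status "$_cl" "$_c")"
  done
}

# Stand-alone run: the two CVEs from the scanner finding plus a placeholder id
# (CVE-0000-00000) that the constructed changelog does not mention.
cve_report "$CONSTRUCTED_CHANGELOG" CVE-2022-41741 CVE-2022-41742 CVE-0000-00000
```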
Hi Anand,

Thanks for the response. I regularly despair with the RHEL ecosystem and its backported fixes. Long live Debian!

I was not on-list for the previous discussions you mention, but I think the release note might be a little ambiguous, and I also searched the docs for update/upgrade and I don't see how I would do that either? Did I miss something obvious?

Thanks
John

--
John Howard
Head of Network Infrastructure
Proton AG

------- Original Message -------
On Tuesday, May 16th, 2023 at 14:20, Anand Buddhdev <anandb@ripe.net> wrote:

> On 16/05/2023 12:42, John Howard via ripe-atlas wrote:
>
> Hello John,
>
>> Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741 and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases.
>
> These RIPE Atlas anchors are running with an nginx package from Fedora EPEL. Although it is an older version, it has been patched with fixes for the CVEs you mentioned. We are currently running CentOS 7 on the anchors, and it is still receiving security fixes, which we regularly apply.
>
> Later this year, or perhaps early in 2024, we will be updating the operating system on the anchors, and that will bring in new versions of all the software we run on them.
>
>> I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead?
>
> You are referring to the software probe package. It used to ship with a crontab that kept the software probe package up to date. There was a discussion about it on this list, and a majority of users didn't like it, and preferred to update their systems (including the software probe package) using their preferred update policy. That's why the crontab was removed. When new versions of the software probe package are available, users can update to it as and when they wish.
>
> Regards,
> Anand Buddhdev
> RIPE NCC
On 16/05/2023 14:36, John Howard wrote:

Hello John,

> Thanks for the response. I regularly despair with the RHEL ecosystem and its backported fixes. Long live Debian!

That's a different discussion, and not appropriate to this thread :)

> I was not on-list for the previous discussions you mention, but I think the release note might be a little ambiguous, and I also searched the docs for update/upgrade and I don't see how I would do that either?

Detailed instructions are available here:

https://atlas.ripe.net/docs/howtos/software-probes.html

Once you have the repository set up, and the "atlasswprobe" package installed, you can keep it up to date by periodically running:

    yum update atlasswprobe

or even just:

    yum update

This latter command will update all packages to their latest available versions.

Regards,
Anand Buddhdev
RIPE NCC