Update Container Versions for the Release Docker config.env #3069
Comments
Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up? Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.
No, not that I am aware of. Took a look at the NGINX website and according to them the following items could be problems: They honestly don't sound like large enough problems to force an emergency update.
From a first glance at Dockerhub (this is not What is more interesting to look at is the underlying Alpine base image. OpenSSL has 4 CVEs, of which only one sounded somewhat relevant to me. Apparently an I would not call this mission critical, nor do I have a PoC, but it might be worth taking a look at.
Our Timesketch setup (and by extension Nginx Config) is modified quite a bit. Not sure if we are representative of everyone, but I will try deploying an updated NGINX and report back how things are going. Might take some time, since I'm fixing some other stuff first.
Note: I have quickly tested a setup with nginx:1.25.5-alpine-slim and did not run into any issues with booting up the system and some basic activity. Needs some additional testing, but can probably be moved to this version with the next release.
Describe the bug
The versions listed in the config.env file of the release Docker are in most cases three years old. It would make sense to update these, especially considering that there are quite a few vulnerabilities that impact these. I don't know enough about Postgres, Redis and OpenSearch to make a qualified statement about whether updates break anything, but at the very minimum, it would make sense to bump the NGINX version, considering its ports are exposed.
To Reproduce
n/a
Expected behavior
n/a
Links
Desktop (please complete the following information):
n/a