On 16/05/2023 12:42, John Howard via ripe-atlas wrote: Hello John,
Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (CVE-2022-41741 and CVE-2022-41742). Given the mp4 module pre-req, I doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases.
I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead? You are referring to the software probe package. It used to ship with a crontab that kept the software probe package up to date. There was a discussion about it on this list, and a majority of users didn't like it, and preferred to update their systems (including the software probe
These RIPE Atlas anchors are running with an nginx package from Fedora EPEL. Although it is an older version, it has been patched with fixes for the CVEs you mentioned. We are currently running CentOS 7 on the anchors, and it is still receiving security fixes, which we regularly apply. Later this year, or perhaps early in 2024, we will be updating the operating system on the anchors, and that will bring in new versions of all the software we run on them. package) using their preferred update policy. That's why the crontab was removed. When new versions of the software probe package are available, users can update to it as and when they wish. Regards, Anand Buddhdev RIPE NCC