Is your feature request related to a problem? Please describe.
My request is related to some recently found critical (remote code execution) security issues in Nginx.
It is also related to security in general and to the updatability of dependencies.
In general, unneeded and outdated packages are potential security issues and should be taken care of. Removing unneeded ones makes the image smaller, more secure and probably also more performant, even though performance is not a problem.
Describe the solution you'd like
Temp solution: update manually
Long term solution:
- update all 'other' required dependencies in the image.
- update Nginx as a main dependency more often, as :latest is currently running on 1.19.9.1
- update openssl (1.1.1n) to at least the newest openssl v1 version, or even v3.
- remove unneeded dependencies in the image
Describe alternatives you've considered
Updating and cleaning the image manually to bring it up to the newest state and ensuring security once.
Thanks in advance!
I am open to discussion on how best to do this.
P.S.: here are the issues:
All: https://support.f5.com/csp/article/K30425568
- https://support.f5.com/csp/article/K28112382
- https://support.f5.com/csp/article/K81926432
- https://support.f5.com/csp/article/K01112063
which all affect Nginx (two of its modules)
To check if your installation is affected you can run:
nginx -V 2>&1 | tr ' ' '\n' | egrep -i 'mp4|hls'
If it returns any module name AND you are running any version below 1.23.1 or 1.22.0, your installation is affected.
This image does have one of the two affected modules. The modules are:
- ngx_http_mp4_module (installed)
- ngx_http_hls_module
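The one-line check above only greps for module names; it does not compare the version. The script below, added here as an example and not part of the issue or of the image's own tooling, parses the text of `nginx -V`, extracts the nginx and OpenSSL versions and the mp4/hls modules, and decides whether the build is below the fixed releases the issue names. The thresholds (1.22.0 and 1.23.1) are copied from the issue text as an assumption and should be verified against the linked F5 advisories; the sample outputs are constructed, modelled on the numbers the issue quotes (an OpenResty-style 1.19.9.1 build with OpenSSL 1.1.1n).

```shell
#!/bin/sh
# Added example (not the issue author's or the image's code): decide whether an
# nginx build is affected, given the text of `nginx -V 2>&1`.
# ASSUMPTION: the fixed releases per branch are those the issue states
# (1.22.0 and 1.23.1); check them against the advisories before relying on this.
# List is ascending; the first entry is treated as the overall floor.
FIXED_VERSIONS="1.22.0 1.23.1"

# Constructed sample outputs (not captured from a real host).
SAMPLE_AFFECTED='nginx version: openresty/1.19.9.1
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n  15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-http_ssl_module --with-http_mp4_module --with-http_v2_module'

SAMPLE_MAINLINE_OLD='nginx version: nginx/1.23.0
configure arguments: --with-http_ssl_module --with-http_mp4_module'

SAMPLE_FIXED='nginx version: nginx/1.23.1
built with OpenSSL 1.1.1q  5 Jul 2022
configure arguments: --with-http_ssl_module --with-http_mp4_module'

SAMPLE_NO_MODULE='nginx version: nginx/1.19.9
configure arguments: --with-http_ssl_module --with-http_v2_module'

# version_ge A B: exit 0 if dotted version A >= B (numeric, any number of parts).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# nginx_version TEXT: print the version from "nginx version: nginx/1.2.3"
# (also matches "openresty/1.19.9.1"-style banners); prints nothing if absent.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: [A-Za-z]*/\([0-9.]*\).*|\1|p'
}

# openssl_version TEXT: print the "built with OpenSSL" version, e.g. 1.1.1n.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's|^built with OpenSSL \([0-9][0-9A-Za-z.]*\).*|\1|p'
}

# vulnerable_modules TEXT: print compiled-in modules whose name contains mp4 or
# hls, one per line, with the leading "--with-" stripped.
vulnerable_modules() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Ei 'mp4|hls' | sed 's/^--with-//'
}

# is_affected TEXT: 0 = affected, 1 = not affected, 2 = version not parsable.
is_affected() {
    text=$1
    v=$(nginx_version "$text")
    [ -n "$v" ] || return 2
    mods=$(vulnerable_modules "$text")
    [ -n "$mods" ] || return 1            # module not compiled in
    branch=$(printf '%s\n' "$v" | cut -d. -f1,2)
    for fixed in $FIXED_VERSIONS; do      # same branch: compare to its fix
        if [ "$branch" = "$(printf '%s\n' "$fixed" | cut -d. -f1,2)" ]; then
            if version_ge "$v" "$fixed"; then return 1; fi
            return 0
        fi
    done
    # No matching branch: older than the floor is affected, newer is not.
    if version_ge "$v" "${FIXED_VERSIONS%% *}"; then return 1; fi
    return 0
}

# report TEXT: human-readable summary; always exits 0 so it is safe under set -e.
report() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) printf 'AFFECTED: nginx %s, modules: %s\n' "$(nginx_version "$1")" \
               "$(vulnerable_modules "$1" | tr '\n' ' ')" ;;
        1) printf 'not affected: nginx %s\n' "$(nginx_version "$1")" ;;
        *) printf 'could not parse nginx -V output\n' ;;
    esac
    printf 'OpenSSL: %s\n' "$(openssl_version "$1")"
    return 0
}

report "$SAMPLE_AFFECTED"
# On a live host or inside the container: report "$(nginx -V 2>&1)"
if command -v nginx >/dev/null 2>&1; then report "$(nginx -V 2>&1)"; fi
```

Two caveats when using this against a real image: distribution packages sometimes backport security fixes without changing the version string, so a version below the threshold is a prompt to check the package changelog rather than proof of exposure; and a module loaded as a dynamic module from a separate package may not appear in `nginx -V`, so the `load_module` lines in nginx.conf should be checked too.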