Update nginx to mitigate CVE-2021-23017 #7164
Comments
|
Hello. I tested to upgrade nginx to v1.21.0 by updating images/nginx/rootfs/build.sh (line 21 and 124), build the base image, publish to an alternative registry path, and then modify the BASE_IMAGE variable in the Makefile and build the controller. I've tested it and it works in my setup. However it will take time to get our legal advisor to approve the CLA, so don't wait for that, but the changes I've made is just references to dependencies, no new code, so you should end up with the same result if you're going for nginx v1.21.0. Hope my test will be of value, even if you're not able to merge directly due to the missing CLA. (A question is whether to stay on nginx mainline or to go for nginx stable, now that a new stable branch has been made. But I tested with mainline as that was previously used.) |
|
Nice to see useful info.
There is a lot going on that is related and non-trivial so maybe wait
till someone updates I guess.
Thanks,
; Long
…On 27/05/21 1:09 pm, Christian Skarby wrote:
Hello. I tested to upgrade nginx to v1.21.0 by updating
images/nginx/rootfs/build.sh (line 21 and 124), build the base image,
publish to an alternative registry path, and then modify the
BASE_IMAGE variable in the Makefile and build the controller. I've
tested it and it works in my setup. However it will take time to get
our legal advisor to approve the CLA, so don't wait for that, but the
changes I've made is just references to dependencies, no new code, so
you should end up with the same result if you're going for nginx
v1.21.0. Hope my test will be of value, even if you're not able to
merge directly due to the missing CLA.
(A question is whether to stay on nginx mainline or to go for nginx
stable, now that a new stable branch has been made. But I tested with
mainline as that was previously used.)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#7164 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGZVWX44AFJLAZK5MWKD6DTPXZJ3ANCNFSM45RN2PKQ>.
|
NGINX Ingress controller version: 0.46.0
Kubernetes version: 1.20.5
Environment: (not relevant)
What happened:
Nginx published a blog post that they fixed a security vulnerability in Nginx that might also affect the ingress-nginx controller.
What you expected to happen:
Update of the nginx base image to at least
1.20.1or1.21.0.How to reproduce it:
Find out current used version of nginx:
docker run --rm k8s.gcr.io/ingress-nginx/controller:v0.46.0 nginx -versionnginx/1.19.6which is affected, according to thisFind out if "resolver" directive is present in the configuration:
kubectl exec -it -n infrastructure <ingress-pod-name> cat nginx.conf | grep resolverresolver 100.64.0.10 valid=30s ipv6=off;Anything else we need to know:
/kind bug
The text was updated successfully, but these errors were encountered: