Image vulnerabilities #235
Comments
4.3.9 is also running an older version of openssl (3.0.2) affected by the recent advisory
The
@coffee-squirrel are there plans to patch the other vulnerabilities I have shown?
@jin-ahn I'm not with Graylog, so I don't know. It seems most/all of those are related to "Graylog the Java app" versus the container image, so you might get more traction by following the process mentioned at https://github.com/Graylog2/graylog2-server/blob/master/SECURITY.md.
Hi! Sorry for the delay: For Graylog 5.0 (in beta right now) we are updating Jackson and Netty, which should address those issues. Unfortunately, those are quite involved to backport, so we will most likely not bump the version in 4.3. I'll leave this open until we are closing some internal issues that are pointing here. Thanks!
Hi, just thought I'd give an update. I've checked the latest 5.0 rc2 image for vulnerabilities, and although there is an improvement, the critical ones still remain. I understand that they don't necessarily apply to graylog, but if it's low-hanging fruit, it would be great for our usage to have the libraries updated.
Hi @kroepke, just to confirm - are there still plans to patch the remaining vulnerabilities? Or are we leaving them alone?
@Jeffrey778 The fixes will be part of the next stable release (5.0.7) that ships at the beginning of May. UPDATE: We will only backport fixes for security issues that affect Graylog.
Hi. 5.0.6 also has new vulnerabilities related to org.quartz-scheduler and org.yaml:snakeyaml https://nvd.nist.gov/vuln/detail/CVE-2019-13990
@bernd could you comment on whether or not there are plans to patch these?
5.1.1 still has the same vulnerabilities. @bernd
The latest (4.3.9) docker image of graylog has 6 critical and 73 high vulnerabilities related to apache, minidev, fasterxml, netty, etc. Can we get these patched?