
OpenSSL Padding Oracle vuln. (CVE-2016-2107) #14

Open
jdddog opened this issue Jul 6, 2016 · 9 comments

Comments

@jdddog

jdddog commented Jul 6, 2016

The current build of this docker image is vulnerable to OpenSSL Padding Oracle vuln. CVE-2016-2107, which gives an F on SSL Labs SSL Server Test.

The latest Ubuntu security updates fix the issue by upgrading openssl. It would be great if you could update the build on Docker Hub.

@madewithyou

I get the same F grade too. Does someone have a workaround to solve this?

Thanks

@MattiSG

MattiSG commented Aug 23, 2016

This is pretty important.

It seems ckiely91/meteor-up-1@f8afc13 could have a fix, but I did not try it yet.

@dkleiman

dkleiman commented Aug 23, 2016

@MattiSG That pretty much worked. Thanks. The fork was a bit different, so I had to make a few changes. You just need to change the <% if(typeof sslConfig === "object") { %> block in the start.sh file to the code below. Can confirm this works, got an A+ grade at SSL Labs.
[screenshot attached: SSL Labs result, 2016-08-23]

<% if(typeof sslConfig === "object")  { %>
# We don't need to fail the deployment because of a docker hub downtime
set +e
# Build a local image on top of the upstream frontend image, pulling in the
# patched libssl1.0.0/openssl packages. The Dockerfile is read from stdin ("-"),
# so the heredoc below must not be indented with tabs.
docker build -t meteorhacks/mup-frontend-server-secure - << EOF
FROM meteorhacks/mup-frontend-server:latest
RUN apt-get update && apt-get install --only-upgrade libssl1.0.0 openssl -y
EOF
set -e

# Run the patched image instead of meteorhacks/mup-frontend-server:latest
docker run \
  -d \
  --restart=always \
  --volume=/opt/$APPNAME/config/bundle.crt:/bundle.crt \
  --volume=/opt/$APPNAME/config/private.key:/private.key \
  --link=$APPNAME:backend \
  --publish=<%= sslConfig.port %>:443 \
  --name=$APPNAME-frontend \
  meteorhacks/mup-frontend-server-secure /start.sh
<% } %>

@MattiSG

MattiSG commented Aug 24, 2016

@dkleiman The code you copied seems to be the exact code in ckiely91/meteor-up-1@f8afc13, the only difference being in the lack of apt-get update on line 20. Did I miss something?

Also, how exactly do you change the start.sh file? Do you change it directly in the global node_modules?

@madewithyou

@MattiSG I changed the start.sh in my node_modules and it works.
The code adds an upgrade of libssl on a cached version of meteorhacks/mup-frontend-server:latest.

Just when you copy-paste into your code editor, avoid any tabs in the first part (the Dockerfile).

Thanks Guys!

@MattiSG

MattiSG commented Aug 24, 2016

Did work for me too, applying to the file at $(dirname $(which mupx))/$(dirname $(readlink $(which mupx)))/../templates/linux/start.sh the changeset in ckiely91/meteor-up-1@f8afc13.

@dkleiman

dkleiman commented Aug 24, 2016

@MattiSG Sorry about that, I misunderstood. I didn't realize you were only talking about the changeset. I blindly copied the whole file, and that definitely did not work. I didn't use the apt-get update because that line had installAdditional which was undefined.

I also changed start.sh in that directory.

@zeroasterisk

I went a different track to fix, and suggested the ability to config my own nginx docker image here:
zodern/meteor-up#284

But regardless, this needs to be addressed and fixed, sooner rather than later... good work guys, looks like we are close.

@zeroasterisk

#284 was merged in, now we just need a new image to use in mup.js

zeroasterisk added a commit to zeroasterisk/mup-frontend-server that referenced this issue Sep 20, 2016
Add security fix for OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Relates to SSL insecurity reporting here:
meteorhacks#14

Fix found at:
ckiely91@e151dd6