network vulnerability in buster

toklobuc
Posts: 10
Joined: 02 Mar 2021, 12:35

network vulnerability in buster

Post by toklobuc »

Hi,

Our company does a "network vulnerabilities scan" every week, and it seems our Pis are the only ones left which we cannot "secure".
There were 2 main vulnerabilities found by this software:

Apache HTTP Server (Apache 2 buster version 2.4.38) - multiple vulnerabilities according to CVE-2019-10081
The recommendation is to upgrade to v2.4.41. This version is not included in the repository of any of the KUNBUS Raspbian versions.
When do you plan to release Bullseye?

jQuery (v2.2.1) - end-of-life detection
I did some research, and this version is used by the packages "pictory" and "revpi-webstatus". As jquery-2.2.1 is not a package but a JS library, I wonder if there is a better way to replace it than downloading the new version and changing the HTML file for pictory. Will pictory use a newer jQuery in Bullseye?

Unfortunately, my colleague who runs these scans is not persuadable, and he insists we IMMEDIATELY fix this or disconnect the Pis from the network.
nicolaiB
KUNBUS
Posts: 931
Joined: 21 Jun 2018, 10:33
Location: Berlin

Re: network vulnerability in buster

Post by nicolaiB »

Hi,

We will check if we can provide an updated jQuery with our pictory package. Regarding CVE-2019-10081, please check the Debian security advisory: https://security-tracker.debian.org/tra ... 2019-10081. It states that the CVE is fixed with 2.4.38-3+deb10u5 / 2.4.38-3+deb10u7, which are shipped over the usual update channels.

Nicolai
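The point of the reply above is that a scanner reading only the upstream string "2.4.38" cannot see a Debian security backport; what decides the matter is the package revision. As an added example (not code from this thread or from KUNBUS), here is a Python port of dpkg's version ordering that checks an installed apache2 version against the fixed buster revisions Nicolai quotes; it assumes the installed string is taken from `dpkg-query -W -f='${Version}' apache2`.

```python
# Added example, not from the thread or KUNBUS: dpkg-style version comparison
# to tell whether an installed Debian package revision carries a backported fix.
import re
from itertools import zip_longest


def _order(c):
    """dpkg weight of one non-digit char: '~' < end of string < letters < others."""
    if not c:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): walk both strings as alternating
    (non-digit run, digit run) pairs; runs of non-digits compare char by
    char via _order, runs of digits compare as integers (empty run == 0)."""
    ra = re.findall(r"(\D*)(\d*)", a)
    rb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ra, rb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return d
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; the revision follows the last '-'."""
    epoch, _, rest = v.rpartition(":")
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch or 0), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Fixed buster versions quoted in the reply above (Debian security tracker).
FIXED_APACHE2_BUSTER = ("2.4.38-3+deb10u5", "2.4.38-3+deb10u7")


def is_fixed(installed, fixed=FIXED_APACHE2_BUSTER):
    """True when `installed` (e.g. output of dpkg-query -W -f='${Version}' apache2)
    is at or past any fixed version; the upstream 2.4.38 alone proves nothing."""
    return any(compare_versions(installed, f) >= 0 for f in fixed)
```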
toklobuc
Posts: 10
Joined: 02 Mar 2021, 12:35

Re: network vulnerability in buster

Post by toklobuc »

OK, please let me know if Bullseye will have an updated jQuery. Do you perhaps have a Bullseye release date?

Regarding apache2: the scan was made on the Pi which was last updated in 01/2022 (so I'm not sure which version was installed). Now I've updated it again, and I'm waiting for another scan on Friday.
Thank you