Hi,
Our company does the "network vulnerabilities scan every week" and it seems our Pis are the only ones left which we cannot "secure".
There were 2 main vulnerabilities found by this software:
Apache HTTP Server (Apache 2 buster version 2.4.38) - multiple vulnerabilities according to CVE-2019-10081
The recommendation is to upgrade to v2.4.41. This version is not included in the repository of any of the KUNBUS Raspbian versions.
When do you plan to release Bullseye?
jQuery (v2.2.1) - end of life detection
I did some research and this version is used by the packages "pictory" and "revpi-webstatus". As jquery-2.2.1 is not a package but a JS library, I wonder if there is some better way to replace it rather than downloading a new version and changing the HTML file for pictory. Will pictory use a newer jQuery in Bullseye?
Unfortunately my colleague who runs these scans is not persuadable and he insists we IMMEDIATELY fix this or disconnect the Pis from the network.
network vulnerability in buster
Re: network vulnerability in buster
Hi,
We will check if we can provide an updated jQuery with our pictory package. Regarding CVE-2019-10081, please check the Debian security advisory: https://security-tracker.debian.org/tra ... 2019-10081. It states that the CVE is fixed with 2.4.38-3+deb10u5 / 2.4.38-3+deb10u7, which are shipped over the usual update channels.
Nicolai
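A way to verify the point made in this reply, as an added example that is not from the thread or from KUNBUS: the scanner matches on the upstream banner (2.4.38), while Debian carries the fix in the package revision (2.4.38-3+deb10u5 and later), so the installed package version is what needs comparing. The script reimplements the dpkg version ordering rules (epoch, upstream, revision; '~' sorting before everything) so it can compare constructed `dpkg-query` output offline; on a real Pi, `dpkg --compare-versions` is the authoritative tool.

```python
import re
# Fixed apache2 package version named in the Debian security tracker entry quoted above.
FIXED_CVE_2019_10081 = "2.4.38-3+deb10u5"

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output from a Pi.
SAMPLE_DPKG_OUTPUT = "apache2 2.4.38-3+deb10u7\napache2-bin 2.4.38-3+deb10u7\n"

def _char_order(c):
    # Debian lexical order: '~' first (even before end of string), then end of string, letters, others.
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs, as dpkg's verrevcmp() does.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i] if i < len(na) else "")
            ob = _char_order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def debian_version_cmp(v1, v2):
    # Compare [epoch:]upstream[-revision] strings; returns -1, 0 or 1.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def cve_2019_10081_fixed(installed_version):
    # True when the installed package version is at or above Debian's fixed version.
    return debian_version_cmp(installed_version, FIXED_CVE_2019_10081) >= 0

def check_dpkg_output(text, package="apache2"):
    # Look the package up in dpkg-query output and return (version, fixed?).
    for line in text.splitlines():
        name, _, version = line.partition(" ")
        if name == package:
            return version, cve_2019_10081_fixed(version)
    return None, False
```

Feeding only the banner string "2.4.38" to `cve_2019_10081_fixed` returns False, which is exactly the gap between what the scanner sees and what the package database records.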
Re: network vulnerability in buster
Ok, please let me know if Bullseye will have updated jQuery. Do you perhaps have a Bullseye release date?
Regarding apache2 - the scan was made on the Pi which was last updated in 01/2022 (so I'm not sure which version was installed) - now I've updated it again and I'm waiting for another scan on Friday.
Thank you