Hi,

Thanks for pointing this out Roger. I’ve rebuilt the image using the current 
tomcat:8.5-jdk8 container (i.e. docker build --pull etc). I’ll look into 
automating it after Christmas.

Thanks,

Matthew

From: IPT <[email protected]> on behalf of Roger W. J. Alterskjær via 
IPT <[email protected]>
Date: Friday, 23 December 2022 at 01:01
To: [email protected] <[email protected]>
Subject: Re: [IPT] Update docker tomcat?
Ugh. And now I see I overlooked where tomcat comes into play in the Dockerfile:
https://github.com/gbif/ipt/blob/master/package/docker/Dockerfile
Line 17: FROM tomcat:8.5-jdk8
Perhaps ‘tomcat:8.5.84-jdk8’?
And I suppose it’s Matthew that will need to check this out. 😊
-Roger A

From: IPT <[email protected]> on behalf of Roger W. J. Alterskjær via 
IPT <[email protected]>
Date: Thursday, 22 December 2022 at 13:44
To: [email protected] <[email protected]>
Subject: [IPT] Update docker tomcat?
Our university IT-security guys have noticed that our docker container for 
gbif/ipt is running a vulnerable version of Tomcat: Apache Tomcat 8.5.x < 
8.5.83 which is vulnerable to "Request Smuggling Vulnerability" 
(CVE-2022-42252). They say that Tomcat 8.5.84 is the latest version of 8.5.

I see that we’re using maven:3.8-jdk-8 which hasn’t been updated for five months…

-Roger A
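A check for the floating base-image tags discussed in both of Roger's messages, added here as an example and not part of the IPT project's own tooling: it classifies each FROM line of a Dockerfile as digest-pinned, patch-pinned (tomcat:8.5.84-jdk8), floating (tomcat:8.5-jdk8, maven:3.8-jdk-8) or untagged, so a floating tag that only moves on `docker build --pull` is caught in review. The Dockerfile fragment it scans is constructed for the example.

```shell
#!/bin/sh
# Added example, not the IPT project's own tooling: flag FROM lines in a
# Dockerfile whose base-image tag floats (tomcat:8.5-jdk8) instead of pinning
# a patch release (tomcat:8.5.84-jdk8) or an image digest. A floating tag only
# moves to a newer Tomcat when the image is rebuilt with `docker build --pull`;
# a pinned tag makes the version explicit, so a bump shows up in code review.

# Classify one image reference: pinned-digest | pinned | floating | untagged
classify_ref() {
  ref="$1"
  case "$ref" in *@sha256:*) echo "pinned-digest"; return ;; esac
  name="${ref##*/}"                 # drop registry/namespace (handles host:port)
  case "$name" in
    *:*) tag="${name##*:}" ;;
    *)   echo "untagged"; return ;; # implicit :latest
  esac
  case "$tag" in                    # a MAJOR.MINOR.PATCH prefix counts as pinned
    [0-9]*.[0-9]*.[0-9]*) echo "pinned" ;;
    *)                    echo "floating" ;;
  esac
}

# Read a Dockerfile on stdin; print "<line> <ref> <kind>" for every FROM.
# Exit status 1 if any base image is floating or untagged.
check_dockerfile() {
  rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in [Ff][Rr][Oo][Mm]" "*) ;; *) continue ;; esac
    set -- $line; shift             # split "FROM [--platform=..] ref [AS x]"
    while [ $# -gt 0 ]; do case "$1" in --*) shift ;; *) break ;; esac; done
    kind=$(classify_ref "$1")
    case "$kind" in floating|untagged) rc=1 ;; esac
    printf '%s %s %s\n' "$n" "$1" "$kind"
  done
  return "$rc"
}

# Constructed Dockerfile fragment mirroring the two base images in the thread.
sample_dockerfile() {
  printf '%s\n' 'FROM maven:3.8-jdk-8 AS build' \
                'FROM --platform=linux/amd64 tomcat:8.5-jdk8' \
                'FROM tomcat:8.5.84-jdk8'
}

sample_dockerfile | check_dockerfile || echo "floating base images found"
```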
_______________________________________________
IPT mailing list
[email protected]
https://lists.gbif.org/mailman/listinfo/ipt
