Hi,
Thanks for pointing this out Roger. I’ve rebuilt the image using the current tomcat:8.5-jdk8 container (i.e. docker build --pull etc). I’ll look into automating it after Christmas.
Thanks,
Matthew
From: IPT ipt-bounces@lists.gbif.org on behalf of Roger W. J. Alterskjær via IPT IPT@lists.gbif.org
Date: Friday, 23 December 2022 at 01:01
To: IPT@lists.gbif.org IPT@lists.gbif.org
Subject: Re: [IPT] Update docker tomcat?

Ugh. And now I see I overlooked where tomcat comes into play in the Dockerfile:
https://github.com/gbif/ipt/blob/master/package/docker/Dockerfile

Line 17: FROM tomcat:8.5-jdk8

Perhaps ‘tomcat:8.5.84-jdk8’? And I suppose it’s Matthew that will need to check this out. 😊

-Roger A
From: IPT ipt-bounces@lists.gbif.org on behalf of Roger W. J. Alterskjær via IPT ipt@lists.gbif.org
Date: Thursday, 22 December 2022 at 13:44
To: IPT@lists.gbif.org IPT@lists.gbif.org
Subject: [IPT] Update docker tomcat?

Our university IT-security guys have noticed that our docker container for gbif/ipt is running a vulnerable version of Tomcat: Apache Tomcat 8.5.x < 8.5.83, which is vulnerable to "Request Smuggling Vulnerability" (CVE-2022-42252). They say that Tomcat 8.5.84 is the latest version of 8.5.
I see that we’re using maven:3.8-jdk-8, which hasn’t been updated for five months…
-Roger A
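The thread's point is that a floating base-image tag such as tomcat:8.5-jdk8 only picks up the fixed Tomcat when the image is rebuilt with --pull, while a pinned tag such as tomcat:8.5.84-jdk8 makes the patch level visible in the Dockerfile itself. The script below is an added example, not code from the IPT project or from anyone on this thread: it classifies a Dockerfile's tomcat FROM line as floating, pinned below 8.5.83 (the first 8.5.x release the thread cites as not vulnerable to CVE-2022-42252), or pinned at/above it. The two Dockerfiles it checks are constructed samples standing in for package/docker/Dockerfile.

```shell
#!/bin/sh
# Added example (not IPT project code). Assumes the base image is written in
# the "tomcat:<major>.<minor>[.<patch>]-<suffix>" tag form used on the thread.
MIN_PATCH=83   # 8.5.x below 8.5.83 is the range the thread reports as vulnerable

# check_tomcat_tag TAG
#   returns 0 when the tag pins a patch level >= MIN_PATCH,
#           1 when the tag floats (no patch component, e.g. tomcat:8.5-jdk8),
#           2 when it is pinned but below MIN_PATCH,
#           3 when it is not an 8.5.x tomcat tag at all.
check_tomcat_tag() {
    tag="$1"
    ver=${tag#tomcat:}       # drop the repository name
    ver=${ver%%-*}           # drop the "-jdk8" style suffix
    case "$ver" in
        8.5.*) patch=${ver#8.5.} ;;
        8.5)   return 1 ;;
        *)     return 3 ;;
    esac
    [ "$patch" -ge "$MIN_PATCH" ] && return 0
    return 2
}

# check_dockerfile < Dockerfile
#   finds the first tomcat FROM line on stdin and classifies it as above.
check_dockerfile() {
    from=$(grep -i '^FROM[[:space:]]*tomcat:' | head -n 1 | awk '{print $2}')
    [ -n "$from" ] || return 3
    check_tomcat_tag "$from"
}

# Constructed sample Dockerfiles: the floating tag from the thread, and a pinned one.
floating='FROM tomcat:8.5-jdk8
COPY ipt.war /usr/local/tomcat/webapps/'
pinned='FROM tomcat:8.5.84-jdk8
COPY ipt.war /usr/local/tomcat/webapps/'

for df in "$floating" "$pinned"; do
    rc=0
    printf '%s\n' "$df" | check_dockerfile || rc=$?
    case $rc in
        0) echo "ok: tomcat pinned at or above 8.5.$MIN_PATCH" ;;
        1) echo "warn: floating tomcat tag; rebuild with --pull or pin the patch level" ;;
        2) echo "fail: tomcat pinned below 8.5.$MIN_PATCH" ;;
        *) echo "skip: no 8.5.x tomcat base image found" ;;
    esac
done
```

Run it against the real Dockerfile with `check_dockerfile < package/docker/Dockerfile` after sourcing the functions; a floating tag still needs the --pull rebuild described above, since the script cannot tell which digest was actually used.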