[IPT] Update docker tomcat?
Matthew Blissett
mblissett at gbif.org
Fri Dec 23 09:43:40 UTC 2022
Hi,
Thanks for pointing this out Roger. I’ve rebuilt the image using the current tomcat:8.5-jdk8 container (i.e. docker build --pull etc). I’ll look into automatic it after Christmas.
Thanks,
Matthew
From: IPT <ipt-bounces at lists.gbif.org> on behalf of Roger W. J. Alterskjær via IPT <IPT at lists.gbif.org>
Date: Friday, 23 December 2022 at 01:01
To: IPT at lists.gbif.org <IPT at lists.gbif.org>
Subject: Re: [IPT] Update docker tomcat?
Ugh. And now I see I overlooked where tomcat comes into play in the Dockerfile:
https://github.com/gbif/ipt/blob/master/package/docker/Dockerfile
Line 17: FROM tomcat:8.5-jdk8
Perhaps ‘tomcat:8.5.84-jdk8’?
And I suppose it’s Matthew that will need to check this out. 😊
-Roger A
From: IPT <ipt-bounces at lists.gbif.org> on behalf of Roger W. J. Alterskjær via IPT <ipt at lists.gbif.org>
Date: Thursday, 22 December 2022 at 13:44
To: IPT at lists.gbif.org <IPT at lists.gbif.org>
Subject: [IPT] Update docker tomcat?
Our university IT-security guys have noticed that our docker container for gbif/ipt is running a vulnerable version of Tomcat: Apache Tomcat 8.5.x < 8.5.83 which is vulnerable to "Request Smuggling Vulnerability" (CVE-2022-42252). They say that Tomcat 8.5.84 is the latest version of 8.5.
I see that we’re using maven:3.8-jdk-8 with hasn’t been updated for five months…
-Roger A
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gbif.org/pipermail/ipt/attachments/20221223/8d17b271/attachment.html>
More information about the IPT
mailing list