Open Zenjir0 opened 1 month ago
Just an update.
I don't think the version bump is super urgent as from what I can tell on NGINX's official CVE Advisory Page
If you are using NGINX version 1.25.3.2, you are vulnerable to the following CVEs:
CVE-2024-24989: NULL pointer dereference in HTTP/3 (Severity: Major)
CVE-2024-24990: Use-after-free in HTTP/3 (Severity: Major)
CVE-2024-32760: Buffer overwrite in HTTP/3 (Severity: Medium)
CVE-2024-31079: Stack overflow and use-after-free in HTTP/3 (Severity: Medium)
CVE-2024-35200: NULL pointer dereference in HTTP/3 (Severity: Medium)
CVE-2024-34161: Memory disclosure in HTTP/3 (Severity: Medium)
All of which are HTTP/3 related, and I would assume that if that is not being used then there is no immediate danger. To my knowledge best practice is still HTTP/2.
It isn't nginx, but openresty
/usr/sbin/nginx -version
nginx version: openresty/1.25.3.2
@JBlond Thanks for that clarification. Do you know if OpenResty's versioning scheme follows NGINX? I can't find anything concrete on their website, and just going off of the versioning alone, it does appear that they mimic NGINX's with a trailing number at the end for their own patching increment.
Version: 1.25.3.2
1 . 25 . 3 . 2
│ │ │ │
│ │ │ └─────── OpenResty Build/Patch
│ │ └─────────────── NGINX Patch
│ └─────────────────────── NGINX Minor
└─────────────────────────────── NGINX Major
As I was typing I think I found my answer. It looks like they do as in their recent blog post for OpenResty 1.27.1.1:
The main core of OpenResty is NGINX 1.27.1 and the one before that was 1.25.3.2 which was NGINX 1.25.3.
Looking forward to the next release with 1.27.1.X
Also some information on NGINX's versioning scheme for those who might read this post.
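The two practical questions raised in this thread are what the version banner actually says about the NGINX base and OpenResty patch level, and whether HTTP/3 is in play at all (the argument above that these CVEs don't matter if HTTP/3 isn't used). The script below is an added example, not code from the nginx-proxy-manager project or from anyone in this thread: it parses the banner the way the diagram above describes, checks the `nginx -V` configure arguments for `--with-http_v3_module`, and looks for `listen ... quic` directives, which is how HTTP/3 is enabled in nginx. The `nginx -V` output and the server block are constructed sample inputs, not captured from the NPM image.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `nginx -V 2>&1` output (not taken from the NPM image).
SAMPLE_NGINX_V = """nginx version: openresty/1.25.3.2
built with OpenSSL 1.1.1w  11 Sep 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-stream
"""

# Constructed sample server block: TLS + HTTP/2 only, no QUIC listener.
SAMPLE_CONF = """server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name example.invalid;
}
"""

# "nginx version: openresty/1.25.3.2" or "nginx version: nginx/1.27.1"
VERSION_RE = re.compile(
    r"nginx version:\s*(?:(\w+)/)?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?"
)


@dataclass
class NginxVersion:
    flavour: str                  # "nginx" or "openresty"
    nginx: Tuple[int, int, int]   # the NGINX major.minor.patch base
    patch: Optional[int]          # trailing OpenResty build/patch number, if any


def parse_version(banner: str) -> NginxVersion:
    """Split a version banner into the NGINX base and the OpenResty patch number."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no nginx version banner found")
    flavour = m.group(1) or "nginx"
    nginx = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    patch = int(m.group(5)) if m.group(5) else None
    return NginxVersion(flavour, nginx, patch)


def http3_built_in(v_output: str) -> bool:
    """True if the binary was configured with the HTTP/3 module."""
    return "--with-http_v3_module" in v_output


def http3_listeners(conf: str) -> List[str]:
    """Return every listen directive that carries the quic parameter."""
    return [
        line.strip()
        for line in conf.splitlines()
        if re.match(r"\s*listen\b.*\bquic\b", line)
    ]


def http3_exposure(v_output: str, conf: str) -> dict:
    """Summarise whether HTTP/3 code can be reached from the network.

    HTTP/3 is only served when the module is compiled in AND a listen
    directive enables quic, so both conditions are reported separately.
    """
    version = parse_version(v_output)
    compiled = http3_built_in(v_output)
    listeners = http3_listeners(conf)
    return {
        "flavour": version.flavour,
        "nginx_base": ".".join(str(n) for n in version.nginx),
        "openresty_patch": version.patch,
        "http3_compiled": compiled,
        "http3_listeners": listeners,
        "exposed": compiled and bool(listeners),
    }


if __name__ == "__main__":
    print(http3_exposure(SAMPLE_NGINX_V, SAMPLE_CONF))
```

On a real container, feed it `docker exec <container> nginx -V 2>&1` (the banner goes to stderr) and the rendered config from `nginx -T`; "exposed" being false only means no QUIC listener is configured, it does not change the fact that the base version itself is still the one the advisories list.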
@Zenjir0 I found on https://openresty.org/en/faq.html that they use the nginx base including the version numbering, and the additional number is the OpenResty patch number.
@Zenjir0 the version is upstream. See https://github.com/NginxProxyManager/docker-nginx-full/blob/master/local-build.sh#L12 and https://github.com/NginxProxyManager/docker-nginx-full/blob/master/local-buildx.sh#L12
Is your feature request related to a problem? Please describe.
Currently, the NPM image from
jc21/nginx-proxy-manager:latest
is at version 1.25.3.2, which is end-of-life for security support on May 29, 2024 and no longer receiving security updates upstream, to my knowledge.
Describe the solution you'd like
Requesting that the docker image have its NGINX version bumped to an actively supported security NGINX version.
Also I noticed that the Image is 1.1GB in size. Would it also be possible to shrink the image?
Describe alternatives you've considered
N/A
Additional context
Thank you for considering this request! And much appreciated on such a well developed product.