mediagis / nominatim-docker

100% working container for Nominatim
Creative Commons Zero v1.0 Universal

Vulnerabilities #547

Closed userStarlight closed 2 months ago

userStarlight commented 3 months ago

Describe the bug: In the Docker image mediagis/nominatim:4.1

Vulnerabilities: Apache HTTP Server: CVE-2023-25690, CVE-2023-27522, CVE-2023-31122, CVE-2022-23943, CVE-2022-22721, CVE-2022-26377, CVE-2022-22720, CVE-2022-28615, CVE-2022-29404, CVE-2022-30556, CVE-2022-31813, CVE-2006-20001, CVE-2022-22719, CVE-2022-36760

Expected behavior: Is there currently a version that fixes these vulnerabilities?

mtmail commented 3 months ago

Each of the CVEs describes which version of Apache provides a patch. You can upgrade your Apache software inside the docker container, or try installing the latest image (4.4) and rerun your report.

userStarlight commented 3 months ago

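> Each of the CVEs describes which version of Apache provides a patch. You can upgrade your Apache software inside the docker container, or try installing the latest image (4.4) and rerun your report.

Do you mean upgrading the Apache software inside the mediagis/nominatim container running in Docker?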

mtmail commented 3 months ago

For benefit of other readers let's use english language in this issue tracker.

userStarlight commented 3 months ago

> For benefit of other readers let's use english language in this issue tracker.

Okay, sorry, my question is: Is it upgrading Apache software inside the media/nominatim container running in Docker?

userStarlight commented 3 months ago

> For benefit of other readers let's use english language in this issue tracker.

Or if I use Dockerfile to build an image, how can I modify the version of Apache 2?

mtmail commented 3 months ago

It's an Ubuntu operating system, so usually

docker exec -it $name-of-your-container /bin/bash

then inside the VM

apache2 -v
Server version: Apache/2.4.52 (Ubuntu)
Server built:   2023-03-08T17:32:01
apt-get update
apt-get install --only-upgrade apache2
apache2 -v
Server version: Apache/2.4.52 (Ubuntu)
Server built:   2024-01-17T03:00:18

On https://httpd.apache.org/download.cgi I see the current latest release is 2.4.58 so it's a bit more work. Following the steps on https://www.linuxcapable.com/upgrade-apache-on-ubuntu-linux/ worked:

apache2 -v
Server version: Apache/2.4.58 (Ubuntu)
Server built:   2023-10-25T05:39:09

userStarlight commented 3 months ago

> It's an Ubuntu operating system, so usually
>
> docker exec -it $name-of-your-container /bin/bash
>
> then inside the VM
>
> apache2 -v
> Server version: Apache/2.4.52 (Ubuntu)
> Server built:   2023-03-08T17:32:01
> apt-get update
> apt-get install --only-upgrade apache2
> apache2 -v
> Server version: Apache/2.4.52 (Ubuntu)
> Server built:   2024-01-17T03:00:18
>
> On https://httpd.apache.org/download.cgi I see the current latest release is 2.4.58 so it's a bit more work. Following the steps on https://www.linuxcapable.com/upgrade-apache-on-ubuntu-linux/ worked:
>
> apache2 -v
> Server version: Apache/2.4.58 (Ubuntu)
> Server built:   2023-10-25T05:39:09

Thank you very much for your reply, but the environment here is not very optimistic. Can we upgrade the version of Apache2 to 2.4.58 when building the image?

leonardehrenfried commented 3 months ago

You appear to be using version 4.1. The latest versions of the image have newer versions of apache.

userStarlight commented 3 months ago

> You appear to be using version 4.1. The latest versions of the image have newer versions of apache.

I tried 4.4 and entered apache2 -v into the container after running it. It still prompts:

Server version: Apache/2.4.52 (Ubuntu)
Server built:   2023-03-08T17:32:01
apt-get update

philipkozeny commented 2 months ago

AFAIK the Ubuntu security team also backports those into the 22.04 release (see https://answers.launchpad.net/ubuntu/+source/apache2/+question/809178 as an example) and we run an update & upgrade command for every release.
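
Added example, not part of the thread or the project's code: because backported fixes leave `apache2 -v` at 2.4.52, a scanner finding is better checked against the package changelog than the version string. The function names and the sample changelog are constructed for illustration, and the check assumes Ubuntu changelog entries name the CVE ids they patch.

```shell
#!/bin/sh
# Report which CVE ids are named in a Debian/Ubuntu package changelog.
# The changelog is read from stdin; the CVE ids to look for are arguments.
# Output: one line per id, "<id> mentioned" or "<id> not-mentioned".
cve_coverage() {
    changelog=$(cat)
    for cve in "$@"; do
        # -F: literal match; -w: whole word, so a truncated id such as
        # CVE-2022-2272 does not match CVE-2022-22720.
        if printf '%s\n' "$changelog" | grep -wF -- "$cve" >/dev/null; then
            printf '%s mentioned\n' "$cve"
        else
            printf '%s not-mentioned\n' "$cve"
        fi
    done
}

# Constructed sample in Debian changelog layout (NOT real Ubuntu changelog
# text; the version strings and maintainer are placeholders).
sample_changelog() {
    cat <<'EOF'
apache2 (2.4.52-0example2) jammy-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration
    - CVE-2023-25690
    - CVE-2023-27522

 -- Example Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

apache2 (2.4.52-0example1) jammy-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration
    - CVE-2022-22720

 -- Example Maintainer <maintainer@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
}

# Demo on the constructed sample, using ids from the report in this issue.
sample_changelog | cve_coverage CVE-2023-25690 CVE-2022-22720 CVE-2006-20001
```

Inside the container, after the `apt-get install --only-upgrade apache2` step shown above, `apt-get changelog apache2 | cve_coverage <ids from the scan report>` runs the same check against the real changelog. Ids reported as not-mentioned are the ones to follow up on with the scanner vendor or the Ubuntu security tracker.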