~~META: title = C2022D13: Nginx update due to a discovered vulnerability ~~
{{htmlmetatags>
metatag-keywords=(software update nginx)
metatag-og:title=(interim Nginx update)
metatag-og:description=( Because of a recently disclosed vulnerability in the nginx web server, nginx in the NPO hosting environment has been updated to the latest version (1.23.2), in which this vulnerability is fixed. New images are also available for the Community Hosting Platform. If you use the ngx_http_mp4_module, we advise you to update to the new version. )
}}

====== C2022D13: Nginx update due to a discovered vulnerability ======

====== Announcement: Nginx update due to a discovered vulnerability ======

Dear customer/colleague,

(Is this message hard to read? Then view the [[|online version]].)

We would like to draw your attention to the following:

  - Nginx update due to a discovered vulnerability

==== Nginx update due to a discovered vulnerability ====

Because of a recently disclosed vulnerability in the nginx web server, nginx in the NPO hosting environment has been updated to the latest version (1.23.2), in which this vulnerability is fixed. New images are also available for the Community Hosting Platform. If you use the ngx_http_mp4_module, we advise you to update to the new version.

==== CHP ====

**Bold** items have been updated.

^image ^alpine version ^tags ^what it is ^
|registry.npohosting.nl/npohosting/base |3.16.2 |[[https://alpinelinux.org/releases/|3.16.2, 3.16, latest]] |[[https://alpinelinux.org/|Alpine linux]] |
|registry.npohosting.nl/npohosting/base-jre |3.16.2 |[[https://alpinelinux.org/releases/|3.16.2, 3.16, latest]] |[[https://alpinelinux.org/releases/|Alpine linux]] + openjdk8-jre |
|**registry.npohosting.nl/npohosting/nginx** |**3.16.2** |**[[http://nginx.org/en/CHANGES|1.23.2, 1.23, latest]]** |base + [[http://nginx.org/|nginx]] + nginx modules |
|registry.npohosting.nl/npohosting/php-fpm |3.16.2 |[[https://www.php.net/ChangeLog-7.php#7.4.32|7.4.32, 7.4]] [[https://www.php.net/ChangeLog-8.php#8.0.24|8.0.24, 8.0]] [[https://www.php.net/ChangeLog-8.php#8.1.11|8.1.11, 8.1, latest]] |base + [[https://www.php.net/|php]] + extensions |
|registry.npohosting.nl/npohosting/ruby |3.16.0 |[[https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/|2.7.6, 2.7, latest]] |base + [[https://www.ruby-lang.org/en/|ruby]] |

==== Appcluster ====

/* Items that do not take part in this round are commented out */
^what ^impact ^when ^from ^to ^
/*|keepalived |0 |W |2.2.4 |[[http://www.keepalived.org/changelog.html|2.2.7]]|*/
/*|icecast |0 |W |2.4.0-kh15 |[[https://github.com/karlheyes/icecast-kh|2.4.0-kh15]] |*/
/*^ ^^^^^*/
/*|dhcp |0 |D1 |4.4.3 |[[https://downloads.isc.org/isc/dhcp/4.4.3/dhcp-4.4.3-RELNOTES|4.4.3]] |*/
/*|freeipmi |0 |D1 |1.6.9 |[[https://www.gnu.org/software/freeipmi/NEWS|1.6.10]] |*/
/*|nrpe |0 |D1 |4.1.0 |[[https://github.com/NagiosEnterprises/nrpe/blob/master/CHANGELOG.md|4.1.0]] |*/
/*|cacti |0 |D1 |1.2.21 |[[https://www.cacti.net/changelog.php|1.2.22]] |*/
/*|cacti-spine |0 |D1 |1.2.21 |[[https://www.cacti.net/spine_changelog.php|1.2.22]] |*/
/*|phpmyadmin |0 |D1 |5.1.3 |[[https://www.phpmyadmin.net/files/5.2.0/|5.2.0]]|*/
/*|vsftpd |1 |D1 |3.0.5 |[[https://security.appspot.com/vsftpd/Changelog.txt|3.0.5]] |*/
/*|openssh |0 |D1 |8.9p1 |[[https://www.openssh.com/releasenotes.html|9.0p1]] |*/
/*|GeoIP |0 |D1 |1.6.12 |1.6.12 | */
/*|geoipupdate |0 |D1 |4.8.0 |[[https://github.com/maxmind/geoipupdate/blob/master/CHANGELOG.md|4.9.0]] |*/
/*|fcron |0 |D1 |3.2.1 |[[http://fcron.free.fr/doc/en/changes.html|3.2.1]] |*/
/*|chrony |0 |D1 |4.2 |[[https://chrony.tuxfamily.org/news.html|4.3]] |*/
/*|openldap |1 |D1 |2.6.2 |[[https://www.openldap.org/software/release/changes.html|2.6.3]] |*/
/*|dovecot |1 |D1 |2.3.18 |[[https://www.dovecot.org/|2.3.19.1]] |*/
/*|mailman |1 |D1 |2.1.37 |[[https://launchpad.net/mailman/2.1/2.1.39|2.1.39]] |*/
/*|influxdb |1 |D1 |1.8.9 |[[https://docs.influxdata.com/influxdb/v1.8/reference/release-notes/influxdb/|1.8.10]] |*/
/*|influxdb2 |1 |D1 |2.0.8 |[[https://docs.influxdata.com/influxdb/v2.0/reference/release-notes/influxdb/|2.0.9]] |*/
/*|grafana |1 |D1 |9.0.6 |[[https://github.com/grafana/grafana/blob/master/CHANGELOG.md|9.1.6]] |*/
/*|postgresql10 |1 |D1 |10.21 |[[https://www.postgresql.org/docs/10/static/release.html|10.22]]|*/
/*|postgresql13 |1 |D1 |13.7 |[[https://www.postgresql.org/docs/13/static/release.html|13.8]]|*/
/*|redis7 |1 |D1 |7.0.4 |[[https://raw.githubusercontent.com/antirez/redis/7.0/00-RELEASENOTES|7.0.5]] |*/
/*|alsa-utils |0 |D1 |1.2.5.1 |[[https://www.alsa-project.org/wiki/Main_Page|1.2.7]] |*/
/*|mp4split |0 |D1 |1.11.9 |[[https://docs.unified-streaming.com/installation/distributions.html|1.11.17]] |*/
/*|mod_smooth_streaming |0 |D1 |1.11.9 |[[https://docs.unified-streaming.com/installation/distributions.html|1.11.17]] |*/
/*|atop |0 |D1 |2.7.0 |[[https://www.atoptool.nl/downloadatop.php|2.7.1]] |*/
/*|iptables |0 |D1 |1.8.7 |[[https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.8.txt|1.8.8]] |*/
/*|sudo |0 |D1 |1.9.9 |[[https://www.sudo.ws/changes.html|1.9.11p2]] |*/
/*|apache |0 |D1 |2.4.53 |[[http://www.apache.org/dist/httpd/CHANGES_2.4.54|2.4.54]] |*/
/*|keycloak |1 |D1 |19.0.1 |[[https://www.keycloak.org/docs/latest/release_notes/index.html|19.0.2]] |*/
/*|Elastic Search |0 |D1 |7.17.5 |[[https://www.elastic.co/guide/en/elasticsearch/reference/7.17/es-release-notes.html|7.17.6]] |*/
/*|syslog-ng |0 |D1 |3.37.1 |[[https://github.com/balabit/syslog-ng/blob/master/NEWS.md|3.38.1]] |*/
|nginx |0 |D1 |1.23.1 |[[http://nginx.org/en/CHANGES|1.23.2]]|
/*|php 7.4 |0 |D1 |7.4.30 |[[https://www.php.net/ChangeLog-7.php#7.4.32|7.4.32]] |*/
/*|php 8.0 |0 |D1 |8.0.21 |[[https://www.php.net/ChangeLog-8.php#8.0.21|8.0.24]] |*/
/*|passenger |0 |D1 |6.0.14 |[[https://github.com/phusion/passenger/blob/stable-6.0/CHANGELOG|6.0.15]] |*/
/*|ruby 2.7 |0 |D1 |2.7.5 |[[https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/|2.7.6]] |*/
/*|python |0 |D1 |2.7.17 |[[https://www.python.org/downloads/release/python-2717/|2.7.17]] |*/
/*|python |0 |D1 |3.8.13 |[[https://docs.python.org/3.8/whatsnew/changelog.html|3.8.14]] |*/
/*|node 14 |0 |D1 |14.20.0 |[[https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md|14.20.1]] |*/
/*|node 16 |0 |D1 |16.16.0 |[[https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md|16.17.1]] |*/
/*|yarn |0 |D1 |1.22.19 |[[https://github.com/yarnpkg/yarn/blob/master/CHANGELOG.md|1.22.19]]|*/
/*|perl |0 |D1 |5.34.1 |[[https://perldoc.perl.org/index-history.html|5.36.0]] |*/
/*|tomcat-native |0 |D1 |1.2.35 |[[http://tomcat.apache.org/native-doc/miscellaneous/changelog.html|1.2.35]] |*/
/*|memcached |1 |D1 |1.6.15 |[[https://github.com/memcached/memcached/wiki/ReleaseNotes1617|1.6.17]]|*/
/*|ImageMagick |0 |D1 |7.1.0-45 |[[https://www.imagemagick.org/script/changelog.php|7.1.0-49]] |*/
/*|goaccess |0 |D1 |1.6.2 |[[https://goaccess.io/release-notes|1.6.3]] |*/
/*|gzip |0 |D1 |1.12 |[[https://www.gnu.org/software/gzip/|1.12]] |*/
/*|rclone |0 |D1 |1.58.1 |[[https://rclone.org/changelog/|1.59.0]] |*/
/*|ts |0 |D1 |0.7.3 |[[http://freshmeat.sourceforge.net/projects/taskspooler|1.0.2]] |*/
/*|ffmpeg4 |0 |D1 |4.4.1 |[[https://www.ffmpeg.org/download.html#releases|4.4.2]] |*/
/*|ffmpeg5 |0 |D1 |5.1 |[[https://www.ffmpeg.org/download.html#releases|5.1.2]] |*/
/*|sox |0 |D1 |14.4.2 |[[http://sox.sourceforge.net/|14.4.2]] |*/
/*|git |0 |D1 |2.37.1 |[[https://git-scm.com/|2.37.3]] |*/
/*|netperf |0 |D1 |2.7.0 |[[https://github.com/HewlettPackard/netperf/blob/master/Release_Notes|2.7.0]] |*/
/*|id3v2 |0 |D1 |0.1.12 |[[https://sourceforge.net/projects/id3v2/|0.1.12]] |*/
/*|httperf |0 |D1 |2020-12-06 |[[https://github.com/httperf/httperf|2020-12-06]] |*/
/*|wkhtmltox |0 |D1 |0.12.6 |[[https://github.com/wkhtmltopdf/wkhtmltopdf/blob/master/CHANGELOG.md|0.12.6]] |*/
/*|postfix |0 |D1 |3.7.2 |[[http://www.postfix.org/announcements/postfix-3.7.2.html|3.7.2]] |*/
/*|amavisd |0 |D1 |2.11.1 |[[https://www.amavis.org/release-notes.txt|2.11.1]] |*/
/*|clamav |0 |D1 |0.105.1 |[[https://blog.clamav.net/|0.105.1]] |*/
/*|p0f |0 |D1 |3.09b |[[https://lcamtuf.coredump.cx/p0f3/|3.09b]] |*/
/*|postgrey |0 |D1 |1.37 |[[https://github.com/schweikert/postgrey/blob/master/Changes|1.37]] |*/
/*|spamassassin |0 |D1 |3.4.6 |[[https://spamassassin.apache.org/news.html|3.4.6]] |*/
/*|unrar |0 |D1 |6.1.7 |[[http://www.linuxfromscratch.org/blfs/view/svn/general/unrar.html|6.1.7]] |*/
/*|bind |0 |D1 |9.16.31 |[[https://ftp.isc.org/isc/bind9/9.16.33/CHANGES|9.16.33]] |*/
/*|unbound |0 |D1 |1.16.2 |[[http://www.unbound.net/download.html|1.16.3]] |*/
/*^ ^^^^^*/
/*|OpenJDK8U-jre |2 |N3 |8u332b09 |[[https://adoptopenjdk.net/release_notes.html|8u342b07]] |*/
/*|OpenJDK11U-jre |2 |N3 |11.0.16+8 |[[https://adoptopenjdk.net/release_notes.html|11.0.16.1+1]] |*/
/*|OpenJDK11U-jdk |2 |N3 |11.0.16+8 |[[https://adoptopenjdk.net/release_notes.html|11.0.16.1+1]] |*/
/*|tomcat 8 |2 |N3 |8.5.81 |[[https://tomcat.apache.org/tomcat-8.5-doc/changelog.html|8.5.82]] |*/
/*|tomcat 9 |1 |D1 |9.0.64 |[[https://tomcat.apache.org/tomcat-9.0-doc/RELEASE-NOTES.txt|9.0.65]] |*/
/*|mysql-connector-java |2 |N3 |8.0.30 |[[https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/|8.0.30]] |*/
/*|ActiveMQ |2 |N3 |5.17.1 |[[https://activemq.apache.org/activemq-5017002-release|5.17.2]] |*/
/*|mariadb 10.5 |1 |N3 |10.5.16 |[[https://mariadb.com/kb/en/mariadb-10517-release-notes/|10.5.17]] |*/
/*|mariadb 10.6 |1 |N3 |10.6.8 |[[https://mariadb.com/kb/en/mariadb-10610-release-notes/|10.6.10]] |*/
/*|mysql |1 |N3 |5.7.39 |[[https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-39.html|5.7.39]] |*/
^ ^^^^^

==== Legend ====

A lot of software can be updated with no impact, or with very little. We choose to carry out such updates during the day. For a number of other components the impact is somewhat more noticeable. We carry those out in a nightly change window. Below, the impact is numbered from 0 (no impact) through 1 (a brief interruption of a few seconds) to 2 (an interruption of service of a few minutes).

The times are as follows:

^code ^time ^
|D1 |Wednesday 19 October 16:00--17:00 |
/*|D2 |Tuesday 11 October 8:00--12:00 |*/
/*|N3 |Wednesday 12 October 1:00--6:00 AM |*/
/*|D3 |Wednesday 12 October 8:00--17:00 |*/
/*|W |10--13 October 8:00--17:00 |*/
/*|tbd |to be determined in consultation with the users |*/

==== Availability ====

Team Hosting&Streaming can be reached through the normal channels throughout all maintenance. See the [[:contact|contact page]].

Last modified: 2025/03/21 11:39