<div style="font-family: Arial, sans-serif; font-size: 14px;">Hi folks, </div><div style="font-family: Arial, sans-serif; font-size: 14px;"><br></div><div><font face="Arial, sans-serif">Proton hosts 3 RIPE Anchors (7120, 6847, 6854) and during routine vulnerability scanning we identified these appliances running nginx 1.20.1, which is potentially vulnerable to two CVEs (</font><span style="font-family: system-ui, sans-serif; font-size: 10.5pt;">CVE-2022-41741 and </span><font face="Arial, sans-serif"><span style="font-size: 10.5pt;">CVE-2022-41742). Given the mp4 module pre-req, </span>I<span style="font-size: 10.5pt;"> </span>doubt they are vulnerable in practice, but this highlighted that the nginx 1.20 train was deprecated 11 months ago, and 1.23/1.24 are the currently active releases. </font></div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);"><br></div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);">I note the last probe firmware update 5080 (which we run already) from Nov/22 disabled auto updates on the appliances, so I assume there will be regular updates coming from RIPE going forward instead?</div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);"><br></div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);">Thanks</div><div style="font-family: Arial, sans-serif; font-size: 14px; color: rgb(0, 0, 0);">John </div>
<div class="protonmail_signature_block" style="font-family: Arial, sans-serif; font-size: 14px;">
<div class="protonmail_signature_block-user">
<div>-- <br></div><div>John Howard <br></div><div>Head of Network Infrastructure<br></div><div>Proton AG<br></div>
</div>
</div>