[SAC] [abuse #31856] CISA Security issues with OSGEO hosts

Regina Obe lr at pcorp.us
Mon Oct 18 15:48:42 PDT 2021


Okay will take a look at these later this week.
Weird, I thought upgrading nginx on Ubuntu to 1.18 would do the trick. Guess the goal post has moved to 1.20.
Osgeo3 is running nginx on Debian, and though it is an older nginx, it looked like Debian had patched these for lower versions.
But I'll upgrade that to latest.

Osgeo6.osgeo.osuosl.org -- sslabs says the cert is fine - says A+ for https://osgeo6.osgeo.osuosl.org
You think this is just a false positive because of issues with LetsEncrypt old root cert or is it complaining about a different cert?

Thanks,
Regina

> -----Original Message-----
> From: Sac [mailto:sac-bounces at lists.osgeo.org] On Behalf Of Lance Albertson
> via RT
> Sent: Monday, October 18, 2021 4:11 PM
> To: sac at lists.osgeo.org
> Cc: rootmail-students at osuosl.org
> Subject: [SAC] [abuse #31856] CISA Security issues with OSGEO hosts
> 
> On Tue Oct 12 09:34:28 2021, lr at pcorp.us wrote:
> > > Looks like the TLS issue has been resolved. Here's the report from
> > > last week (I'm still waiting for the one for this week). Can you
> > > please verify that the version of nginx you have installed on your
> > > Ubuntu machines is at least or newer than the version described here [1]?
> > >
> > > [1] https://ubuntu.com/security/CVE-2019-20372
> > >
> > [Regina Obe]
> > Looks like they are lower.  I'll try to upgrade them this coming week.
> 
> Looks like it resolved some of them but we have a new CVE [1] that needs
> addressed. I've attached the report so you can see all of the issues. It also
> seems you might be using the expired LetsEncrypt CA in some places.
> 
> [1] https://ubuntu.com/security/CVE-2021-23017
> 
> --
> Lance Albertson
> Director
> Oregon State University | Open Source Lab


