Release Notes and Announcements

Jama 8.36.1 and nginx

  • 1.  Jama 8.36.1 and nginx

    Posted 09-13-2019 15:14

    So, our Jama server running CentOS 7 was just flagged for a security issue due to an older version of nginx.  According to CVE-2019-9511, CVE-2019-9513, CVE-2019-9516, we need to have nginx > 1.16.1 and < 1.17.3.  Our version of nginx is 1.14.0.  

    The problem is that Jama comes pre-bundled with nginx 1.14.0.  I tried to update in docker, but the container that houses nginx does not contain yum or rpm.  I reinstalled Jama 8.36.1 using replicated replicated_ui and replicated_operator of 2.32.2, but I was still left with nginx 1.14.0.

    Is there a way to get an updated version of nginx in our Jama 8.36.1 installation?  I have a one month waiver before the system loses network connectivity due to this security issue.



    ------------------------------
    Ted Ying
    NASA GSFC
    Greenbelt MD
    ted.ying@nasa.gov
    ------------------------------


  • 2.  RE: Jama 8.36.1 and nginx

    Posted 09-13-2019 18:18
    @Ted:

    Sounds like something we need to check in the backend, please make a ticket with our Support team.

    Thank you,

    ------------------------------
    Chloe Elliott
    Jama Software
    Portland OR
    ------------------------------



  • 3.  RE: Jama 8.36.1 and nginx

    Posted 09-16-2019 05:04
    Thank you for bringing this to our attention.
    @Chloe, please keep us updated about the actions Jama is going to take, as we are affected as well.

    Thank you,
    Anna

    ------------------------------
    Anna Henke
    MeVis BreastCare GmbH & Co. KG
    ------------------------------



  • 4.  RE: Jama 8.36.1 and nginx

    Posted 09-26-2019 06:00
    Hi @Anna,

    Looks like 8.42 is shipped with NGINX_VERSION: 1.16.1-1.el7.ngx

    Best,
    Janis

    ------------------------------
    Janis V
    ------------------------------