[FOLIO-3535] Upgrade bitnami/elasticsearch:7.10.2 Created: 06/Jul/22 Updated: 18/Jan/24

| Status: | Open |
| Project: | FOLIO |
| Components: | Continuous Integration |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task |
| Priority: | P2 |
| Reporter: | Julian Ladisch |
| Assignee: | Unassigned |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | reviewed, security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | Kitfox: sprint 146, DevOps Requests, Kitfox: sprint 165, Kitfox: sprint 145, Kitfox: sprint 148 |
| Story Points: | 2 |
| Development Team: | FOLIO DevOps |
| Description |

sets

    elasticsearch_version: 7.10.2
    elasticsearch_image: docker.io/bitnami/elasticsearch

The version 7.10 has reached end of life on 2022-05-11: https://www.elastic.co/support/eol

Docker Hub reports that the container has the Log4Shell vulnerability: https://hub.docker.com/layers/elasticsearch/bitnami/elasticsearch/7.10.2/images/sha256-73128f92f1d370b782a32928c569772bd7563d54b39b0a11d27269ae4494c593?context=explore

Snyk reports that the container has many vulnerable packages; the most severe issues are
elasticsearch 7.10 is the last version under the Apache 2.0 license; later versions have a proprietary license. The mod-search module has switched the server it tests against from elasticsearch to the fork opensearch, which remains under the Apache 2.0 license (
| Comments |
| Comment by Craig McNally [ 07/Jul/22 ] |

Taras Spashchenko / oleksandr_haimanov the Security team wanted to make sure this was on the Kitfox radar. If it can't be done in this sprint, that's OK, but it should be done soon.
| Comment by Julian Ladisch [ 09/Sep/22 ] |

As of today this is the list of search engine versions that the vendors endorse for production use:

For details see
| Comment by Julian Ladisch [ 16/Sep/22 ] |

Volodymyr Kartsev wrote: