<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:24:16 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2923] Drop --no-check-certificate from wget (Man-in-the-middle attack)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2923</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;b&gt;Overview:&lt;/b&gt;&lt;br/&gt;
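FOLIO is vulnerable to man-in-the-middle attacks because some software is installed using &lt;tt&gt;wget --no-check-certificate&lt;/tt&gt;. With that option wget does not verify the server&apos;s TLS certificate, so an attacker on the network path can replace the downloaded files and thereby install malware.&lt;/p&gt;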

&lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt;&lt;br/&gt;
Don&apos;t use the &lt;tt&gt;--no-check-certificate&lt;/tt&gt; command line option when running &lt;tt&gt;wget&lt;/tt&gt;.&lt;/p&gt;

&lt;p&gt;Install the ca-certificates package that wget needs for the checks:&lt;br/&gt;
&lt;tt&gt;apt-get install wget&lt;/tt&gt; automatically installs the ca-certificates package because &lt;tt&gt;wget&lt;/tt&gt; recommends &lt;tt&gt;ca-certificates&lt;/tt&gt;.&lt;br/&gt;
&lt;tt&gt;apt-get install --no-install-recommends wget&lt;/tt&gt; doesn&apos;t install ca-certificates, which leaves wget without a trusted CA bundle so that HTTPS certificate verification fails; it should be amended to &lt;tt&gt;apt-get install --no-install-recommends ca-certificates wget&lt;/tt&gt;.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Affected code&lt;/b&gt;&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/error.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; = vulnerable, &lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; = fixed&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; &lt;a href=&quot;https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.agent-focal-java-11&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.agent-focal-java-11&lt;/a&gt;&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; &lt;a href=&quot;https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11&lt;/a&gt;&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; &lt;a href=&quot;https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.xenial-java-8&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.xenial-java-8&lt;/a&gt;&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; &lt;a href=&quot;https://github.com/folio-org/stripes-testing/blob/master/Dockerfile&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/stripes-testing/blob/master/Dockerfile&lt;/a&gt;&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; &lt;a href=&quot;https://github.com/folio-org/ui-testing/blob/master/Dockerfile&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/ui-testing/blob/master/Dockerfile&lt;/a&gt; (counted as fixed because the repository has been archived and is no longer in use)&lt;br/&gt;
&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; &lt;a href=&quot;https://github.com/folio-org/docs/blob/master/content/en/docs/Getting%20started/Installation/singleservernocontainers.md&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/docs/blob/master/content/en/docs/Getting%20started/Installation/singleservernocontainers.md&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="81881">FOLIO-2923</key>
            <summary>Drop --no-check-certificate from wget (Man-in-the-middle attack)</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="61cd0ca0bce5e00069e98be7">David Crossley</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>security</label>
                    </labels>
                <created>Thu, 17 Dec 2020 21:38:14 +0000</created>
                <updated>Tue, 5 Jan 2021 12:54:21 +0000</updated>
                            <resolved>Tue, 22 Dec 2020 14:11:19 +0000</resolved>
                                                                    <component>Continuous Integration</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="198551" author="5ee89462f7aa140abd82d11d" created="Thu, 17 Dec 2020 21:48:16 +0000"  >&lt;p&gt;3 fixes: &lt;a href=&quot;https://github.com/folio-org/folio-tools/pull/134&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-tools/pull/134&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="198553" author="5ee89462f7aa140abd82d11d" created="Thu, 17 Dec 2020 22:24:48 +0000"  >&lt;p&gt;Two more fixes:&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/stripes-testing/pull/86&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/stripes-testing/pull/86&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/docs/pull/2&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/docs/pull/2&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="198555" author="61cd0ca0bce5e00069e98be7" created="Fri, 18 Dec 2020 04:53:31 +0000"  >&lt;p&gt;Regarding folio-tools:&lt;/p&gt;

&lt;p&gt;I merged Julian&apos;s PR, then built and deployed the new jenkins-slave-all docker build images.&lt;/p&gt;

&lt;p&gt;java-11 is tagged as 2.5.0&lt;br/&gt;
java-8 is tagged as 1.3.0&lt;/p&gt;

&lt;p&gt;Tested each via FOLIO CI.&lt;/p&gt;</comment>
                                                            <comment id="198556" author="61cd0ca0bce5e00069e98be7" created="Tue, 22 Dec 2020 02:29:03 +0000"  >&lt;p&gt;Regarding folio-tools:&lt;/p&gt;

&lt;p&gt;The java-11 (tagged as 2.3.0) is okay.&lt;/p&gt;

&lt;p&gt;The java-8 (tagged as 1.3.0) was tested with a backend module that has not yet moved to Java 11. That build was okay.&lt;/p&gt;

&lt;p&gt;However, it was later discovered that one old environment build still uses this image. This build failed.&lt;/p&gt;

&lt;p&gt;Inspection shows that &quot;ansible&quot; was not properly constructed in the build of the jenkins-slave-all image.&lt;/p&gt;

&lt;p&gt;So jenkins-slave-all:latest has been restored to the previous version (1.2.2).&lt;/p&gt;</comment>
                                                            <comment id="198558" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Tue, 22 Dec 2020 14:11:19 +0000"  >&lt;p&gt;Done for the JDK 11 image; won&apos;t do for the JDK 8 image because that image is deprecated. See 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;FOLIO-2926&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2926&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Deprecate JDK 8 jenkins-slave-all image&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-2926
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-current jira-macro-single-issue-export-pdf&quot;&gt;In Code Review&lt;/span&gt;
            &lt;/span&gt;
&lt;/p&gt;</comment>
                                                            <comment id="198560" author="61cd0ca0bce5e00069e98be7" created="Tue, 5 Jan 2021 12:54:21 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; The java8 one was deliberately marked with a cross because that docker image could no longer be built, even as-is prior to your changes. See notes in previous issue comments.&lt;/p&gt;

&lt;p&gt;So we are deprecating it as soon as possible. See 
    &lt;span class=&quot;jira-issue-macro&quot; data-jira-key=&quot;FOLIO-2926&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2926&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Deprecate JDK 8 jenkins-slave-all image&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            FOLIO-2926
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-current jira-macro-single-issue-export-pdf&quot;&gt;In Code Review&lt;/span&gt;
            &lt;/span&gt;
.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="79841">FOLIO-2926</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i025xr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1884">DevOps: Sprint 104</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 18 Dec 2020 04:53:31 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>