Test System Security

cancel
Showing results for 
Search instead for 
Did you mean: 

Packages updates and security for targets running LinuxRT

Hi,
Here is a thread that was started into the LV Champions forums : https://forums.ni.com/t5/LabVIEW-Champion-Discussions/Software-Feed-Security/m-p/4337693/highlight/...

For the ones who do not have acces, it started when James McNally discovered that packages was served through a http (no encrytion, no security) link.
I then recalled that I contacted the security team about vulnerabilities in packages exposed by the feeds in March 2022.
At that time the cybersec team answered that packages would be updated soon.

So I restarted my exercise today, here are my findings :
------------------

I just updated a LinuxRT VM today and install RT image 2023.3 on it.

And I checked for the current version of the tools I spoke about earlier : pgSQL and Samba.

 

pgSQL is now in version 13.5 => this version was released in 11/2021. So it is outdated (2 years old ; current version is 16).

Samba is now in version 4.10.18 => this version was released in 09/2020. So it is outdated (3 years old ; current version is 4.19.2).

 

Now if I look CVE details (https://www.cvedetails.com/) :

 

These vulnerabilities implies files access with elevated rights, code execution or data corruption.
------------------

How comes that in the newest image given for NI LinuxRT, packages can be that deprecated and expose that many security issues ?

CLA, CTA, LV Champion
View Cyril Gambini's profile on LinkedIn
This post is made under CC BY 4.0 DEED licensing
0 Kudos
Message 1 of 1
(60 Views)