Wow ... thank you!
I was scratching my head, and you really helped me out.

Indeed, 10 minutes is perfectly doable, and moving ahead with a
container-based solution also seems viable now.

Reinier


On Tue, Sep 17, 2024 at 5:06 PM Nick Couchman <vn...@apache.org> wrote:

> On Tue, Sep 17, 2024 at 10:46 AM Reinier Post <rp4...@gmail.com> wrote:
>
>> On 2024/09/08 11:36:56 "Agranov, Andrey" wrote:
>> > Hello
>> > The guacamole/guacamole:1.5.5 Docker image uses Tomcat 8.5.98, which has
>> > several vulnerabilities, particularly CVE-2024-23672 and CVE-2024-24549.
>> > Both vulnerabilities were fixed in Tomcat 8.5.99.
>> > What is the recommended way to get a stable and tested image with the
>> > latest Tomcat 8.5.X?
>> >   a. Wait for an official guacamole 1.5.X release? When is it planned?
>> >   b. Build an image based on 1.5.5 locally and upgrade Tomcat?
>> >   c. Use guacamole/guacamole:latest? Is it stable and suitable for
>> > production?
>> > Thanks
>> > Andrey
>>
>> I just researched this issue (prompted by our security team) and found
>> this thread on the mailing list.
>>
>> It would be great to see this addressed.
>>
>> Tomcat 8.5.* went EOL on March 31:
>>
>>   https://tomcat.apache.org/tomcat-85-eol.html
>>
>> The latest 8.5.* release, 8.5.100, was released before that.
>> So we should be using Tomcat 9.0.* now.
>>
>>
> Yes, agreed.
>
>
>> I am trying to deploy Guacamole in a supported manner.
>> The documentation offers two options:
>>
>>   1. compiling everything manually
>>   2. using the Docker image supplied
>>
>> Clearly, 1 is a no go in production environments.
>>
>
> Compiling everything manually is perfectly valid in production
> environments. You may not want to go that route, and that's fine, but
> there's nothing wrong with installing Guacamole that way.
>
>
>> We need to be able to remedy security issues swiftly.
>> We can't afford the time to manually recompile Guacamole for every
>> Guacamole server whenever needed.
>>
>>
> Compiling from source does not take very long - both client and server can
> be compiled in under 10 minutes on reasonable, modern hardware:
>
> guacd configure: 13s
> guacd make: 1m0s
> guacamole-client clean + build: 2m25s
>
> (VMware VM running Rocky 8 with 4 cores and 32GB of RAM)
>
>
>> 2 seems viable in principle, but it depends on everything being updated
>> to keep ahead of vulnerabilities.
>> Tomcat 8.5 is no longer receiving any.
>>
>> So we need an image with Tomcat 9.0.
>> I have looked at the existing image here
>>
>>
>> https://hub.docker.com/layers/guacamole/guacamole/latest/images/sha256-edd266c56accc3f432064ac409fb85c9e68c377a670f5cb150817189b0b024bf?context=explore
>>
>> and it is unclear where it gets its Tomcat from, let alone how to change
>> it.
>>
>> Please supply an image based on Tomcat 9. Better still, publish your
>> image definition in full so we can tweak it as desired.
>>
>>
> The "image definitions" (Dockerfile) are available as part of the source
> code in our public git repositories. Here's the Dockerfile for 1.5.5:
>
> https://github.com/apache/guacamole-client/blob/1.5.5/Dockerfile
>
> The next release, 1.6.0, will contain Tomcat 9:
>
> https://github.com/apache/guacamole-client/blob/staging/1.6.0/Dockerfile
>
> We'll supply the image containing Tomcat 9 when we release 1.6.0,
> hopefully in the next week or two.
>
> -Nick
>