Mirror of https://github.com/infiniflow/ragflow.git, synced 2026-06-29 23:41:12 +08:00
## Summary

- Bump pinned nginx in `Dockerfile` from `1.29.5-1~noble` (vulnerable) to `1.31.0-1~noble` to remediate **CVE-2026-42945**.

## Root Cause

`Dockerfile:58` pinned `ARG NGINX_VERSION=1.29.5-1~noble`. Per the official nginx security advisory, **CVE-2026-42945** is a buffer overflow in `ngx_http_rewrite_module` triggered via the `rewrite` and `set` directives, affecting nginx **0.6.27 through 1.30.0**. `1.29.5` falls inside that range, so the shipped image is vulnerable.

References:

- nginx security advisories: https://nginx.org/en/security_advisories.html
- Vendor advisory: https://my.f5.com/manage/s/article/K000161019
- Fixed versions: `1.31.0` (mainline) and `1.30.1` (stable)

## Fix

Single-line change in `Dockerfile:58`:

```diff
-ARG NGINX_VERSION=1.29.5-1~noble
+ARG NGINX_VERSION=1.31.0-1~noble
```
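Review bot: the `ARG NGINX_VERSION` line alone does not show which nginx.org apt repository the Dockerfile adds, and `nginx=1.31.0-1~noble` is only installable from the mainline repository; if the image's apt source points at the stable series, the build will fail at package install. Since the old pin `1.29.5` is itself a mainline release, `1.31.0-1~noble` is the consistent choice, but please confirm the repository line in the same Dockerfile serves mainline, or pin `1.30.1-1~noble` (the stable fix the description lists) if it serves stable.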
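The Root Cause section gives an inclusive affected range (0.6.27 through 1.30.0) and two fixed versions on different branches (1.30.1 stable, 1.31.0 mainline), which is exactly the kind of boundary an image audit gets wrong when it compares version strings lexically. The following is an added example, not code from the ragflow repository or from this PR: it reduces a Debian package version such as `1.29.5-1~noble` to its upstream nginx version tuple, tests it against that range, and applies the check to a constructed Dockerfile fragment. The Dockerfile text, the function names and the `~noble`/epoch handling are assumptions made for illustration.

```python
"""Version-range check for the nginx pin discussed in this PR.

Added example, not code from the ragflow repository or this PR's author.
The affected range (0.6.27 through 1.30.0) and the fixed versions
(1.30.1 stable, 1.31.0 mainline) are taken from the PR description;
the Dockerfile fragments below are constructed for illustration.
"""
import re
from typing import Dict, Tuple, Union

Version = Tuple[int, ...]

# Inclusive bounds of the affected range quoted in the PR description.
AFFECTED_FROM: Version = (0, 6, 27)
AFFECTED_THROUGH: Version = (1, 30, 0)

# Constructed Dockerfile fragments: the "before" and "after" of the one-line fix.
VULNERABLE_DOCKERFILE = """\
FROM ubuntu:24.04
ARG NGINX_VERSION=1.29.5-1~noble
RUN apt-get update && apt-get install -y nginx=${NGINX_VERSION}
"""
FIXED_DOCKERFILE = VULNERABLE_DOCKERFILE.replace("1.29.5-1~noble", "1.31.0-1~noble")


def upstream_version(pkg_version: str) -> Version:
    """Reduce a Debian package version to the upstream nginx version tuple.

    Strips an optional epoch ("1:"), the Debian revision ("-1") and any
    tilde suffix ("~noble"), so "1.29.5-1~noble" -> (1, 29, 5).
    """
    v = pkg_version.split(":", 1)[-1]   # drop epoch, if any
    v = v.split("-", 1)[0]              # drop Debian revision
    v = v.split("~", 1)[0]              # drop ~noble / ~rc style tags
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unrecognised nginx version string: {pkg_version!r}")
    return tuple(int(part) for part in v.split("."))


def is_affected(pkg_version: str) -> bool:
    """True when the pinned upstream version lies in [0.6.27, 1.30.0].

    Numeric tuple comparison keeps 1.30.1 (stable fix) and 1.31.0
    (mainline fix) outside the range while 1.30.0 itself stays inside it;
    a plain string comparison would misorder e.g. "1.9.x" against "1.30.x".
    """
    return AFFECTED_FROM <= upstream_version(pkg_version) <= AFFECTED_THROUGH


def pinned_nginx_version(dockerfile_text: str, arg: str = "NGINX_VERSION") -> str:
    """Return the value assigned by `ARG <arg>=...` in a Dockerfile."""
    m = re.search(rf"^\s*ARG\s+{re.escape(arg)}=(\S+)", dockerfile_text, re.MULTILINE)
    if not m:
        raise ValueError(f"ARG {arg} not found in Dockerfile")
    return m.group(1)


def audit_dockerfile(dockerfile_text: str) -> Dict[str, Union[str, bool]]:
    """Report the pinned nginx package version and whether it is affected."""
    pinned = pinned_nginx_version(dockerfile_text)
    return {"pinned": pinned, "affected": is_affected(pinned)}


if __name__ == "__main__":
    for label, text in (("before", VULNERABLE_DOCKERFILE), ("after", FIXED_DOCKERFILE)):
        print(label, audit_dockerfile(text))
```

Run it against a real `Dockerfile` by reading the file into `audit_dockerfile`; the same `is_affected` check can be pointed at the output of `dpkg-query -W -f='${Version}' nginx` inside an already built image, which is the check that catches a cached base layer still carrying the old package after the `ARG` was bumped.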