archivematica and ubuntu 18


Night Owl

May 5, 2022, 10:40:32 PM
to archivematica
Hi all .. I think I asked this before, but didn't receive a response. We are running the latest Archivematica (1.13.2) on Ubuntu 18. Our vulnerability scans are constantly showing that ubuntu, nginx 1.14.0, jquery 1.0,2.0 and log4j 1.2 versions are obsolete. Has anyone upgraded those and/or upgraded to Ubuntu 20 successfully with Archivematica, or are there plans to release a version for Ubuntu 20 and upgraded nginx, jquery, etc? 

gou...@wrlc.org

May 6, 2022, 10:28:58 AM
to archivematica
Hi Owl,

Regarding log4j and Archivematica, see https://wiki.archivematica.org/Log4j

My Archivematica servers are not open to the Internet so they aren't included in vulnerability scans that we have done. But from other servers I manage I can tell you that (1) if you keep Ubuntu 18's packages up-to-date, the latest nginx (1.14.0-0ubuntu1.10) is patched against all known vulnerabilities and the solution to the false positives is to turn server_tokens off in nginx.conf; and (2) jquery is typically application specific and usually not something that upgrading Ubuntu will resolve.

Regarding Ubuntu 20, I don't know if anyone has tried, but Artefactual hasn't tested it and (from the Archivematica 1.13 release notes) are saying that "We're planning to add support for Ubuntu 20.04 in the short term."

HTH, Don

Night Owl

Aug 9, 2022, 2:48:17 PM
to archivematica
Following up on this.  Our Archivematica server is firewalled as well, and not open to the full public internet, but we still have a requirement to resolve vulnerabilities. 

Regarding log4j, the linked wiki pertains to cleaning up log4j v2, which we have cleaned long ago, but our scans are finding log4j 1.x installed (with Fits, I believe). That version was not addressed in these fixes (as it doesn't include the referenced class). Can it be removed?

And it finds other high-risk vulns related to spring framework in Fits. Is there a way (or plans) to upgrade or remove fits?

It also finds high-risk vulns related to old jquery versions .. is Archivematica using them .. or can they be upgraded? 

Sarah Romkey

Aug 15, 2022, 9:31:47 AM
to archiv...@googlegroups.com
Hi,

Regarding FITS, it can be removed, yes. The implication will be that any format without an existing rule for file characterisation with a more specific tool (Mediainfo, Exiftool, etc) will not be characterized (FITS is the "fallback"). However, a number of our users remove or disable FITS anyway because they find its verbose output is too much of a performance hit so it may be a win-win for you anyway.

The jquery question is beyond my knowledge, apologies - I'll see if someone else from our team can respond.

Cheers,

Sarah

Sarah Romkey, MAS,MLIS
Archivematica Program Manager
@archivematica / @accesstomemory





Night Owl

Aug 15, 2022, 6:27:42 PM
to archivematica
Is there a safe way to remove it without disrupting anything else? I assume it gets installed with something else during the install, so can I just disable and uninstall it? And, is it fits-nailgun?
Thanks so much for the help.

Amaya Rodrigo

Aug 16, 2022, 10:41:05 AM
to archiv...@googlegroups.com
Yes, you can remove it, the name is correct.
You also need to disable FITS in the FPR (in the am web GUI).





--
Amaya M Rodrigo Sastre (she/her/bofh) - sysadmin@artefactual

Amaya Rodrigo

Aug 16, 2022, 10:50:21 AM
to archiv...@googlegroups.com
GUI Instructions to disable FITS on archivematica:

Go to Characterization -> Rules -> Search "fits". Click on disable

Go to Characterization -> Commands -> Search "fits". Click on disable

You have disabled FITS on archivematica.

Night Owl

Aug 16, 2022, 3:14:48 PM
to archivematica
ah perfect .. thanks for the instructions to disable and also to remove the service. (We really just want to remove log4j 1.x but if that requires removing the service so be it!)

Amaya Rodrigo

Aug 17, 2022, 4:53:37 AM
to archiv...@googlegroups.com

You only need to do the GUI thing if you disable fits, log4j is an entirely different issue.
We have disabled fits in most of our clients, no issues at all!  :)

Night Owl

Aug 17, 2022, 2:52:41 PM
to archivematica
we REALLY just want to get rid of log4j 1.x which is installed with fits .. can we just delete the log4j 1.x pieces? that is why I assumed we had to remove fits

Amaya Rodrigo

Aug 17, 2022, 3:38:09 PM
to archiv...@googlegroups.com
We have not tested actually removing log4j packages in am, but you could give it a try, after all it shouldn't be difficult to reinstall with yum or apt?
Please report your findings! :)
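
An added example, not part of the thread and not Archivematica or FITS code: a Python inventory that identifies log4j by the classes inside each jar rather than by filename, so a scan finding for log4j 1.x can be told apart from log4j 2 jars with or without JndiLookup.class before anything is deleted. It assumes JndiLookup.class is the class the log4j 2 cleanup removes; the jar names and directory layout are constructed sample data.

```python
import os
import sys
import tempfile
import zipfile

# Class entries used as markers. Assumption: JndiLookup.class is the class the
# log4j 2 cleanup removes; log4j 1.x jars never contained it.
LOG4J1 = "org/apache/log4j/Logger.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(path):
    """Label one jar by its contents; None means no log4j classes found."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return "unreadable"  # report it, a scanner may still flag the file
    if LOG4J2_CORE in names:
        return "log4j-2-core+JndiLookup" if JNDI_LOOKUP in names else "log4j-2-core"
    if LOG4J1 in names:
        # Jars that reimplement the org.apache.log4j package match too.
        return "log4j-1.x-api"
    return None

def scan(root):
    """Walk root; return {jar path relative to root: label}. Nested jars are not unpacked."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war")):
                full = os.path.join(dirpath, name)
                label = classify_jar(full)
                if label:
                    findings[os.path.relpath(full, root)] = label
    return findings

def build_sample_tree(root):
    """Constructed sample data: hypothetical jar names holding empty class entries."""
    lib = os.path.join(root, "fits", "lib")
    os.makedirs(lib)
    samples = {"logging-a.jar": [LOG4J1], "core-cleaned.jar": [LOG4J2_CORE],
               "core-old.jar": [LOG4J2_CORE, JNDI_LOOKUP], "other.jar": ["com/example/Tool.class"]}
    for name, entries in samples.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")
    with open(os.path.join(lib, "broken.jar"), "wb") as fh:
        fh.write(b"not a zip archive")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else tmp
        if root == tmp:
            build_sample_tree(root)
        for path, label in sorted(scan(root).items()):
            print(f"{label:26} {path}")
```

Run with a directory argument to scan a real install; with no argument it scans the constructed sample tree.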

