Security Vulnerabilities #481

Open
Lewiscowles1986 opened this issue Mar 20, 2020 · 4 comments
@Lewiscowles1986

According to AWS ECR, these vulnerabilities are present within the `:latest` tag you are directing users to download.

Details of Vulnerabilities

| CVE | Component | Severity |
|---|---|---|
| CVE-2016-6301 | busybox:1.24.1-r7 | HIGH |
| CVE-2016-8859 | musl:1.1.12-r5 | HIGH |
| CVE-2016-6304 | openssl:1.0.2h-r1 | HIGH |
| CVE-2016-2182 | openssl:1.0.2h-r1 | HIGH |
| CVE-2016-6303 | openssl:1.0.2h-r1 | HIGH |
| CVE-2016-9843 | zlib:1.2.8-r2 | HIGH |
| CVE-2016-9841 | zlib:1.2.8-r2 | HIGH |
| CVE-2017-15873 | busybox:1.24.1-r7 | MEDIUM |
| CVE-2017-16544 | busybox:1.24.1-r7 | MEDIUM |
| CVE-2017-15650 | musl:1.1.12-r5 | MEDIUM |
| CVE-2017-3736 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2183 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-6302 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2181 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-6306 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2179 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2017-3731 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2017-3732 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-2180 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2017-3735 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-7052 | openssl:1.0.2h-r1 | MEDIUM |
| CVE-2016-9840 | zlib:1.2.8-r2 | MEDIUM |
| CVE-2016-9842 | zlib:1.2.8-r2 | MEDIUM |
| CVE-2016-7055 | openssl:1.0.2h-r1 | LOW |
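A small severity gate over a findings table in the one-line-per-finding form shown above (CVE, package:version, severity), as an added example that is not part of this issue or the project: it groups findings by base package so the owner can see which packages carry the HIGH findings, and fails the check when any finding meets a threshold. The sample input is a subset copied from the table, and the `HIGH` threshold is an assumed policy.

```python
"""Severity gate for an image-scan findings table (added example, not
project code). Input lines look like: CVE-2016-6301 busybox:1.24.1-r7 HIGH.
The threshold policy below is an assumption."""
from collections import defaultdict

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed input: a subset of the findings listed in the issue table.
SAMPLE_FINDINGS = """\
CVE Component Severity
CVE-2016-6301 busybox:1.24.1-r7 HIGH
CVE-2016-8859 musl:1.1.12-r5 HIGH
CVE-2016-6304 openssl:1.0.2h-r1 HIGH
CVE-2016-9843 zlib:1.2.8-r2 HIGH
CVE-2017-15873 busybox:1.24.1-r7 MEDIUM
CVE-2017-3736 openssl:1.0.2h-r1 MEDIUM
CVE-2016-9840 zlib:1.2.8-r2 MEDIUM
CVE-2016-7055 openssl:1.0.2h-r1 LOW
"""


def parse_findings(text):
    """Yield (cve, package, version, severity); header and junk lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].startswith("CVE-"):
            continue
        cve, component, severity = parts
        package, _, version = component.partition(":")
        yield cve, package, version, severity.upper()


def summarize_by_package(text):
    """Map package -> {"version", "counts" per severity, "worst" severity seen}."""
    summary = {}
    for _cve, package, version, severity in parse_findings(text):
        entry = summary.setdefault(
            package, {"version": version, "counts": defaultdict(int), "worst": "LOW"})
        entry["counts"][severity] += 1
        if SEVERITY_RANK.get(severity, 0) > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = severity
    return summary


def gate(text, threshold="HIGH"):
    """Return (passed, blocking CVEs) where blocking means severity >= threshold."""
    limit = SEVERITY_RANK[threshold]
    blocking = [cve for cve, _, _, sev in parse_findings(text)
                if SEVERITY_RANK.get(sev, 0) >= limit]
    return not blocking, blocking


if __name__ == "__main__":
    for pkg, info in summarize_by_package(SAMPLE_FINDINGS).items():
        print(pkg, info["version"], dict(info["counts"]), "worst:", info["worst"])
    print("gate passed:", gate(SAMPLE_FINDINGS)[0])
```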
@hbrunn

hbrunn commented Apr 7, 2020

I think it's safe to assume that this project is unsupported, and everyone should look for alternatives, like the nextcloud addon by the same developers or their commercial solution.

For the record I feel okay by now running this docker file until our alternative is as stable as this:

```dockerfile
FROM ubuntu:16.04

# Install spreed-webrtc from the strukturag unstable PPA, then point the
# packaged config at port 8080 and fill in the secrets and TURN settings
# (the placeholder values below are the ones from the original comment).
RUN apt-get update &&\
apt-get install -y software-properties-common &&\
apt-add-repository ppa:strukturag/spreed-webrtc-unstable &&\
apt-get update &&\
apt-get install -y spreed-webrtc &&\
sed -i /etc/spreed/webrtc.conf -e 's/^\(listen = \).*/\1:8080/' &&\
sed -i /etc/spreed/webrtc.conf -e 's/^\(sessionSecret = \).*/\1secret/' &&\
sed -i /etc/spreed/webrtc.conf -e 's/^\(encryptionSecret = \).*/\1secret/' &&\
sed -i /etc/spreed/webrtc.conf -e 's/^\(serverToken = \).*/\1secret/' &&\
sed -i /etc/spreed/webrtc.conf -e 's/^;\(title = \).*/\1title/' &&\
sed -i /etc/spreed/webrtc.conf -e 's/^;\(turnURIs = \).*/\1turn:host:port?transport=udp turn:host:port?transport=tcp/' &&\
sed -i /etc/spreed/webrtc.conf -e 's/^;\(turnSecret = \).*/\1secret/'

# Run the server in the foreground as the container's main process.
CMD spreed-webrtc-server
```

but of course I suffer a lot of sweat when rebuilding this and hoping that no update breaks the software.

@Lewiscowles1986 (author)

Interesting. I took a different approach running the rebuild here and publishing on 18.04 to make all the notices go away. I feel like the issue should live as it's not fixed though. There is a wontfix label which perfectly describes the situation as an unresolved issue, which can explicitly signal to users the state.

@hbrunn

hbrunn commented Apr 7, 2020

and none of us has the permission to set that, so I think this point is quite moot.

@Tokarak

Tokarak commented Aug 17, 2022

I was looking for alternatives, and I think this may be the best: holtwick/briefing, which also has a public instance at https://brie.fi/ng.

The plusses are a good UI and good encryption; all the components are lightweight and can easily be self-hosted; there are native mobile clients, too. The negatives: the developer is under-funded and unmotivated; no client-side configuration that I can see; the connection to the signalling server isn't quite E2EE; it took me ages to find the documentation (in the GitHub wiki).

I found it using alternativeto.net.
