How to update Bootstrap version?

Discussion in 'General' started by Maslak Yavuz, Dec 25, 2024 at 1:50 PM.

  1. Maslak Yavuz

    Maslak Yavuz Member

    I have used ISPConfig on Debian for a long time.
    Sometimes I update the Debian and ISPConfig versions.
    Now my versions are Debian Bullseye and ISPConfig 3.2.12p1.
    My Bootstrap version shows as 3.3.0 in the ISPConfig control panel. How can I update it?

    Regards
     
    Last edited: Dec 25, 2024 at 2:28 PM
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The recommended method is only by updating ISPConfig, so if ISPConfig is up to date, there is no need to worry or do anything, as ISPConfig will take care of updating any other components that come with it.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you mean you want to create your own GUI with a different version of the Bootstrap framework than what ISPConfig is using? To do so, download the ISPConfig code from git.ispconfig.org as ISPConfig is OpenSource software and start coding your own theme.
     
  4. Maslak Yavuz

    Maslak Yavuz Member

    No, I only want to keep ISPConfig updated. My ISPConfig version is up to date, 3.2.12p1 on Debian 11.11. But a vulnerability tool warns me about the Bootstrap version of ISPConfig (it checked ISPConfig's web access port) and says "Keep Bootstrap libraries updated to the latest version."
    So is the Bootstrap version (3.3.0) of ISPConfig on my server correct or not?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Bootstrap 3.3.0 is correct.
     
    ahrasis likes this.
  6. Maslak Yavuz

    Maslak Yavuz Member

    Well, I think the Bootstrap version in ISPConfig (/usr/local/ispconfig/interface/web) on my server seems to be old. The ISPConfig version is 3.2.12p1.
    How can I fix it?
    I use the following instructions for the ISPConfig update process:
    wget https://www.ispconfig.org/downloads/ISPConfig-3.2.12p1.tar.gz
    tar xvfz ISPConfig-3.2.12p1.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    find /usr/local/ispconfig/interface/ -name 'bootstrap*' -exec ls -l {} \;
    -rwxr-x--- 1 ispconfig ispconfig 36025 Dec 25 21:55 /usr/local/ispconfig/interface/web/themes/default/assets/javascripts/bootstrap-datetimepicker.min.js
    -rwxr-x--- 1 ispconfig ispconfig 34653 Dec 25 21:55 /usr/local/ispconfig/interface/web/themes/default/assets/javascripts/bootstrap.min.js
    -rwxr-x--- 1 ispconfig ispconfig 11288 Dec 25 21:55 /usr/local/ispconfig/interface/web/themes/default/assets/stylesheets/bootstrap-datetimepicker.min.css
    -rwxr-x--- 1 ispconfig ispconfig 114011 Dec 25 21:55 /usr/local/ispconfig/interface/web/themes/default/assets/stylesheets/bootstrap.min.css
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There is nothing wrong, so nothing that needs to be fixed. If there is an issue that affects ISPConfig, then we will fix or change it. But ISPConfig validates any data on the server side only; we do not rely on JS or Bootstrap for that and use Bootstrap for CSS formatting of HTML elements only.

    We will update Bootstrap in the future when it's necessary or useful.
     
    ahrasis likes this.
  8. Maslak Yavuz

    Maslak Yavuz Member

    OK then, but our security team uses some vulnerability test and they tell us that this version is old and should be upgraded.
    Regards
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Your sec team then likely uses a tool that scans for a certain number in a file with bootstrap in the file name instead of assessing the security of the software. I can put it on the todo list to install a newer Bootstrap version to please such tools.
     
    ahrasis likes this.
  10. remkoh

    remkoh Active Member HowtoForge Supporter

    Then your security team should also be able to tell you what vulnerabilities were found.
    To be more precise, what are the security risks you are exposed to.
    Just doing a version check, calling some older version a vulnerability and telling you to update is not a proper test at all.
     
    ahrasis likes this.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    These tools typically report based on the version number only. That's also the reason why most of these tools falsely flag Debian and Ubuntu software as insecure, as Debian and Ubuntu patch security issues in software like Apache without increasing the version number. The best 'fix' for such reports for Apache and Nginx on Debian is to hide version information. And of course, keep your system updated :)

    However, as I mentioned, I added an issue report to bump up the version of Bootstrap; it should be no big deal.
     
    ahrasis and remkoh like this.
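
The point in the post above, that Debian backports security fixes without changing the upstream version, can be checked from a package's Debian changelog instead of its version banner. This is an added example, not code from the thread or from ISPConfig: the function reports the package revision whose changelog stanza first mentions a given CVE. The package name `examplepkg`, its versions and the id `CVE-0000-0001` are constructed sample data.

```shell
#!/bin/sh
# Added example. Debian changelogs list the newest stanza first; each stanza
# starts with a header line: "package (version) distribution; urgency=...".

# cve_fix_version CHANGELOG CVE-ID
# Prints the oldest package revision whose stanza mentions CVE-ID, i.e. the
# revision that introduced the fix. Returns 1 if the CVE is never mentioned.
cve_fix_version() {
    case "$1" in
        *.gz) gzip -cd -- "$1" ;;   # installed changelogs are gzip-compressed
        *)    cat -- "$1" ;;
    esac | awk -v cve="$2" '
        /^[a-z0-9][a-z0-9+.-]* \(/ {        # stanza header
            ver = $2
            gsub(/[()]/, "", ver)
        }
        index($0, cve) { hit = ver }        # later matches are older stanzas
        END { if (hit == "") exit 1; print hit }
    '
}

# Constructed sample: upstream version stays 2.4.0 across all revisions.
write_sample_changelog() {
    cat > "$1" <<'EOF'
examplepkg (2.4.0-3+deb11u2) bullseye-security; urgency=high

  * Follow-up: add regression test for CVE-0000-0001.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jul 2024 00:00:00 +0000

examplepkg (2.4.0-3+deb11u1) bullseye-security; urgency=high

  * Backport upstream fix for CVE-0000-0001.

 -- Example Maintainer <maint@example.org>  Mon, 01 Jan 2024 00:00:00 +0000

examplepkg (2.4.0-3) unstable; urgency=medium

  * New upstream release 2.4.0.

 -- Example Maintainer <maint@example.org>  Sun, 01 Jan 2023 00:00:00 +0000
EOF
}

sample=$(mktemp)
write_sample_changelog "$sample"
cve_fix_version "$sample" CVE-0000-0001   # prints 2.4.0-3+deb11u1
rm -f "$sample"
```

On a Debian system the real input is `/usr/share/doc/<package>/changelog.Debian.gz`, and the printed revision can be compared with the installed one using `dpkg --compare-versions`.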
  12. Maslak Yavuz

    Maslak Yavuz Member

    They gave me a link about vulnerabilities in old Bootstrap versions: 5 Bootstrap Vulnerabilities | Twingate
     
    remkoh likes this.
  13. Maslak Yavuz

    Maslak Yavuz Member

    Thanks a lot. Well, how can I hide the Bootstrap version in ISPConfig?
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As said by @till, it is simply a CSS file and won't harm you and your server in any way. But if you really really need to do that, you can try editing the said CSS file to remove it. Note that it will be overwritten each time you run the ISPConfig update.
     