observability team mailing list archive

[Emilia Torino <emilia.torino@xxxxxxxxxxxxx>]

Hi Cristovao,

On 30/5/23 09:41, Cristovao Cordeiro wrote:
> Hi Emilia,
>
> could you please confirm the `prometheus` container image is being 
> monitored? 

I don't see prometheus being monitored by our services (not as a rock 
based on upstream source code nor as a rock based on debs). Does this 
relate to a question being asked some hours ago in 
~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo? 



These emails' subject only mentions cortex and telegraf, but
> I can see "https://github.com/prometheus/prometheus 
> <https://github.com/prometheus/prometheus>" in the body of the email.

Apologize for the confusion, this sounds like a bug in the email content 
generator code. I will take a look at it later. In this case, only a new 
CVE affecting consul has been created in our tracker 
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.

Still, this does not mean cortex and telegraf are affected, since this 
needs triage (i.e. understand if the code/version present in the rocks 
are indeed vulnerable).

FYI the reason why https://github.com/prometheus/prometheus (and also 
https://github.com/gogo/protobuf) are listed in this email, is because 
these 3 are the *only* upstream projects we are monitoring (because of 
the bug the 3 are incorrectly listed in the email, only consul should 
be). In other words, we are not scanning every upstream source project 
which is used to build cortex and telegraf.

There are reasons why this service is very limited, and I hope this 
is/was clear. Let me know if you need more information.

Emilia


> ---------- Forwarded message ---------
> From: <security-team-toolbox-bot@xxxxxxxxxxxxx 
> <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>
> Date: Sat, Mar 11, 2023 at 6:03 AM
> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and 
> telegraf
> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx 
> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>, 
> <sergio.durigan@xxxxxxxxxxxxx <mailto:sergio.durigan@xxxxxxxxxxxxx>>, 
> <emilia.torino@xxxxxxxxxxxxx <mailto:emilia.torino@xxxxxxxxxxxxx>>, 
> <alex.murray@xxxxxxxxxxxxx <mailto:alex.murray@xxxxxxxxxxxxx>>, 
> <simon.aronsson@xxxxxxxxxxxxx <mailto:simon.aronsson@xxxxxxxxxxxxx>>, 
> <dylan.stephano-shachter@xxxxxxxxxxxxx 
> <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>
>
>
> New CVEs affecting packages used to build upstream based rocks have been
> created in the Ubuntu CVE tracker:
>
> * https://github.com/gogo/protobuf <https://github.com/gogo/protobuf>:
> * https://github.com/hashicorp/consul 
> <https://github.com/hashicorp/consul>: CVE-2023-0845
> * https://github.com/prometheus/prometheus 
> <https://github.com/prometheus/prometheus>:
>
> Please review your rock to understand if it is affected by these CVEs.
>
> Thank you for your rock and for attending to this matter.
>
> References:
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 
> <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>
>
>
>
> --
> Mailing list: https://launchpad.net/~ubuntu-docker-images 
> <https://launchpad.net/~ubuntu-docker-images>
> Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx 
> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> Unsubscribe : https://launchpad.net/~ubuntu-docker-images 
> <https://launchpad.net/~ubuntu-docker-images>
> More help   : https://help.launchpad.net/ListHelp 
> <https://help.launchpad.net/ListHelp>
>
>
> --
> Cris

Attachment: OpenPGP_signature
Description: OpenPGP digital signature