observability team mailing list archive
Message #00003
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Thank you for the swift action, Emilia!
> Does this
> relate to a question being asked some hours ago in
> ~Security
> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
Yes, precisely. @Luca Bello <luca.bello@xxxxxxxxxxxxx> is in the process of
updating that image and we're re-doing our due diligence.
Luca can confirm, but this seems to be a ROCK based precisely on that
upstream Prometheus repository that you are already monitoring (
https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
Can we then add this image to your list of tracked ROCKs?
On Tue, May 30, 2023 at 9:45 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
> Hey all,
>
> On 30/5/23 13:14, Emilia Torino wrote:
> > Hi Cristovao,
> >
> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
> >> Hi Emilia,
> >>
> >> could you please confirm the `prometheus` container image is being
> >> monitored?
> >
> > I don't see prometheus being monitored by our services (not as a rock
> > based on upstream source code nor as a rock based on debs). Does this
> > relate to a question being asked some hours ago in
> > ~Security
> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >
> >
> >> These emails' subject only mentions cortex and telegraf, but
> >> I can see "https://github.com/prometheus/prometheus
> >> <https://github.com/prometheus/prometheus>" in the body of the email.
> >
> > Apologies for the confusion; this sounds like a bug in the email content
> > generator code. I will take a look at it later.
>
> I investigated this bug and it should be solved already. There was an
> issue in the past, but we fixed it already. I thought it could be
> related, but I see the notification you are asking about is from March. If you
> check, the last notification sent on Thu, May 4, 2:03 AM correctly
> reports a single package (cortex only).
>
> Let me know if you have any further questions.
>
> > In this case, only a new
> > CVE affecting consul has been created in our tracker
> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
> >
> > Still, this does not mean cortex and telegraf are affected, since this
> > needs triage (i.e. understand if the code/version present in the rocks
> > are indeed vulnerable).
> >
> > FYI, the reason why https://github.com/prometheus/prometheus (and also
> > https://github.com/gogo/protobuf) are listed in this email is that
> > these 3 are the *only* upstream projects we are monitoring (because of
> > the bug, the 3 are incorrectly listed in the email; only consul should
> > be). In other words, we are not scanning every upstream source project
> > used to build cortex and telegraf.
> >
> > There are reasons why this service is very limited, and I hope this
> > is/was clear. Let me know if you need more information.
> >
> > Emilia
> >
> >
> >>
> >> ---------- Forwarded message ---------
> >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx
> >> <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>
> >> Date: Sat, Mar 11, 2023 at 6:03 AM
> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and
> >> telegraf
> >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>,
> >> <sergio.durigan@xxxxxxxxxxxxx <mailto:sergio.durigan@xxxxxxxxxxxxx>>,
> >> <emilia.torino@xxxxxxxxxxxxx <mailto:emilia.torino@xxxxxxxxxxxxx>>,
> >> <alex.murray@xxxxxxxxxxxxx <mailto:alex.murray@xxxxxxxxxxxxx>>,
> >> <simon.aronsson@xxxxxxxxxxxxx <mailto:simon.aronsson@xxxxxxxxxxxxx>>,
> >> <dylan.stephano-shachter@xxxxxxxxxxxxx
> >> <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>
> >>
> >>
> >> New CVEs affecting packages used to build upstream based rocks have been
> >> created in the Ubuntu CVE tracker:
> >>
> >> * https://github.com/gogo/protobuf <https://github.com/gogo/protobuf>:
> >> * https://github.com/hashicorp/consul
> >> <https://github.com/hashicorp/consul>: CVE-2023-0845
> >> * https://github.com/prometheus/prometheus
> >> <https://github.com/prometheus/prometheus>:
> >>
> >> Please review your rock to understand if it is affected by these CVEs.
> >>
> >> Thank you for your rock and for attending to this matter.
> >>
> >> References:
> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
> >> <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>
> >>
> >>
> >>
> >> --
> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
> >> <https://launchpad.net/~ubuntu-docker-images>
> >> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> >> <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
> >> <https://launchpad.net/~ubuntu-docker-images>
> >> More help : https://help.launchpad.net/ListHelp
> >> <https://help.launchpad.net/ListHelp>
> >>
> >>
> >> --
> >> Cris
>
--
Cris
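The thread turns on two points: only a handful of upstream projects (prometheus/prometheus, gogo/protobuf, hashicorp/consul) are under CVE monitoring rather than every source a rock is built from, and the notification bot once listed projects that had no CVE. The following is an added example, not the Ubuntu Security team's tooling or anything from the prometheus-rock repository: it reads the `parts:` sources out of a constructed rockcraft.yaml (the `example-org/cortex` repository is a placeholder, and the tarball URL is invented), reports which parts are covered by the monitored-project list, which are not, which need CVE triage, and builds notification bullets that list only projects with an actual CVE. The YAML reader is a minimal indentation-based one written for this sample to avoid a library dependency; it is an assumption that a real rockcraft.yaml would be read with a proper YAML parser.

```python
"""Added example: which upstream sources of a rock are under CVE monitoring?

Not the Ubuntu Security team's tooling. The rockcraft.yaml below is a
constructed sample; the monitored projects and the CVE come from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample rockcraft.yaml; example-org/cortex and the tarball URL
# are placeholders, not real sources.
SAMPLE_ROCKCRAFT_YAML = """\
name: cortex
summary: Cortex in a ROCK (constructed sample)
parts:
  cortex:
    plugin: go
    source: https://github.com/example-org/cortex.git
    source-tag: v1.0.0
  consul:
    plugin: go
    source: https://github.com/hashicorp/consul
  protobuf:
    plugin: go
    source: git@github.com:gogo/protobuf.git
  busybox:
    plugin: nil
    source: https://example.invalid/busybox-1.36.0.tar.bz2
"""

# The three upstream projects the thread says are monitored, and the one CVE
# the bot reported; monitored projects without CVEs map to an empty list.
MONITORED_CVES: dict[str, list[str]] = {
    "hashicorp/consul": ["CVE-2023-0845"],
    "gogo/protobuf": [],
    "prometheus/prometheus": [],
}

_GITHUB_RE = re.compile(
    r"^(?:https?://github\.com/|git@github\.com:|github\.com/)"
    r"(?P<owner>[^/]+)/(?P<repo>[^/]+?)(?:\.git)?/?$"
)


def extract_part_sources(yaml_text: str) -> dict[str, str]:
    """Return {part name: source} from the top-level 'parts:' mapping.

    Minimal indentation-based reader for the two-level layout used above;
    it is not a general YAML parser (assumption: a real file would use one).
    """
    sources: dict[str, str] = {}
    in_parts = False
    part: str | None = None
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                       # new top-level key
            in_parts = line == "parts:"
            part = None
        elif in_parts and indent == 2 and line.endswith(":"):
            part = line[:-1]                  # part name
        elif in_parts and indent == 4 and part and line.startswith("source:"):
            sources[part] = line.split(":", 1)[1].strip().strip("'\"")
    return sources


def github_project(source: str) -> str | None:
    """Normalise an https/ssh GitHub source to 'owner/repo'; None if not GitHub."""
    m = _GITHUB_RE.match(source.strip())
    return f"{m['owner']}/{m['repo']}" if m else None


@dataclass
class CoverageReport:
    monitored: dict[str, str] = field(default_factory=dict)      # part -> project
    unmonitored: dict[str, str] = field(default_factory=dict)    # part -> project
    non_github: dict[str, str] = field(default_factory=dict)     # part -> raw source
    needs_triage: dict[str, list[str]] = field(default_factory=dict)  # part -> CVEs


def check_coverage(yaml_text: str, monitored: dict[str, list[str]]) -> CoverageReport:
    """Classify every part's source against the monitored-project list."""
    report = CoverageReport()
    for part, source in extract_part_sources(yaml_text).items():
        project = github_project(source)
        if project is None:
            report.non_github[part] = source          # e.g. tarballs: check by hand
        elif project in monitored:
            report.monitored[part] = project
            if monitored[project]:                    # a CVE exists: triage needed
                report.needs_triage[part] = list(monitored[project])
        else:
            report.unmonitored[part] = project        # built from it, but untracked
    return report


def notification_lines(monitored: dict[str, list[str]]) -> list[str]:
    """Bullet lines for a CVE notice, listing only projects that have CVEs
    (the thread describes a bug where CVE-less projects were listed too)."""
    return [f"* https://github.com/{p}: {', '.join(c)}" for p, c in monitored.items() if c]


if __name__ == "__main__":
    r = check_coverage(SAMPLE_ROCKCRAFT_YAML, MONITORED_CVES)
    print("monitored:", r.monitored)
    print("NOT monitored (no CVE tracking):", r.unmonitored)
    print("non-GitHub sources (check separately):", r.non_github)
    print("needs triage:", r.needs_triage)
    print("\n".join(notification_lines(MONITORED_CVES)))
```

Run against the sample, `cortex` is reported as unmonitored and `busybox` as a non-GitHub source, which is the gap Emilia describes: a rock can pull in sources that no tracker watches, so "no notification" never means "no CVE". Only `consul` lands in `needs_triage`, and, as the thread stresses, that still only means the rock's version must be checked against CVE-2023-0845, not that it is affected.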