
observability team mailing list archive

Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf

 

Hi all,

On 9/6/23 06:20, Cristovao Cordeiro wrote:
Sounds good to me. @Emilia Torino do you need those repos to exist in Docker Hub before you can onboard these?

We don't, since we don't scan the upstream-based ROCKs (we only need this for the deb-based ones).


On Fri, Jun 9, 2023 at 10:42 AM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:

    Hello everyone,

    as mentioned before, the ROCKs we have are all based on upstream projects; the list is the following, as required:

    * Alertmanager (https://github.com/prometheus/alertmanager)
    * Grafana Agent (https://github.com/grafana/agent)
    * Grafana (https://github.com/grafana/grafana)
    * Loki (https://github.com/grafana/loki)
    * Mimir (https://github.com/grafana/mimir)
    * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
    * Traefik (https://github.com/traefik/traefik)

    Please let me know if any of these qualifies!

I am not sure how urgent this is, but if you help me identify the associated Ubuntu source packages we can make this faster. Otherwise we can work on this next week.



    Cheers,

    Luca

    On 31/05/2023 18:29, Cristovao Cordeiro wrote:

        So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simply replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?


    I think that would be fine for now. I'm reluctant to use the mailing list as a catch-all, but I think we can re-design this once there is an event bus at Canonical, so we rely less on emails.

    As for the other 10 ROCKs, @Luca Bello let's first do the right due diligence on those, because if a ROCK is not meant to be under the "ubuntu" namespace, then this security monitoring doesn't need to apply.

    On Wed, May 31, 2023 at 3:58 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:


        Hi all,

        On 31/5/23 04:03, Luca Bello wrote:
        > Hi everyone,
        >
        > as said in the thread already, the prometheus image is indeed a ROCK based on the *prometheus/prometheus* repository.

        That's very convenient. But just to be clear again, we are not "inspecting" the upstream based rocks the same way we do for the deb based ones. We are only monitoring new CVEs created for prometheus, protobuf and consul. So the only change from our side will be to add prometheus to the email notification subject (or I guess we can just simply replace it with "CVEs potentially affecting upstream based ROCKs"). Are the email recipients the same ones for the other ones?

        >
        > We're in the process of updating all of our ROCKs in a similar way, meaning we want to make sure we are complying with any guidelines you might have on them.
        > We have about 10 ROCKs at the moment, mostly based on upstream projects just like this one. Should I share the full list, so you can track them?

        I am happy to do an analysis of this list to see if we can add more. The short answer would be that if the software is packaged as a deb in main or universe (which is the situation for prometheus, protobuf and consul) then we can simply add them. This is because the service is based on the existing CVE triage work the security team does, which is mainly for debs (although it is now being extended to other ecosystems because of SOSS, but it is still limited and mainly supporting NVIDIA software).

        A simple improvement though could be to map the projects to the rocks so you don't get a general notification, but one per ROCK as the USNs/debs based service does. We can work on adding this for the next cycle.

        >
        >
        > Cheers,
        >
        > Luca
        >
        >
        > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
        >> Thank you for the swift action, Emilia!
        >>
        >> > Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
        >>
        >> Yes, precisely. @Luca Bello is in the process of updating that image and we're re-doing our due diligence. Luca can confirm, but this seems to be a ROCK based precisely on that upstream Prometheus repository that you are already monitoring (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
        >>
        >> Can we then add this image to your list of tracked ROCKs?
        >>
        >>
        >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
        >>
        >>     Hey all,
        >>
        >>     On 30/5/23 13:14, Emilia Torino wrote:
        >>     > Hi Cristovao,
        >>     >
        >>     > On 30/5/23 09:41, Cristovao Cordeiro wrote:
        >>     >> Hi Emilia,
        >>     >>
        >>     >> could you please confirm the `prometheus` container image is being monitored?
        >>     >
        >>     > I don't see prometheus being monitored by our services (not as a rock based on upstream source code nor as a rock based on debs). Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
        >>     >
        >>     >
        >>     > These emails' subject only mentions cortex and telegraf, but
        >>     >> I can see "https://github.com/prometheus/prometheus" in the body of the email.
        >>     >
        >>     > Apologies for the confusion, this sounds like a bug in the email content generator code. I will take a look at it later.
        >>
        >>     I investigated this bug and it should be solved already. There was an issue in the past, but we fixed it already. I thought it could be related but I see this notification you are asking about is from March. If you check the last notification sent on Thu, May 4, 2:03 AM, it is correctly reporting about a single package (cortex only).
        >>
        >>     Let me know if you have any further questions.
        >>
        >>     > In this case, only a new CVE affecting consul has been created in our tracker https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
        >>     >
        >>     > Still, this does not mean cortex and telegraf are affected, since this needs triage (i.e. understand if the code/version present in the rocks are indeed vulnerable).
        >>     >
        >>     > FYI the reason why https://github.com/prometheus/prometheus (and also https://github.com/gogo/protobuf) are listed in this email, is because these 3 are the *only* upstream projects we are monitoring (because of the bug the 3 are incorrectly listed in the email, only consul should be). In other words, we are not scanning every upstream source project which is used to build cortex and telegraf.
        >>     >
        >>     > There are reasons why this service is very limited, and I hope this is/was clear. Let me know if you need more information.
        >>     >
        >>     > Emilia
        >>     >
        >>     >
        >>     >>
        >>     >> ---------- Forwarded message ---------
        >>     >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
        >>     >> Date: Sat, Mar 11, 2023 at 6:03 AM
        >>     >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
        >>     >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>, <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>, <alex.murray@xxxxxxxxxxxxx>, <simon.aronsson@xxxxxxxxxxxxx>, <dylan.stephano-shachter@xxxxxxxxxxxxx>
        >>     >>
        >>     >>
        >>     >> New CVEs affecting packages used to build upstream based rocks have been created in the Ubuntu CVE tracker:
        >>     >>
        >>     >> * https://github.com/gogo/protobuf:
        >>     >> * https://github.com/hashicorp/consul: CVE-2023-0845
        >>     >> * https://github.com/prometheus/prometheus:
        >>     >>
        >>     >> Please review your rock to understand if it is affected by these CVEs.
        >>     >>
        >>     >> Thank you for your rock and for attending to this matter.
        >>     >>
        >>     >> References:
        >>     >>
        >>     >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
        >>     >>
        >>     >>
        >>     >>
        >>     >> --
        >>     >> Mailing list: https://launchpad.net/~ubuntu-docker-images
        >>     >> Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
        >>     >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
        >>     >> More help   : https://help.launchpad.net/ListHelp
        >>     >>
        >>     >>
        >>     >> --
        >>     >> Cris
        >>
        >>
        >>
        >> --
        >> Cris




Attachment: OpenPGP_signature
Description: OpenPGP digital signature
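The per-ROCK mapping Emilia proposes above, next to the bug she describes (all three monitored projects listed in the bot mail although only consul had a new CVE), as an added Python example; this is not the security team's notification service code, and the ROCK-to-upstream-project mapping is constructed for illustration.

```python
# Added example, not the security team's service code. Monitored projects are
# from the thread; the ROCK -> upstream-project mapping is constructed.
MONITORED = {
    "https://github.com/prometheus/prometheus",
    "https://github.com/gogo/protobuf",
    "https://github.com/hashicorp/consul",
}

# Hypothetical mapping of ROCK -> upstream projects used to build it.
ROCK_PROJECTS = {
    "cortex": {"https://github.com/prometheus/prometheus",
               "https://github.com/gogo/protobuf",
               "https://github.com/hashicorp/consul"},
    "telegraf": {"https://github.com/gogo/protobuf",
                 "https://github.com/hashicorp/consul"},
    "prometheus": {"https://github.com/prometheus/prometheus"},
}


def buggy_report(new_cves):
    """The bug from the thread: every monitored project is listed,
    with an empty CVE list for projects that have no new CVE."""
    return {p: sorted(new_cves.get(p, ())) for p in sorted(MONITORED)}


def per_rock_report(new_cves):
    """Fixed behaviour: one notification per ROCK, listing only the
    monitored projects it is built from that actually have new CVEs."""
    report = {}
    for rock, projects in ROCK_PROJECTS.items():
        hits = {p: sorted(new_cves[p])
                for p in sorted(projects & MONITORED) if new_cves.get(p)}
        if hits:  # ROCKs with no affected project get no mail at all
            report[rock] = hits
    return report


def render(rock, hits):
    """Plain-text body in the style of the forwarded bot mail."""
    lines = [f"[Ubuntu-docker-images] CVEs potentially affecting {rock}", ""]
    lines += [f"* {p}: {', '.join(ids)}" for p, ids in sorted(hits.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the March case, where only consul had a new CVE.
    new = {"https://github.com/hashicorp/consul": ["CVE-2023-0845"]}
    for rock, hits in per_rock_report(new).items():
        print(render(rock, hits), end="\n\n")
```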

