
observability team mailing list archive

Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf

 



On 17/8/23 12:51, Cristovao Cordeiro wrote:
Alright, thanks. So not much. I'll leave it up to you @Emilia Torino whether you think partial monitoring of these images is worth it. I'd say, only if it is a no-op for you.

Adding CVE notifications affecting ca-certificates is simple, I have just done it. For this service we don't fetch/inspect ROCKs at all so it's not even resource consuming.


On Thu, Aug 17, 2023 at 4:02 PM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:


    Well yes, in pretty much all of our rocks we add the
    `ca-certificates` package for TLS operations:

    https://packages.ubuntu.com/search?keywords=ca-certificates

    We technically use things like `npm`, `nodejs` and `go` for builds,
    but I think that's not particularly relevant.


    Cheers,

    Luca

    On 17/08/2023 15:28, Cristovao Cordeiro wrote:
    Well, I'd need to inspect every one of those images before making
    such a statement, *but*, I'd risk saying that these images,
    although snap-/source-based, might also have additional debs, on
    top of the base `ubuntu` image, that deserve monitoring. @Luca
    Bello can you please confirm that? I.e. if any of your
    snap-/source-based ROCKs also has additional debs installed, then
    it's probably worth monitoring them nonetheless.

    On Thu, Aug 17, 2023 at 2:58 PM Emilia Torino
    <emilia.torino@xxxxxxxxxxxxx> wrote:

        Hi!

        On Thu, Aug 17, 2023 at 9:53 AM Luca Bello
        <luca.bello@xxxxxxxxxxxxx> wrote:

            Hi everyone,

            that's correct, SeaweedFS is postponed :)

            On 17/08/2023 14:50, Cristovao Cordeiro wrote:
            Hi everyone,

            here's a ping just to revive this thread.

            @Emilia Torino you might have received some GH notifications
            from me, which are related to @Luca Bello's images which are
            now being prepared to be published.


        Yes, I got them and I was also going to ping you all since
        from our last discussion I said:

        "I did a search over the provided sources and only found one
        case where we have the project as a deb in the archive, which
        is alertmanager:
        https://launchpad.net/ubuntu/+source/prometheus-alertmanager.
        So unless you can confirm there are other debs in the archive
        matching the remaining upstream projects, alertmanager is the
        only one we can add to our CVEs monitoring service. I can add
        it right now."

            I'm updating the list from above with the Docker Hub
            repos that should be monitored:

            * Alertmanager (https://github.com/prometheus/alertmanager) ->
              https://hub.docker.com/r/ubuntu/alertmanager (new)
            * Grafana Agent (https://github.com/grafana/agent) ->
              https://hub.docker.com/r/ubuntu/grafana-agent (new)
            * Grafana (https://github.com/grafana/grafana) ->
              https://hub.docker.com/r/ubuntu/grafana
            * Loki (https://github.com/grafana/loki) ->
              https://hub.docker.com/r/ubuntu/loki
            * Mimir (https://github.com/grafana/mimir) ->
              https://hub.docker.com/r/ubuntu/mimir (new)
            * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
            * Traefik (https://github.com/traefik/traefik) ->
              https://hub.docker.com/r/ubuntu/traefik (new)

        So unfortunately, all others can't be monitored with the
        existing solution.


            [1] @Luca Bello is this one postponed?

            On Mon, Jul 3, 2023 at 9:37 AM Luca Bello
            <luca.bello@xxxxxxxxxxxxx> wrote:

                Hi Emilia,

                that's great; thanks for following through!


                Cheers,

                Luca

                On 28/06/2023 22:18, Emilia Torino wrote:
                Hi Luca,

                On Tue, Jun 27, 2023 at 5:11 AM Luca Bello
                <luca.bello@xxxxxxxxxxxxx> wrote:

                    Hi Emilia,

                    I did not look into it as our short-term
                    priorities changed a little bit; if you need
                    anything else from my side please let me know!


                I did a search over the provided sources and only
                found one case where we have the project as a deb in
                the archive, which is alertmanager:
                https://launchpad.net/ubuntu/+source/prometheus-alertmanager

                So unless you can confirm there are other debs in
                the archive matching the remaining upstream
                projects, alertmanager is the only one we can add to
                our CVEs monitoring service. I can add it right now.

                Let me know if you have any questions.

                Emilia


                    Cheers,

                    Luca

                    On 22/06/2023 17:37, Emilia Torino wrote:
                    Hi all,

                    Following up on this issue...

                    On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino
                    <emilia.torino@xxxxxxxxxxxxx> wrote:

                        Hi all,

                        On 9/6/23 06:20, Cristovao Cordeiro wrote:
                        > Sounds good to me. @Emilia Torino do you need those
                        > repos to exist in Docker Hub before you can onboard
                        > these?

                        We don't, since we don't scan the upstream-based
                        ROCKs (we only need this for the deb-based ones).

                        >
                        > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello
                        > <luca.bello@xxxxxxxxxxxxx> wrote:
                        >
                        >     Hello everyone,
                        >
                        >     as mentioned before, the ROCKs we have are all
                        >     based on upstream projects; the list is the
                        >     following, as required:
                        >
                        >     * Alertmanager (https://github.com/prometheus/alertmanager)
                        >     * Grafana Agent (https://github.com/grafana/agent)
                        >     * Grafana (https://github.com/grafana/grafana)
                        >     * Loki (https://github.com/grafana/loki)
                        >     * Mimir (https://github.com/grafana/mimir)
                        >     * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
                        >     * Traefik (https://github.com/traefik/traefik)
                        >
                        >     Please let me know if any of these qualifies!

                        I am not sure how urgent this is, but if you help me
                        identify the associated Ubuntu source packages we can
                        make this faster. Otherwise we can work on this next
                        week.


                    Did you have a chance to check this?


                        >
                        >
                        >     Cheers,
                        >
                        >     Luca
                        >
                        >     On 31/05/2023 18:29, Cristovao Cordeiro wrote:
                        >>
                        >>         So the only change from our side will be
                        >>         to add prometheus to the email notification
                        >>         subject (or I guess we can just simply
                        >>         replace it with "CVEs potentially affecting
                        >>         upstream based ROCKs"). Are the email
                        >>         recipients the same ones for the other
                        >>         ones?
                        >>
                        >>
                        >>     I think that would be fine for now. I'm
                        >>     reluctant to use the mailing list as a
                        >>     catch-all, but I think we can re-design this
                        >>     once there is an event bus at Canonical, so we
                        >>     rely less on emails.
                        >>
                        >>     As for the other 10 ROCKs, @Luca Bello let's
                        >>     first do the right due diligence on those,
                        >>     cause if a ROCK is not meant to be under the
                        >>     "ubuntu" namespace, then this security
                        >>     monitoring doesn't need to apply.
                        >>
                        >>     On Wed, May 31, 2023 at 3:58 PM Emilia Torino
                        >>     <emilia.torino@xxxxxxxxxxxxx> wrote:
                        >>
                        >>
                        >>         Hi all,
                        >>
                        >>         On 31/5/23 04:03, Luca Bello wrote:
                        >>         > Hi everyone,
                        >>         >
                        >>         > as said in the thread already, the
                        >>         > prometheus image is indeed a ROCK based
                        >>         > on the *prometheus/prometheus* repository.
                        >>
                        >>         That's very convenient. But just to be
                        >>         clear again, we are not "inspecting" the
                        >>         upstream based rocks the same way we do for
                        >>         the deb based ones. We are only monitoring
                        >>         new CVEs created for prometheus, protobuf
                        >>         and consul. So the only change from our
                        >>         side will be to add prometheus to the email
                        >>         notification subject (or I guess we can
                        >>         just simply replace it with "CVEs
                        >>         potentially affecting upstream based
                        >>         ROCKs"). Are the email recipients the same
                        >>         ones for the other ones?
                        >>
                        >>         >
                        >>         > We're in the process of updating all of
                        >>         > our ROCKs in a similar way, meaning we
                        >>         > want to make sure we are complying with
                        >>         > any guidelines you might have on them.
                        >>         > We have about 10 ROCKs at the moment,
                        >>         > mostly based on upstream projects just
                        >>         > like this one. Should I share the full
                        >>         > list, so you can track them?
                        >>
                        >>         I am happy to do an analysis of this list
                        >>         to see if we can add more. The short answer
                        >>         would be that if the software is packaged
                        >>         as a deb in main or universe (which is the
                        >>         situation for prometheus, protobuf and
                        >>         consul) then we can simply add them. This
                        >>         is because the service is based on the
                        >>         existing CVE triage work the security team
                        >>         does, which is mainly for debs (although it
                        >>         is now being extended to other ecosystems
                        >>         because of SOSS, but it is still limited
                        >>         and mainly supporting NVIDIA software).
                        >>
                        >>         A simple improvement though could be to map
                        >>         the projects to the rocks so you don't get
                        >>         a general notification, but one per ROCK as
                        >>         the USNs/debs based service does. We can
                        >>         work on adding this for the next cycle.
                        >>
                        >>         >
                        >>         >
                        >>         > Cheers,
                        >>         >
                        >>         > Luca
                        >>         >
                        >>         >
                        >>         > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
                        >>         >> Thank you for the swift action, Emilia!
                        >>         >>
                        >>         >> > Does this relate to a question being
                        >>         >> > asked some hours ago in ~Security
                        >>         >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
                        >>         >>
                        >>         >> Yes, precisely. @Luca Bello is in the
                        >>         >> process of updating that image and we're
                        >>         >> re-doing our due diligence.
                        >>         >> Luca can confirm, but this seems to be a
                        >>         >> ROCK based precisely on that upstream
                        >>         >> Prometheus repository that you are
                        >>         >> already monitoring
                        >>         >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
                        >>         >>
                        >>         >> Can we then add this image to your list
                        >>         >> of tracked ROCKs?
                        >>         >>
                        >>         >>
                        >>         >> On Tue, May 30, 2023 at 9:45 PM Emilia
                        >>         >> Torino <emilia.torino@xxxxxxxxxxxxx>
                        >>         >> wrote:
                        >>         >>
                        >>         >>  Hey all,
                        >>         >>
                        >>         >>  On 30/5/23 13:14, Emilia Torino wrote:
                        >>         >>  > Hi Cristovao,
                        >>         >>  >
                        >>         >>  > On 30/5/23 09:41, Cristovao Cordeiro wrote:
                        >>         >>  >> Hi Emilia,
                        >>         >>  >>
                        >>         >>  >> could you please confirm the
                        >>         >>  >> `prometheus` container image is
                        >>         >>  >> being monitored?
                        >>         >>  >
                        >>         >>  > I don't see prometheus being monitored
                        >>         >>  > by our services (not as a rock based
                        >>         >>  > on upstream source code nor as a rock
                        >>         >>  > based on debs). Does this relate to a
                        >>         >>  > question being asked some hours ago
                        >>         >>  > in ~Security
                        >>         >>  > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
                        >>         >>  >
                        >>         >>  >
                        >>         >>  >> These emails' subject only mentions
                        >>         >>  >> cortex and telegraf, but I can see
                        >>         >>  >> "https://github.com/prometheus/prometheus"
                        >>         >>  >> in the body of the email.
                        >>         >>  >
                        >>         >>  > Apologies for the confusion, this
                        >>         >>  > sounds like a bug in the email content
                        >>         >>  > generator code. I will take a look at
                        >>         >>  > it later.
                        >>         >>
                        >>         >>  I investigated this bug and it should be
                        >>         >>  solved already. There was an issue in
                        >>         >>  the past, but we fixed it already. I
                        >>         >>  thought it could be related but I see
                        >>         >>  this notification you are asking about
                        >>         >>  is from March. If you check the last
                        >>         >>  notification sent on Thu, May 4, 2:03 AM,
                        >>         >>  it is correctly reporting about a single
                        >>         >>  package (cortex only).
                        >>         >>
                        >>         >>  Let me know if you have any further
                        >>         >>  questions.
                        >>         >>
                        >>         >>  > In this case, only a new CVE affecting
                        >>         >>  > consul has been created in our tracker
                        >>         >>  > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
                        >>         >>  >
                        >>         >>  > Still, this does not mean cortex and
                        >>         >>  > telegraf are affected, since this
                        >>         >>  > needs triage (i.e. understand if the
                        >>         >>  > code/version present in the rocks are
                        >>         >>  > indeed vulnerable).
                        >>         >>  >
                        >>         >>  > FYI the reason why
                        >>         >>  > https://github.com/prometheus/prometheus
                        >>         >>  > (and also
                        >>         >>  > https://github.com/gogo/protobuf) are
                        >>         >>  > listed in this email, is because these
                        >>         >>  > 3 are the *only* upstream projects we
                        >>         >>  > are monitoring (because of the bug the
                        >>         >>  > 3 are incorrectly listed in the email,
                        >>         >>  > only consul should be). In other
                        >>         >>  > words, we are not scanning every
                        >>         >>  > upstream source project which is used
                        >>         >>  > to build cortex and telegraf.
                        >>         >>  >
                        >>         >>  > There are reasons why this service is
                        >>         >>  > very limited, and I hope this is/was
                        >>         >>  > clear. Let me know if you need more
                        >>         >>  > information.
                        >>         >>  >
                        >>         >>  > Emilia
                        >>         >>  >
                        >>         >>  >
                        >>         >>  >>
                        >>         >>  >> ---------- Forwarded message ---------
                        >>         >>  >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
                        >>         >>  >> Date: Sat, Mar 11, 2023 at 6:03 AM
                        >>         >>  >> Subject: [Ubuntu-docker-images] CVEs
                        >>         >>  >> potentially affecting cortex and telegraf
                        >>         >>  >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>,
                        >>         >>  >> <sergio.durigan@xxxxxxxxxxxxx>,
                        >>         >>  >> <emilia.torino@xxxxxxxxxxxxx>,
                        >>         >>  >> <alex.murray@xxxxxxxxxxxxx>,
                        >>         >>  >> <simon.aronsson@xxxxxxxxxxxxx>,
                        >>         >>  >> <dylan.stephano-shachter@xxxxxxxxxxxxx>
                        >>         >>  >>
                        >>         >>  >>
                        >>         >>  >> New CVEs affecting packages used to
                        >>         >>  >> build upstream based rocks have been
                        >>         >>  >> created in the Ubuntu CVE tracker:
                        >>         >>  >>
                        >>         >>  >> * https://github.com/gogo/protobuf:
                        >>         >>  >> * https://github.com/hashicorp/consul: CVE-2023-0845
                        >>         >>  >> * https://github.com/prometheus/prometheus:
                        >>         >>  >>
                        >>         >>  >> Please review your rock to understand
                        >>         >>  >> if it is affected by these CVEs.
                        >>         >>  >>
                        >>         >>  >> Thank you for your rock and for
                        >>         >>  >> attending to this matter.
                        >>         >>  >>
                        >>         >>  >> References:
                        >>         >>  >>
                        >>         >>  >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
                        >>         >>  >>
                        >>         >>
>>   <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>>
                        >>         >>  >>
                        >>         >>  >>
                        >>         >>  >>
                        >>         >>  >> --
                        >>         >>  >> Mailing list:
                        >>
                        https://launchpad.net/~ubuntu-docker-images
                        <https://launchpad.net/~ubuntu-docker-images>
>>  <https://launchpad.net/~ubuntu-docker-images <https://launchpad.net/~ubuntu-docker-images>>
                        >>         >>  >>
                        <https://launchpad.net/~ubuntu-docker-images <https://launchpad.net/~ubuntu-docker-images>
>>  <https://launchpad.net/~ubuntu-docker-images <https://launchpad.net/~ubuntu-docker-images>>>
                        >>         >>  >> Post to     :
                        >> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
                        <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>>  <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
                        >>         >>  >>
                        <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>>  <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>
                        >>         >>  >> Unsubscribe :
                        >>
                        https://launchpad.net/~ubuntu-docker-images
                        <https://launchpad.net/~ubuntu-docker-images>
>>  <https://launchpad.net/~ubuntu-docker-images <https://launchpad.net/~ubuntu-docker-images>>
                        >>         >>  >>
                        <https://launchpad.net/~ubuntu-docker-images <https://launchpad.net/~ubuntu-docker-images>
>>  <https://launchpad.net/~ubuntu-docker-images <https://launchpad.net/~ubuntu-docker-images>>>
                        >>         >>  >> More help   :
                        https://help.launchpad.net/ListHelp
                        <https://help.launchpad.net/ListHelp>
>>  <https://help.launchpad.net/ListHelp
                        <https://help.launchpad.net/ListHelp>>
                        >>         >>  >>
                        <https://help.launchpad.net/ListHelp
                        <https://help.launchpad.net/ListHelp>
>>  <https://help.launchpad.net/ListHelp
                        <https://help.launchpad.net/ListHelp>>>
                        >>         >>  >>
                        >>         >>  >>
                        >>         >>  >> --
                        >>         >>  >> Cris
                        >>         >>
                        >>         >>
                        >>         >>
                        >>         >> --
                        >>         >> Cris
                        >>
                        >>
                        >>
                        >>     --
                        >>     Cris
                        >     ____
                        >
                        >
                        >
                        > --
                        > Cris



--
Cris
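As an added example for the "please review your rock" step above (this is not code from the thread or from the ubuntu-docker-images project): a script that reads a rock's `/var/lib/dpkg/status` and flags installed debs whose version is older than the version in which a CVE was fixed, using dpkg's own version-ordering rules so that `~`, epochs and Ubuntu revisions compare correctly. The status excerpt, the CVE ids and the fixed versions below are constructed placeholders; in practice the advisory list would be filled from the Ubuntu CVE tracker entries linked in the notification. It only sees debs, so a rock built from a snap or from source (the case raised earlier in the thread) still needs its upstream component checked separately.

```python
"""Flag installed debs in a rock that are older than a CVE's fixed version.

Added example, not project code. Parses a dpkg status file and compares
versions with the same ordering dpkg uses.
"""
import re

# Constructed dpkg status excerpt (not the contents of any real image).
SAMPLE_DPKG_STATUS = """\
Package: ca-certificates
Status: install ok installed
Architecture: all
Version: 20230311ubuntu0.22.04.1
Description: Common CA certificates
 Contains the certificate authorities shipped with Mozilla's browser.

Package: libssl3
Status: install ok installed
Source: openssl
Version: 3.0.2-0ubuntu1.10
Architecture: amd64
Description: Secure Sockets Layer toolkit - shared libraries

Package: consul
Status: deinstall ok config-files
Version: 1.8.7+dfsg1-1
Architecture: amd64
Description: tool for service discovery (removed, config files remain)
"""

# Constructed advisories: (source package, CVE id, first fixed version).
# The CVE ids and fixed versions are placeholders, not real tracker data.
SAMPLE_ADVISORIES = [
    ("openssl", "CVE-XXXX-PLACEHOLDER-1", "3.0.2-0ubuntu1.12"),
    ("ca-certificates", "CVE-XXXX-PLACEHOLDER-2", "20230311ubuntu0.22.04.1"),
    ("consul", "CVE-XXXX-PLACEHOLDER-3", "1.9.0+dfsg1-1"),
]


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, letters before symbols."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare one version fragment the way dpkg's verrevcmp() does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Non-digit run: compare character weights; end-of-string or a digit weighs 0.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ca = _order(a[ia]) if ia < len(a) and not a[ia].isdigit() else 0
            cb = _order(b[ib]) if ib < len(b) and not b[ib].isdigit() else 0
            if ca != cb:
                return -1 if ca < cb else 1
            ia += 1  # equal weights here imply both sides are at a non-digit
            ib += 1
        # Digit run: compare numerically, so leading zeros are insignificant.
        ma = re.match(r"\d*", a[ia:]).group()
        mb = re.match(r"\d*", b[ib:]).group()
        ia += len(ma)
        ib += len(mb)
        na, nb = int(ma or "0"), int(mb or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 ordering two Debian versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_status(text):
    """Map installed binary package -> (source package, version) from a dpkg status file."""
    installed = {}
    for stanza in re.split(r"\n(?=Package:)", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():
                continue  # continuation line of a multi-line field such as Description
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Package") and fields.get("Status", "").endswith(" installed"):
            # 'Source: name (version)' may carry a version; keep only the name.
            source = fields.get("Source", fields["Package"]).split()[0]
            installed[fields["Package"]] = (source, fields["Version"])
    return installed


def find_affected(status_text, advisories):
    """Return (package, installed version, CVE id, fixed version) for each vulnerable install."""
    installed = parse_dpkg_status(status_text)
    hits = []
    for pkg, (source, version) in sorted(installed.items()):
        for adv_source, cve, fixed in advisories:
            if adv_source == source and compare_versions(version, fixed) < 0:
                hits.append((pkg, version, cve, fixed))
    return hits


if __name__ == "__main__":
    for pkg, version, cve, fixed in find_affected(SAMPLE_DPKG_STATUS, SAMPLE_ADVISORIES):
        print(f"{pkg} {version} is affected by {cve} (fixed in {fixed})")
```

On the sample data only `libssl3` is reported: `ca-certificates` is already at the placeholder fixed version, and `consul` is present only as leftover config files, which `parse_dpkg_status` excludes because its Status is not "installed". Matching is done on the source package, since tracker entries are keyed by source while a rock installs binary packages such as `libssl3`.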

