observability team mailing list archive
-
observability team
-
Mailing list archive
-
Message #00023
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Thank you for the information @David Lane <david.lane@xxxxxxxxxxxxx>.
I think this is a good summary that could be registered somewhere (like a
doc) so that our image maintainers can read it before making requests for
new images. Up to now, I've been using
https://docs.google.com/document/d/1kV4SQqKG-5zkSYdlNIhIHXMmDcjfXoIlX-8KSi3xBCg/edit#heading=h.z1vggsp50vj8
as a reference. I think @Emilia Torino <emilia.torino@xxxxxxxxxxxxx> has
access to this doc, so maybe it could be updated with that great summary?
Btw, are you planning on starting to publish said notifications via the
Event Bus? That would be a nice step towards automating image rebuilds...
On Fri, Aug 18, 2023 at 2:52 AM David Lane <david.lane@xxxxxxxxxxxxx> wrote:
> Hi Cristovao, Luca and co,
>
> I thought it might be useful if I provide just a brief high-level overview
> of how our ROCK notification service works so you can understand the
> limitations we have, particularly around ROCKS built from upstream repos
> rather than debs.
>
> - All of the ROCKS notification services are based on USNs we publish
> or CVEs in the Ubuntu CVE Tracker (UCT).
> - Important: USNs and UCT are focused purely on deb packages in the
> Ubuntu archives. Therefore if it's not a deb, we have no information about
> it.
> - Some ROCKS are built with a manifest specifying which deb
> packages they are composed of.
> - For a subset[1] of these, we alert if the package version in that
> ROCK needs to be updated because a USN has been published for it.
> - Separate from that, we have a list of some specific projects[2]
> which we know are used to build some ROCKS, *AND *(coincidently *but
> importantly*) for which a deb package exists in the Ubuntu archives.
> - Because we have a package in the archive for representing some
> version of these upstream projects, information about CVEs affecting them
> is available to us.
> - If we identify a CVE in one of those deb packages that represents
> the 'upstream' project used to build a ROCK, we notify you that we've seen
> a CVE.
> - *Note / limitation:* We have no information about these upstream
> repos or what exact version of upstream goes into the ROCKS. We only know
> that you're interested in that project and we have some information about
> it because there is a deb for it in the archive and therefore we get CVE
> information and pass that directly onto yourselves.
>
> [1]: ROCKS built with debs that we can alert for when a USN affects them:
> - apache2, bind9, charmed-opensearch, kafka, memcached, mlflow, nginx,
> postres, redis, squid, zookeeper
> [2]: 'upstream' packages that have also have debs and therefore CVE
> information in UCT:
> - consul, golang-gogoprotobuf, prometheus, prometheus-alertmanager, (and
> now also) ca-certificates
>
> David.
>
> On Fri, Aug 18, 2023 at 3:14 AM Emilia Torino <emilia.torino@xxxxxxxxxxxxx>
> wrote:
>
>>
>>
>> On 17/8/23 12:51, Cristovao Cordeiro wrote:
>> > Alright, thanks. So not much. I'll leave it up to you @Emilia Torino
>> > <mailto:emilia.torino@xxxxxxxxxxxxx> whether you think partial
>> > monitoring of these images is worth it. I'd say, only if it is a no-op
>> > for you.
>>
>> Adding CVEs notifications affecting ca-certificates is simple, I have
>> just done it. For this service we dont fetch/inspect ROCKs at all so its
>> not even resources consuming.
>>
>> >
>> > On Thu, Aug 17, 2023 at 4:02 PM Luca Bello <luca.bello@xxxxxxxxxxxxx
>> > <mailto:luca.bello@xxxxxxxxxxxxx>> wrote:
>> >
>> > __
>> >
>> > Well yes, in pretty much all of our rocks we add the
>> > `ca-certificates` package for TLS operations:
>> >
>> > https://packages.ubuntu.com/search?keywords=ca-certificates
>> > <https://packages.ubuntu.com/search?keywords=ca-certificates>
>> >
>> > We technically use things like `npm`, `nodejs` and `go` for builds,
>> > but I think that's not particularly relevant.
>> >
>> >
>> > Cheers,
>> >
>> > Luca
>> >
>> > On 17/08/2023 15:28, Cristovao Cordeiro wrote:
>> >> Well, I'd need to inspect every one of those images before making
>> >> such a statement, *but, *I'd risk saying that these images,
>> >> although snap-/source- based, might also have additional debs, on
>> >> top of the base `ubuntu` image, that deserve monitoring. @Luca
>> >> Bello <mailto:luca.bello@xxxxxxxxxxxxx> can you please confirm
>> >> that? I.e. if any of your snap-/source-based ROCKs also has
>> >> additional debs installed, then it's probably worth monitoring
>> >> them nonetheless.
>> >>
>> >> On Thu, Aug 17, 2023 at 2:58 PM Emilia Torino
>> >> <emilia.torino@xxxxxxxxxxxxx <mailto:emilia.torino@xxxxxxxxxxxxx>>
>> >> wrote:
>> >>
>> >> Hi!
>> >>
>> >> On Thu, Aug 17, 2023 at 9:53 AM Luca Bello
>> >> <luca.bello@xxxxxxxxxxxxx <mailto:luca.bello@xxxxxxxxxxxxx>>
>> >> wrote:
>> >>
>> >> Hi everyone,
>> >>
>> >> that's correct, SeaweedFS is postponed :)
>> >>
>> >> On 17/08/2023 14:50, Cristovao Cordeiro wrote:
>> >>> Hi everyone,
>> >>>
>> >>> here's a ping just to revive this thread.
>> >>>
>> >>> @Emilia Torino <mailto:emilia.torino@xxxxxxxxxxxxx> you
>> >>> might have received some GH notifications from me, which
>> >>> are related to @Luca Bello
>> >>> <mailto:luca.bello@xxxxxxxxxxxxx> 's images which are now
>> >>> being prepared to be published.
>> >>
>> >>
>> >> Yes, I got them and I was also going to ping you all since
>> >> from our last discussion I said:
>> >>
>> >> "I did a search over the provided sources and only found one
>> >> case where we have the project as a deb in the archive, which
>> >> is alertmanager:
>> >> https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>> >> <https://launchpad.net/ubuntu/+source/prometheus-alertmanager
>> >.
>> >> So unless you can confirm there are other debs in the archive
>> >> matching the remaining upstream projects, alertmanager is the
>> >> only one we can add to our CVEs monitoring service. I can add
>> >> it right now."
>> >>
>> >>> I'm updating the list from above with the Docker Hub
>> >>> repos that should be monitored:
>> >>>
>> >>> * Alertmanager
>> >>> (https://github.com/prometheus/alertmanager
>> >>> <https://github.com/prometheus/alertmanager>) ->
>> >>> https://hub.docker.com/r/ubuntu/alertmanager
>> >>> <https://hub.docker.com/r/ubuntu/alertmanager> (new)
>> >>> * Grafana Agent (https://github.com/grafana/agent
>> >>> <https://github.com/grafana/agent>) ->
>> >>> https://hub.docker.com/r/ubuntu/grafana-agent
>> >>> <https://hub.docker.com/r/ubuntu/grafana-agent> (new)
>> >>> * Grafana (https://github.com/grafana/grafana
>> >>> <https://github.com/grafana/grafana>) ->
>> >>> https://hub.docker.com/r/ubuntu/grafana
>> >>> <https://hub.docker.com/r/ubuntu/grafana>
>> >>> * Loki (https://github.com/grafana/loki
>> >>> <https://github.com/grafana/loki>) ->
>> >>> https://hub.docker.com/r/ubuntu/loki
>> >>> <https://hub.docker.com/r/ubuntu/loki>
>> >>> * Mimir (https://github.com/grafana/mimir
>> >>> <https://github.com/grafana/mimir>) ->
>> >>> https://hub.docker.com/r/ubuntu/mimir
>> >>> <https://hub.docker.com/r/ubuntu/mimir> (new)
>> >>> * SeaweedFS (https://github.com/seaweedfs/seaweedfs
>> >>> <https://github.com/seaweedfs/seaweedfs>) [1]
>> >>> * Traefik (https://github.com/traefik/traefik
>> >>> <https://github.com/traefik/traefik>) ->
>> >>> https://hub.docker.com/r/ubuntu/traefik
>> >>> <https://hub.docker.com/r/ubuntu/traefik> (new)
>> >>
>> >> So unfortunately, all others can't be monitored with the
>> >> existing solution.
>> >>
>> >>>
>> >>> [1] @Luca Bello <mailto:luca.bello@xxxxxxxxxxxxx> is this
>> >>> one postponed?
>> >>>
>> >>> On Mon, Jul 3, 2023 at 9:37 AM Luca Bello
>> >>> <luca.bello@xxxxxxxxxxxxx
>> >>> <mailto:luca.bello@xxxxxxxxxxxxx>> wrote:
>> >>>
>> >>> Hi Emilia,
>> >>>
>> >>> that's great; thanks for following through!
>> >>>
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Luca
>> >>>
>> >>> On 28/06/2023 22:18, Emilia Torino wrote:
>> >>>> Hi Luca,
>> >>>>
>> >>>> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello
>> >>>> <luca.bello@xxxxxxxxxxxxx
>> >>>> <mailto:luca.bello@xxxxxxxxxxxxx>> wrote:
>> >>>>
>> >>>> Hi Emilia,
>> >>>>
>> >>>> I did not look into it as our short-term
>> >>>> priorities changed a little bit; if you need
>> >>>> anything else from my side please let me know!
>> >>>>
>> >>>>
>> >>>> I did a search over the provided sources and only
>> >>>> found one case where we have the project as a deb in
>> >>>> the archive, which is alertmanager:
>> >>>>
>> https://launchpad.net/ubuntu/+source/prometheus-alertmanager <
>> https://launchpad.net/ubuntu/+source/prometheus-alertmanager>
>> >>>>
>> >>>> So unless you can confirm there are other debs in
>> >>>> the archive matching the remaining upstream
>> >>>> projects, alertmanager is the only one we can add to
>> >>>> our CVEs monitoring service. I can add it right now.
>> >>>>
>> >>>> Let me know if you have any questions.
>> >>>>
>> >>>> Emilia
>> >>>>
>> >>>>
>> >>>> Cheers,
>> >>>>
>> >>>> Luca
>> >>>>
>> >>>> On 22/06/2023 17:37, Emilia Torino wrote:
>> >>>>> Hi all,
>> >>>>>
>> >>>>> Following up on this issue...
>> >>>>>
>> >>>>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino
>> >>>>> <emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>> wrote:
>> >>>>>
>> >>>>> Hi all,
>> >>>>>
>> >>>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
>> >>>>> > Sounds good to me. @Emilia Torino
>> >>>>> > <mailto:emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>> do
>> >>>>> you need those repos to exist in
>> >>>>> > Docker Hub before you can onboard these?
>> >>>>>
>> >>>>> We don't. Since we don't scan the upstream
>> >>>>> based ROCKs (we only need
>> >>>>> this for the deb based ones).
>> >>>>>
>> >>>>> >
>> >>>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca
>> >>>>> Bello <luca.bello@xxxxxxxxxxxxx
>> >>>>> <mailto:luca.bello@xxxxxxxxxxxxx>
>> >>>>> > <mailto:luca.bello@xxxxxxxxxxxxx
>> >>>>> <mailto:luca.bello@xxxxxxxxxxxxx>>> wrote:
>> >>>>> >
>> >>>>> > Hello everyone,
>> >>>>> >
>> >>>>> > as mentioned before, the ROCKs we
>> >>>>> have are all based on upstream
>> >>>>> > projects; the list is the following,
>> >>>>> as required:
>> >>>>> >
>> >>>>> > * Alertmanager
>> >>>>> (https://github.com/prometheus/alertmanager
>> >>>>> <https://github.com/prometheus/alertmanager
>> >
>> >>>>> >
>> >>>>> <
>> https://github.com/prometheus/alertmanager <
>> https://github.com/prometheus/alertmanager>>)
>> >>>>> > * Grafana Agent
>> >>>>> (https://github.com/grafana/agent
>> >>>>> <https://github.com/grafana/agent>
>> >>>>> > <https://github.com/grafana/agent
>> >>>>> <https://github.com/grafana/agent>>)
>> >>>>> > * Grafana
>> >>>>> (https://github.com/grafana/grafana
>> >>>>> <https://github.com/grafana/grafana>
>> >>>>> > <https://github.com/grafana/grafana
>> >>>>> <https://github.com/grafana/grafana>>)
>> >>>>> > * Loki
>> >>>>> (https://github.com/grafana/loki
>> >>>>> <https://github.com/grafana/loki>
>> >>>>> > <https://github.com/grafana/loki
>> >>>>> <https://github.com/grafana/loki>>)
>> >>>>> > * Mimir
>> >>>>> (https://github.com/grafana/mimir
>> >>>>> <https://github.com/grafana/mimir>
>> >>>>> > <https://github.com/grafana/mimir
>> >>>>> <https://github.com/grafana/mimir>>)
>> >>>>> > * SeaweedFS
>> >>>>> (https://github.com/seaweedfs/seaweedfs
>> >>>>> <https://github.com/seaweedfs/seaweedfs>
>> >>>>> >
>> >>>>> <https://github.com/seaweedfs/seaweedfs
>> >>>>> <https://github.com/seaweedfs/seaweedfs>>)
>> >>>>> > * Traefik
>> >>>>> (https://github.com/traefik/traefik
>> >>>>> <https://github.com/traefik/traefik>
>> >>>>> > <https://github.com/traefik/traefik
>> >>>>> <https://github.com/traefik/traefik>>)
>> >>>>> >
>> >>>>> > Please let me know if any of these
>> >>>>> qualifies!
>> >>>>>
>> >>>>> I am not sure how urgent is this, but if
>> >>>>> you help me identify the Ubuntu
>> >>>>> source packages associated we can make this
>> >>>>> faster. Otherwise we can
>> >>>>> work on this next week.
>> >>>>>
>> >>>>>
>> >>>>> Did you have a chance to check this?
>> >>>>>
>> >>>>>
>> >>>>> >
>> >>>>> >
>> >>>>> > Cheers,
>> >>>>> >
>> >>>>> > Luca
>> >>>>> >
>> >>>>> > On 31/05/2023 18:29, Cristovao
>> >>>>> Cordeiro wrote:
>> >>>>> >>
>> >>>>> >> So the only change from our side
>> >>>>> will be to add
>> >>>>> >> prometheus to the email
>> >>>>> notification subject (or I guess we
>> >>>>> >> can just
>> >>>>> >> simple replace it with "CVEs
>> >>>>> potentially affecting upstream based
>> >>>>> >> ROCKs"). Are the email
>> >>>>> recipients the same ones for the other
>> >>>>> >> ones?
>> >>>>> >>
>> >>>>> >>
>> >>>>> >> I think that would be fine for now.
>> >>>>> I'm reluctant to use the
>> >>>>> >> mailing list as a catch-all, but I
>> >>>>> think we can re-design this
>> >>>>> >> once there is an event bus at
>> >>>>> Canonical, so we rely less on emails.
>> >>>>> >>
>> >>>>> >> As for the other 10 ROCKs, @Luca
>> Bello
>> >>>>> >> <mailto:luca.bello@xxxxxxxxxxxxx
>> >>>>> <mailto:luca.bello@xxxxxxxxxxxxx>> let's
>> >>>>> first do the right due
>> >>>>> >> diligence on those, cause if a ROCK
>> >>>>> is not meant to be under the
>> >>>>> >> "ubuntu" namespace, then this
>> >>>>> security monitoring doesn't need to
>> >>>>> >> apply.
>> >>>>> >>
>> >>>>> >> On Wed, May 31, 2023 at 3:58 PM
>> >>>>> Emilia Torino
>> >>>>> >> <emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>>>
>> >>>>> >> wrote:
>> >>>>> >>
>> >>>>> >>
>> >>>>> >> Hi all,
>> >>>>> >>
>> >>>>> >> On 31/5/23 04:03, Luca Bello
>> wrote:
>> >>>>> >> > Hi everyone,
>> >>>>> >> >
>> >>>>> >> > as said in the thread already,
>> >>>>> the prometheus image is
>> >>>>> >> indeed a ROCK
>> >>>>> >> > based on the
>> >>>>> *prometheus/prometheus* repository.
>> >>>>> >>
>> >>>>> >> That's very convenient. But just
>> >>>>> to be clear again, we are not
>> >>>>> >> "inspecting" the upstream based rocks
>> >>>>> the same way we do for
>> >>>>> >> the deb
>> >>>>> >> based ones. We are only
>> >>>>> monitoring new CVEs created for
>> >>>>> >> prometheus,
>> >>>>> >> protobuf and consul. So the only
>> >>>>> change from our side will be
>> >>>>> >> to add
>> >>>>> >> prometheus to the email
>> >>>>> notification subject (or I guess we
>> >>>>> >> can just
>> >>>>> >> simple replace it with "CVEs
>> >>>>> potentially affecting upstream based
>> >>>>> >> ROCKs"). Are the email
>> >>>>> recipients the same ones for the other
>> >>>>> >> ones?
>> >>>>> >>
>> >>>>> >> >
>> >>>>> >> > We're in the process of
>> >>>>> updating all of our ROCKs in a
>> >>>>> >> similar way,
>> >>>>> >> > meaning we want to make sure
>> >>>>> we are complying with any
>> >>>>> >> guidelines you
>> >>>>> >> > might have on them.
>> >>>>> >> > We have about 10 ROCKs at the
>> >>>>> moment, mostly based on
>> >>>>> >> upstream projects
>> >>>>> >> > just like this one. Should I
>> >>>>> share the full list, so you can
>> >>>>> >> track them?
>> >>>>> >>
>> >>>>> >> I am happy to do an analysis of
>> >>>>> this list to see if we can add
>> >>>>> >> more. The
>> >>>>> >> short answer would be that if
>> >>>>> the software is packaged as a
>> >>>>> >> deb in main
>> >>>>> >> or universe (which is the
>> >>>>> situation for prometheus, protobuf
>> >>>>> >> and consul)
>> >>>>> >> then we can simply add them.
>> >>>>> This is because the service is
>> >>>>> >> based on the
>> >>>>> >> existing CVE triage work the
>> >>>>> security team does, which is
>> >>>>> >> mainly for
>> >>>>> >> debs (although now is being
>> >>>>> extended to other ecosystems
>> >>>>> >> because of SOSS
>> >>>>> >> but it is still limited and
>> >>>>> mainly supporting NVIDIA software).
>> >>>>> >>
>> >>>>> >> A simple improvement though
>> >>>>> could be to map the projects to
>> >>>>> >> the rocks so
>> >>>>> >> you dont get a general
>> >>>>> notification, but one per ROCK as the
>> >>>>> >> USNs/debs
>> >>>>> >> based service does. We can work
>> >>>>> on adding this for the next cycle.
>> >>>>> >>
>> >>>>> >> >
>> >>>>> >> >
>> >>>>> >> > Cheers,
>> >>>>> >> >
>> >>>>> >> > Luca
>> >>>>> >> >
>> >>>>> >> >
>> >>>>> >> > On 31/05/2023 08:12, Cristovao
>> >>>>> Cordeiro wrote:
>> >>>>> >> >> Thank you for the swift
>> >>>>> action, Emilia!
>> >>>>> >> >>
>> >>>>> >> >> > Does this
>> >>>>> >> >> > relate to a question being
>> >>>>> asked some hours ago in
>> >>>>> >> >> > ~Security
>> >>>>> >> >>
>> >>>>> >>
>> >>>>>
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo> <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo>>?
>> >>>>> >> >>
>> >>>>> >> >> Yes, precisely. @Luca Bello
>> >>>>> >> <mailto:luca.bello@xxxxxxxxxxxxx
>> >>>>> <mailto:luca.bello@xxxxxxxxxxxxx>
>> >>>>> >> <mailto:luca.bello@xxxxxxxxxxxxx
>> >>>>> <mailto:luca.bello@xxxxxxxxxxxxx>>> is in
>> >>>>> >> >> the process of updating that
>> >>>>> image and we're re-doing our
>> >>>>> >> due diligence.
>> >>>>> >> >> Luca can confirm, but this
>> >>>>> seems to be a ROCK based
>> >>>>> >> precisely on that
>> >>>>> >> >> upstream Prometheus
>> >>>>> repository that you are already monitoring
>> >>>>> >> >>
>> >>>>> >>
>> >>>>> (
>> https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19
>> <
>> https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19>
>> <
>> https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19
>> <
>> https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19
>> >>).
>> >>>>> >> >>
>> >>>>> >> >> Can we then add this image to
>> >>>>> your list of tracked ROCKs?
>> >>>>> >> >>
>> >>>>> >> >>
>> >>>>> >> >> On Tue, May 30, 2023 at
>> >>>>> 9:45 PM Emilia Torino
>> >>>>> >> >> <emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>>>
>> wrote:
>> >>>>> >> >>
>> >>>>> >> >> Hey all,
>> >>>>> >> >>
>> >>>>> >> >> On 30/5/23 13:14, Emilia
>> >>>>> Torino wrote:
>> >>>>> >> >> > Hi Cristovao,
>> >>>>> >> >> >
>> >>>>> >> >> > On 30/5/23 09:41,
>> >>>>> Cristovao Cordeiro wrote:
>> >>>>> >> >> >> Hi Emilia,
>> >>>>> >> >> >>
>> >>>>> >> >> >> could you please confirm
>> >>>>> the `prometheus` container
>> >>>>> >> image is being
>> >>>>> >> >> >> monitored?
>> >>>>> >> >> >
>> >>>>> >> >> > I don't see prometheus
>> >>>>> being monitored by our
>> >>>>> >> services (not as a
>> >>>>> >> >> rock
>> >>>>> >> >> > based on upstream source
>> >>>>> code nor as a rock based on
>> >>>>> >> debs). Does
>> >>>>> >> >> this
>> >>>>> >> >> > relate to a question being
>> >>>>> asked some hours ago in
>> >>>>> >> >> > ~Security
>> >>>>> >> >>
>> >>>>> >>
>> >>>>>
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo> <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo <
>> https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo>>?
>> >>>>> >> >> >
>> >>>>> >> >> >
>> >>>>> >> >> > These emails' subject only
>> >>>>> mentions cortex and
>> >>>>> >> telegraf, but
>> >>>>> >> >> >> I can see
>> >>>>> "https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>
>> >>>>> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>>
>> >>>>> >> >> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>
>> >>>>> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>>>"
>> in the body of the
>> >>>>> >> >> email.
>> >>>>> >> >> >
>> >>>>> >> >> > Apologize for the
>> >>>>> confusion, this sounds like a bug
>> >>>>> >> in the email
>> >>>>> >> >> content
>> >>>>> >> >> > generator code. I will
>> >>>>> take a look at it later.
>> >>>>> >> >>
>> >>>>> >> >> I investigated this bug and
>> >>>>> it should be solved
>> >>>>> >> already. There was an
>> >>>>> >> >> issue in the past, but we
>> >>>>> fixed it already. I thought
>> >>>>> >> it could be
>> >>>>> >> >> related but I see this
>> >>>>> notification you are asking is
>> >>>>> >> from March.
>> >>>>> >> >> If you
>> >>>>> >> >> check the last notification
>> >>>>> sent on Thu, May 4, 2:03 AM
>> >>>>> >> is correctly
>> >>>>> >> >> reporting about a single
>> >>>>> package (cortex only).
>> >>>>> >> >>
>> >>>>> >> >> Let me know if you have any
>> >>>>> further question.
>> >>>>> >> >>
>> >>>>> >> >> In this case, only a new
>> >>>>> >> >> > CVE affecting consul has
>> >>>>> been created in our tracker
>> >>>>> >> >> >
>> >>>>> >> >>
>> >>>>> >>
>> >>>>>
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>.
>> >>>>> >> >> >
>> >>>>> >> >> > Still, this does not mean
>> >>>>> cortex and telegraf are
>> >>>>> >> affected,
>> >>>>> >> >> since this
>> >>>>> >> >> > needs triage (i.e.
>> >>>>> understand if the code/version
>> >>>>> >> present in the
>> >>>>> >> >> rocks
>> >>>>> >> >> > are indeed vulnerable).
>> >>>>> >> >> >
>> >>>>> >> >> > FYI the reason why
>> >>>>> >> https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>
>> >>>>> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>>
>> >>>>> (and
>> >>>>> >> >> also
>> >>>>> >> >> >
>> >>>>> https://github.com/gogo/protobuf
>> >>>>> <https://github.com/gogo/protobuf>
>> >>>>> >>
>> >>>>> <https://github.com/gogo/protobuf
>> >>>>> <https://github.com/gogo/protobuf>>) are
>> >>>>> listed in this email, is
>> >>>>> >> >> because
>> >>>>> >> >> > these 3 are the *only*
>> >>>>> upstream projects we are
>> >>>>> >> monitoring
>> >>>>> >> >> (because of
>> >>>>> >> >> > the bug the 3 are
>> >>>>> incorrectly listed in the email,
>> >>>>> >> only consul
>> >>>>> >> >> should
>> >>>>> >> >> > be). In other words, we
>> >>>>> are not scanning every
>> >>>>> >> upstream source
>> >>>>> >> >> project
>> >>>>> >> >> > which is used to build
>> >>>>> cortex and telegraf.
>> >>>>> >> >> >
>> >>>>> >> >> > There are reasons why this
>> >>>>> service is very limited,
>> >>>>> >> and I hope this
>> >>>>> >> >> > is/was clear. Let me know
>> >>>>> if you need more information.
>> >>>>> >> >> >
>> >>>>> >> >> > Emilia
>> >>>>> >> >> >
>> >>>>> >> >> >
>> >>>>> >> >> >>
>> >>>>> >> >> >> ---------- Forwarded
>> >>>>> message ---------
>> >>>>> >> >> >> From:
>> >>>>> <security-team-toolbox-bot@xxxxxxxxxxxxx
>> >>>>> <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx>>
>> >>>>> >> >> >>
>> >>>>> <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx <mailto:
>> security-team-toolbox-bot@xxxxxxxxxxxxx>>>>
>> >>>>> >> >> >> Date: Sat, Mar 11, 2023
>> >>>>> at 6:03 AM
>> >>>>> >> >> >> Subject:
>> >>>>> [Ubuntu-docker-images] CVEs potentially
>> >>>>> >> affecting
>> >>>>> >> >> cortex and
>> >>>>> >> >> >> telegraf
>> >>>>> >> >> >> To:
>> >>>>> <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
>> >>>>> >> >> >>
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>>,
>> >>>>> >> >> >>
>> >>>>> <sergio.durigan@xxxxxxxxxxxxx
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx>>
>> >>>>> >> >>
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx
>> >>>>> <mailto:sergio.durigan@xxxxxxxxxxxxx>>>>,
>> >>>>> >> >> >>
>> >>>>> <emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>>
>> >>>>> >> >>
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx
>> >>>>> <mailto:emilia.torino@xxxxxxxxxxxxx>>>>,
>> >>>>> >> >> >>
>> >>>>> <alex.murray@xxxxxxxxxxxxx
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx>>
>> >>>>> >>
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
>> >>>>> <mailto:alex.murray@xxxxxxxxxxxxx>>>>,
>> >>>>> >> >> >>
>> >>>>> <simon.aronsson@xxxxxxxxxxxxx
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx>>
>> >>>>> >> >>
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx
>> >>>>> <mailto:simon.aronsson@xxxxxxxxxxxxx>>>>,
>> >>>>> >> >> >>
>> >>>>> <dylan.stephano-shachter@xxxxxxxxxxxxx
>> >>>>> <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx>>
>> >>>>> >> >> >>
>> >>>>> <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx <mailto:
>> dylan.stephano-shachter@xxxxxxxxxxxxx>>>>
>> >>>>> >> >> >>
>> >>>>> >> >> >>
>> >>>>> >> >> >> New CVEs affecting
>> >>>>> packages used to build upstream
>> >>>>> >> based rocks
>> >>>>> >> >> have been
>> >>>>> >> >> >> created in the Ubuntu CVE
>> >>>>> tracker:
>> >>>>> >> >> >>
>> >>>>> >> >> >> *
>> >>>>> https://github.com/gogo/protobuf
>> >>>>> <https://github.com/gogo/protobuf>
>> >>>>> >>
>> >>>>> <https://github.com/gogo/protobuf
>> >>>>> <https://github.com/gogo/protobuf>>
>> >>>>> >> >>
>> >>>>> <https://github.com/gogo/protobuf
>> >>>>> <https://github.com/gogo/protobuf>
>> >>>>> >>
>> >>>>> <https://github.com/gogo/protobuf
>> >>>>> <https://github.com/gogo/protobuf>>>:
>> >>>>> >> >> >> *
>> >>>>> https://github.com/hashicorp/consul
>> >>>>> <https://github.com/hashicorp/consul>
>> >>>>> >>
>> >>>>> <https://github.com/hashicorp/consul
>> >>>>> <https://github.com/hashicorp/consul>>
>> >>>>> >> >> >>
>> >>>>> <https://github.com/hashicorp/consul
>> >>>>> <https://github.com/hashicorp/consul>
>> >>>>> >>
>> >>>>> <https://github.com/hashicorp/consul
>> >>>>> <https://github.com/hashicorp/consul>>>:
>> >>>>> CVE-2023-0845
>> >>>>> >> >> >> *
>> >>>>> https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>
>> >>>>> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>>
>> >>>>> >> >> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus>
>> >>>>> >>
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>>> <https://github.com/prometheus/prometheus
>> >>>:
>> >>>>> >> >> >>
>> >>>>> >> >> >> Please review your rock
>> >>>>> to understand if it is
>> >>>>> >> affected by
>> >>>>> >> >> these CVEs.
>> >>>>> >> >> >>
>> >>>>> >> >> >> Thank you for your rock
>> >>>>> and for attending to this
>> >>>>> >> matter.
>> >>>>> >> >> >>
>> >>>>> >> >> >> References:
>> >>>>> >> >> >>
>> >>>>> >> >>
>> >>>>> >>
>> >>>>>
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>
>> >>>>> >> >> >>
>> >>>>> >> >>
>> >>>>> >>
>> >>>>> <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>>
>> >>>>> >> >> >>
>> >>>>> >> >> >>
>> >>>>> >> >> >>
>> >>>>> >> >> >> --
>> >>>>> >> >> >> Mailing list:
>> >>>>> >>
>> >>>>> https://launchpad.net/~ubuntu-docker-images
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images>
>> >>>>> >>
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images <
>> https://launchpad.net/~ubuntu-docker-images>>
>> >>>>> >> >> >>
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images <
>> https://launchpad.net/~ubuntu-docker-images>
>> >>>>> >>
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images <
>> https://launchpad.net/~ubuntu-docker-images>>>
>> >>>>> >> >> >> Post to :
>> >>>>> >> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
>> >>>>> >> >> >>
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >>>>> >>
>> >>>>> <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx <mailto:
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>
>> >>>>> >> >> >> Unsubscribe :
>> >>>>> >>
>> >>>>> https://launchpad.net/~ubuntu-docker-images
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images>
>> >>>>> >>
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images <
>> https://launchpad.net/~ubuntu-docker-images>>
>> >>>>> >> >> >>
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images <
>> https://launchpad.net/~ubuntu-docker-images>
>> >>>>> >>
>> >>>>> <
>> https://launchpad.net/~ubuntu-docker-images <
>> https://launchpad.net/~ubuntu-docker-images>>>
>> >>>>> >> >> >> More help :
>> >>>>> https://help.launchpad.net/ListHelp
>> >>>>> <https://help.launchpad.net/ListHelp>
>> >>>>> >>
>> >>>>> <https://help.launchpad.net/ListHelp
>> >>>>> <https://help.launchpad.net/ListHelp>>
>> >>>>> >> >> >>
>> >>>>> <https://help.launchpad.net/ListHelp
>> >>>>> <https://help.launchpad.net/ListHelp>
>> >>>>> >>
>> >>>>> <https://help.launchpad.net/ListHelp
>> >>>>> <https://help.launchpad.net/ListHelp>>>
>> >>>>> >> >> >>
>> >>>>> >> >> >>
>> >>>>> >> >> >> --
>> >>>>> >> >> >> Cris
>> >>>>> >> >>
>> >>>>> >> >>
>> >>>>> >> >>
>> >>>>> >> >> --
>> >>>>> >> >> Cris
>> >>>>> >>
>> >>>>> >>
>> >>>>> >>
>> >>>>> >> --
>> >>>>> >> Cris
>> >>>>> > ____
>> >>>>> >
>> >>>>> >
>> >>>>> >
>> >>>>> > --
>> >>>>> > Cris
>> >>>>>
>> >>>
>> >>>
>> >>> --
>> >>> Cris
>> >>
>> >>
>> >>
>> >> --
>> >> Cris
>> >
>> >
>> >
>> > --
>> > Cris
>>
>
--
Cris
Follow ups
References
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-05-31
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-05-31
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-22
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-06-27
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-28
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-07-03
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: David Lane, 2023-08-18
