observability team mailing list archive

Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf

 



On 18/8/23 04:03, Cristovao Cordeiro wrote:
> Thank you for the information @David Lane.
>
> I think this is a good summary that could be registered somewhere (like a doc) so that our image maintainers can read it before making requests for new images. Up to now, I've been using https://docs.google.com/document/d/1kV4SQqKG-5zkSYdlNIhIHXMmDcjfXoIlX-8KSi3xBCg/edit#heading=h.z1vggsp50vj8 as a reference. I think @Emilia Torino has access to this doc, so maybe it could be updated with that great summary?

That doc was created once as a summary for a manager, and does not even have the Canonical spec format, so I would say we should have a better deliverable. I will discuss this with David and let you know.

> Btw, are you planning on starting to publish said notifications via the Event Bus? That would be a nice step towards automating image rebuilds...

I will leave this to David, but this is not in our plans at all afaik. It's my understanding that the super distro story should take care of this instead.

But in the meantime, have you seen this spec by the Charmed Kubeflow team? https://docs.google.com/document/d/1U4eH0P-HeFOuKzAv8aEeZAwfjlGZ8SAsahpNZHgXk-k/edit. Someone in our team is helping them with security related items and he shared that doc with me. Seems they built a process and CI to scan and manage CVEs for their ROCK images.



On Fri, Aug 18, 2023 at 2:52 AM David Lane <david.lane@xxxxxxxxxxxxx> wrote:

    Hi Cristovao, Luca and co,

    I thought it might be useful if I provide just a brief high-level
    overview of how our ROCK notification service works so you can
    understand the limitations we have, particularly around ROCKS built
    from upstream repos rather than debs.

      * All of the ROCKS notification services are based on USNs we
        publish or CVEs in the Ubuntu CVE Tracker (UCT).
          o Important: USNs and UCT are focused purely on deb packages
            in the Ubuntu archives. Therefore if it's not a deb, we have
            no information about it.
      * Some ROCKS are built with a manifest specifying which deb
        packages they are composed of.
          o For a subset[1] of these, we alert if the package version in
            that ROCK needs to be updated because a USN has been
            published for it.
      * Separate from that, we have a list of some specific projects[2]
        which we know are used to build some ROCKS, *AND* (coincidentally
        _but importantly_) for which a deb package exists in the Ubuntu
        archives.
          o Because we have a package in the archive representing
            some version of these upstream projects, information about
            CVEs affecting them is available to us.
          o If we identify a CVE in one of those deb packages that
            represents the 'upstream' project used to build a ROCK, we
            notify you that we've seen a CVE.
          o *Note / limitation:* We have no information about these
            upstream repos or what exact version of upstream goes into
            the ROCKS. We only know that you're interested in that
            project and we have some information about it because there
            is a deb for it in the archive and therefore we get CVE
            information and pass that directly onto yourselves.

    [1]: ROCKS built with debs that we can alert for when a USN affects
    them:
      - apache2, bind9, charmed-opensearch, kafka, memcached, mlflow,
        nginx, postgres, redis, squid, zookeeper
    [2]: 'upstream' packages that also have debs and therefore CVE
    information in UCT:
      - consul, golang-gogoprotobuf, prometheus,
        prometheus-alertmanager, (and now also) ca-certificates

    David.

    On Fri, Aug 18, 2023 at 3:14 AM Emilia Torino
    <emilia.torino@xxxxxxxxxxxxx> wrote:



        On 17/8/23 12:51, Cristovao Cordeiro wrote:
         > Alright, thanks. So not much. I'll leave it up to you @Emilia
         > Torino whether you think partial monitoring of these images is
         > worth it. I'd say, only if it is a no-op for you.

        Adding CVE notifications affecting ca-certificates is simple, I
        have just done it. For this service we don't fetch/inspect ROCKs
        at all, so it's not even resource consuming.

         >
         > On Thu, Aug 17, 2023 at 4:02 PM Luca Bello
         > <luca.bello@xxxxxxxxxxxxx> wrote:
         >
         >     Well yes, in pretty much all of our rocks we add the
         >     `ca-certificates` package for TLS operations:
         >     https://packages.ubuntu.com/search?keywords=ca-certificates
         >
         >     We technically use things like `npm`, `nodejs` and `go`
         >     for builds, but I think that's not particularly relevant.
         >
         >
         >     Cheers,
         >
         >     Luca
         >
         >     On 17/08/2023 15:28, Cristovao Cordeiro wrote:
         >>     Well, I'd need to inspect every one of those images before
         >>     making such a statement, *but*, I'd risk saying that these
         >>     images, although snap-/source-based, might also have
         >>     additional debs, on top of the base `ubuntu` image, that
         >>     deserve monitoring. @Luca Bello can you please confirm
         >>     that? I.e. if any of your snap-/source-based ROCKs also has
         >>     additional debs installed, then it's probably worth
         >>     monitoring them nonetheless.
         >>
         >>     On Thu, Aug 17, 2023 at 2:58 PM Emilia Torino
         >>     <emilia.torino@xxxxxxxxxxxxx> wrote:
         >>
         >>         Hi!
         >>
         >>         On Thu, Aug 17, 2023 at 9:53 AM Luca Bello
         >>         <luca.bello@xxxxxxxxxxxxx> wrote:
         >>
         >>             Hi everyone,
         >>
         >>             that's correct, SeaweedFS is postponed :)
         >>
         >>             On 17/08/2023 14:50, Cristovao Cordeiro wrote:
         >>>             Hi everyone,
         >>>
         >>>             here's a ping just to revive this thread.
         >>>
         >>>             @Emilia Torino you might have received some GH
         >>>             notifications from me, which are related to
         >>>             @Luca Bello's images which are now being prepared
         >>>             to be published.
         >>
         >>
         >>         Yes, I got them and I was also going to ping you all
         >>         since from our last discussion I said:
         >>
         >>         "I did a search over the provided sources and only
         >>         found one case where we have the project as a deb in
         >>         the archive, which is alertmanager:
         >>         https://launchpad.net/ubuntu/+source/prometheus-alertmanager.
         >>         So unless you can confirm there are other debs in the
         >>         archive matching the remaining upstream projects,
         >>         alertmanager is the only one we can add to our CVEs
         >>         monitoring service. I can add it right now."
         >>
         >>>             I'm updating the list from above with the
         >>>             Docker Hub repos that should be monitored:
         >>>
         >>>             * Alertmanager (https://github.com/prometheus/alertmanager)
         >>>               -> https://hub.docker.com/r/ubuntu/alertmanager (new)
         >>>             * Grafana Agent (https://github.com/grafana/agent)
         >>>               -> https://hub.docker.com/r/ubuntu/grafana-agent (new)
         >>>             * Grafana (https://github.com/grafana/grafana)
         >>>               -> https://hub.docker.com/r/ubuntu/grafana
         >>>             * Loki (https://github.com/grafana/loki)
         >>>               -> https://hub.docker.com/r/ubuntu/loki
         >>>             * Mimir (https://github.com/grafana/mimir)
         >>>               -> https://hub.docker.com/r/ubuntu/mimir (new)
         >>>             * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
         >>>             * Traefik (https://github.com/traefik/traefik)
         >>>               -> https://hub.docker.com/r/ubuntu/traefik (new)
         >>
         >>         So unfortunately, all others can't be monitored with the
         >>         existing solution.
         >>
         >>>
         >>>             [1] @Luca Bello is this one postponed?
         >>>
         >>>             On Mon, Jul 3, 2023 at 9:37 AM Luca Bello
         >>>             <luca.bello@xxxxxxxxxxxxx> wrote:
         >>>
         >>>                 Hi Emilia,
         >>>
         >>>                 that's great; thanks for following through!
         >>>
         >>>
         >>>                 Cheers,
         >>>
         >>>                 Luca
         >>>
         >>>                 On 28/06/2023 22:18, Emilia Torino wrote:
         >>>>                 Hi Luca,
         >>>>
         >>>>                 On Tue, Jun 27, 2023 at 5:11 AM Luca Bello
         >>>>                 <luca.bello@xxxxxxxxxxxxx> wrote:
         >>>>
         >>>>                     Hi Emilia,
         >>>>
         >>>>                     I did not look into it as our short-term
         >>>>                     priorities changed a little bit; if you
         >>>>                     need anything else from my side please
         >>>>                     let me know!
         >>>>
         >>>>
         >>>>                 I did a search over the provided sources and
         >>>>                 only found one case where we have the project
         >>>>                 as a deb in the archive, which is alertmanager:
         >>>>                 https://launchpad.net/ubuntu/+source/prometheus-alertmanager
         >>>>
         >>>>                 So unless you can confirm there are other debs
         >>>>                 in the archive matching the remaining upstream
         >>>>                 projects, alertmanager is the only one we can
         >>>>                 add to our CVEs monitoring service. I can add
         >>>>                 it right now.
         >>>>
         >>>>                 Let me know if you have any questions.
         >>>>
         >>>>                 Emilia
         >>>>
         >>>>
         >>>>                     Cheers,
         >>>>
         >>>>                     Luca
         >>>>
         >>>>                     On 22/06/2023 17:37, Emilia Torino wrote:
         >>>>>                     Hi all,
         >>>>>
         >>>>>                     Following up on this issue...
         >>>>>
         >>>>>                     On Fri, Jun 9, 2023 at 12:41 PM Emilia
         >>>>>                     Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
         >>>>>
         >>>>>                         Hi all,
         >>>>>
         >>>>>                         On 9/6/23 06:20, Cristovao Cordeiro wrote:
         >>>>>                         > Sounds good to me. @Emilia Torino do
         >>>>>                         > you need those repos to exist in
         >>>>>                         > Docker Hub before you can onboard these?
         >>>>>
         >>>>>                         We don't. Since we don't scan the
         >>>>>                         upstream based ROCKs (we only need
         >>>>>                         this for the deb based ones).
         >>>>>
         >>>>>                         >
         >>>>>                         > On Fri, Jun 9, 2023 at 10:42 AM Luca
         >>>>>                         > Bello <luca.bello@xxxxxxxxxxxxx> wrote:
         >>>>>                         >
         >>>>>                         >     Hello everyone,
         >>>>>                         >
         >>>>>                         >     as mentioned before, the ROCKs we
         >>>>>                         >     have are all based on upstream
         >>>>>                         >     projects; the list is the
         >>>>>                         >     following, as required:
         >>>>>                         >
         >>>>>                         >     * Alertmanager
         >>>>>                         >       (https://github.com/prometheus/alertmanager)
         >>>>>                         >     * Grafana Agent
         >>>>>                         >       (https://github.com/grafana/agent)
         >>>>>                         >     * Grafana
         >>>>>                         >       (https://github.com/grafana/grafana)
         >>>>>                         >     * Loki
         >>>>>                         >       (https://github.com/grafana/loki)
         >>>>>                         >     * Mimir
         >>>>>                         >       (https://github.com/grafana/mimir)
         >>>>>                         >     * SeaweedFS
         >>>>>                         >       (https://github.com/seaweedfs/seaweedfs)
         >>>>>                         >     * Traefik
         >>>>>                         >       (https://github.com/traefik/traefik)
         >>>>>                         >
         >>>>>                         >     Please let me know if any of
         >>>>>                         >     these qualifies!
         >>>>>
         >>>>>                         I am not sure how urgent this is,
         >>>>>                         but if you help me identify the
         >>>>>                         Ubuntu source packages associated we
         >>>>>                         can make this faster. Otherwise we
         >>>>>                         can work on this next week.
         >>>>>
         >>>>>
         >>>>>                     Did you have a chance to check this?
         >>>>>
         >>>>>
         >>>>>                         >
         >>>>>                         >
         >>>>>                         >     Cheers,
         >>>>>                         >
         >>>>>                         >     Luca
         >>>>>                         >
         >>>>>                         >     On 31/05/2023 18:29, Cristovao
         >>>>>                         >     Cordeiro wrote:
         >>>>>                         >>
         >>>>>                         >>         So the only change from our
         >>>>>                         >>         side will be to add
         >>>>>                         >>         prometheus to the email
         >>>>>                         >>         notification subject (or I
         >>>>>                         >>         guess we can just simply
         >>>>>                         >>         replace it with "CVEs
         >>>>>                         >>         potentially affecting
         >>>>>                         >>         upstream based ROCKs"). Are
         >>>>>                         >>         the email recipients the
         >>>>>                         >>         same ones for the other ones?
         >>>>>                         >>
         >>>>>                         >>
         >>>>>                         >>     I think that would be fine for
         >>>>>                         >>     now. I'm reluctant to use the
         >>>>>                         >>     mailing list as a catch-all,
         >>>>>                         >>     but I think we can re-design
         >>>>>                         >>     this once there is an event bus
         >>>>>                         >>     at Canonical, so we rely less
         >>>>>                         >>     on emails.
         >>>>>                         >>
         >>>>>                         >>     As for the other 10 ROCKs,
         >>>>>                         >>     @Luca Bello let's first do the
         >>>>>                         >>     right due diligence on those,
         >>>>>                         >>     cause if a ROCK is not meant to
         >>>>>                         >>     be under the "ubuntu" namespace,
         >>>>>                         >>     then this security monitoring
         >>>>>                         >>     doesn't need to apply.
         >>>>>                         >>
         >>>>>                         >>     On Wed, May 31, 2023 at 3:58 PM
         >>>>>                         >>     Emilia Torino
         >>>>>                         >>     <emilia.torino@xxxxxxxxxxxxx>
         >>>>>                         >>     wrote:
         >>>>>                         >>
         >>>>>                         >>
         >>>>>                         >>         Hi all,
         >>>>>                         >>
         >>>>>                         >>         On 31/5/23 04:03, Luca
        Bello wrote:
         >>>>>                         >>         > Hi everyone,
         >>>>>                         >>         >
         >>>>>                         >>         > as said in the
        thread already,
         >>>>>                         the prometheus image is
         >>>>>                         >>         indeed a ROCK
         >>>>>                         >>         > based on the
         >>>>>                         *prometheus/prometheus* repository.
         >>>>>                         >>
         >>>>>                         >>         That's very
        convenient. But just
         >>>>>                         to be clear again, we are not
         >>>>>                         >>  "inspecting" the upstream
        based rocks
         >>>>>                         the same way we do for
         >>>>>                         >>         the deb
         >>>>>                         >>         based ones. We are only
         >>>>>                         monitoring new CVEs created for
         >>>>>                         >>         prometheus,
         >>>>>                         >>         protobuf and consul.
        So the only
         >>>>>                         change from our side will be
         >>>>>                         >>         to add
         >>>>>                         >>         prometheus to the email
         >>>>>                         notification subject (or I guess we
         >>>>>                         >>         can just
         >>>>>                         >>         simple replace it with
        "CVEs
         >>>>>                         potentially affecting upstream based
         >>>>>                         >>         ROCKs"). Are the email
         >>>>>                         recipients the same ones for the
        other
         >>>>>                         >>         ones?
         >>>>>                         >>
         >>>>>                         >>         >
         >>>>>                         >>         > We're in the process of
         >>>>>                         updating all of our ROCKs in a
         >>>>>                         >>         similar way,
         >>>>>                         >>         > meaning we want to
        make sure
         >>>>>                         we are complying with any
         >>>>>                         >>         guidelines you
         >>>>>                         >>         > might have on them.
         >>>>>                         >>         > We have about 10
        ROCKs at the
         >>>>>                         moment, mostly based on
         >>>>>                         >>         upstream projects
         >>>>>                         >>         > just like this one.
        Should I
         >>>>>                         share the full list, so you can
         >>>>>                         >>         track them?
         >>>>>                         >>
         >>>>>                         >>         I am happy to do an
        analysis of
         >>>>>                         this list to see if we can add
         >>>>>                         >>         more. The
         >>>>>                         >>         short answer would be
        that if
         >>>>>                         the software is packaged as a
         >>>>>                         >>         deb in main
         >>>>>                         >>         or universe (which is the
         >>>>>                         situation for prometheus, protobuf
         >>>>>                         >>         and consul)
         >>>>>                         >>         then we can simply add
        them.
         >>>>>                         This is because the service is
         >>>>>                         >>         based on the
         >>>>>                         >>         existing CVE triage
        work the
         >>>>>                         security team does, which is
         >>>>>                         >>         mainly for
         >>>>>                         >>         debs (although now is
        being
         >>>>>                         extended to other ecosystems
         >>>>>                         >>         because of SOSS
         >>>>>                         >>         but it is still
        limited and
         >>>>>                         mainly supporting NVIDIA software).
         >>>>>                         >>
         >>>>>                         >>         A simple improvement
        though
         >>>>>                         could be to map the projects to
         >>>>>                         >>         the rocks so
         >>>>>                         >>         you dont get a general
         >>>>>                         notification, but one per ROCK as the
         >>>>>                         >>         USNs/debs
         >>>>>                         >>         based service does. We
        can work
         >>>>>                         on adding this for the next cycle.
         >>>>>                         >>
         >>>>>                         >>         >
         >>>>>                         >>         >
>>>>> >> > Cheers,
>>>>> >> >
>>>>> >> > Luca
>>>>> >> >
>>>>> >> >
>>>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
>>>>> >> >> Thank you for the swift action, Emilia!
>>>>> >> >>
>>>>> >> >> > Does this relate to a question being asked some hours ago in ~Security
>>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>> >> >>
>>>>> >> >> Yes, precisely. @Luca Bello <mailto:luca.bello@xxxxxxxxxxxxx> is in the process of updating that image and we're re-doing our due diligence.
>>>>> >> >> Luca can confirm, but this seems to be a ROCK based precisely on that upstream Prometheus repository that you are already monitoring (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
>>>>> >> >>
>>>>> >> >> Can we then add this image to your list of tracked ROCKs?
>>>>> >> >>
>>>>> >> >>
>>>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
>>>>> >> >>
>>>>> >> >>  Hey all,
>>>>> >> >>
>>>>> >> >>  On 30/5/23 13:14, Emilia Torino wrote:
>>>>> >> >>  > Hi Cristovao,
>>>>> >> >>  >
>>>>> >> >>  > On 30/5/23 09:41, Cristovao Cordeiro wrote:
>>>>> >> >>  >> Hi Emilia,
>>>>> >> >>  >>
>>>>> >> >>  >> could you please confirm the `prometheus` container image is being monitored?
>>>>> >> >>  >
>>>>> >> >>  > I don't see prometheus being monitored by our services (not as a rock based on upstream source code nor as a rock based on debs). Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
>>>>> >> >>  >
>>>>> >> >>  >
>>>>> >> >>  > These emails' subject only mentions cortex and telegraf, but
>>>>> >> >>  >> I can see "https://github.com/prometheus/prometheus" in the body of the email.
>>>>> >> >>  >
>>>>> >> >>  > Apologize for the confusion, this sounds like a bug in the email content generator code. I will take a look at it later.
>>>>> >> >>
>>>>> >> >>  I investigated this bug and it should be solved already. There was an issue in the past, but we fixed it already. I thought it could be related, but I see the notification you are asking about is from March. If you check, the last notification sent on Thu, May 4, 2:03 AM is correctly reporting about a single package (cortex only).
>>>>> >> >>
>>>>> >> >>  Let me know if you have any further questions.
>>>>> >> >>
>>>>> >> >>  > In this case, only a new CVE affecting consul has been created in our tracker
>>>>> >> >>  > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
>>>>> >> >>  >
>>>>> >> >>  > Still, this does not mean cortex and telegraf are affected, since this needs triage (i.e. understand if the code/version present in the rocks are indeed vulnerable).
>>>>> >> >>  >
>>>>> >> >>  > FYI the reason why https://github.com/prometheus/prometheus (and also https://github.com/gogo/protobuf) are listed in this email is because these 3 are the *only* upstream projects we are monitoring (because of the bug the 3 are incorrectly listed in the email, only consul should be). In other words, we are not scanning every upstream source project which is used to build cortex and telegraf.
>>>>> >> >>  >
>>>>> >> >>  > There are reasons why this service is very limited, and I hope this is/was clear. Let me know if you need more information.
>>>>> >> >>  >
>>>>> >> >>  > Emilia
>>>>> >> >>  >
>>>>> >> >>  >
>>>>> >> >>  >>
>>>>> >> >>  >> ---------- Forwarded message ---------
>>>>> >> >>  >> From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
>>>>> >> >>  >> Date: Sat, Mar 11, 2023 at 6:03 AM
>>>>> >> >>  >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
>>>>> >> >>  >> To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>, <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>, <alex.murray@xxxxxxxxxxxxx>, <simon.aronsson@xxxxxxxxxxxxx>, <dylan.stephano-shachter@xxxxxxxxxxxxx>
>>>>> >> >>  >>
>>>>> >> >>  >>
>>>>> >> >>  >> New CVEs affecting packages used to build upstream based rocks have been created in the Ubuntu CVE tracker:
>>>>> >> >>  >>
>>>>> >> >>  >> * https://github.com/gogo/protobuf:
>>>>> >> >>  >> * https://github.com/hashicorp/consul: CVE-2023-0845
>>>>> >> >>  >> * https://github.com/prometheus/prometheus:
>>>>> >> >>  >>
>>>>> >> >>  >> Please review your rock to understand if it is affected by these CVEs.
>>>>> >> >>  >>
>>>>> >> >>  >> Thank you for your rock and for attending to this matter.
>>>>> >> >>  >>
>>>>> >> >>  >> References:
>>>>> >> >>  >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
>>>>> >> >>  >>
>>>>> >> >>  >>
>>>>> >> >>  >>
>>>>> >> >>  >> --
>>>>> >> >>  >> Mailing list: https://launchpad.net/~ubuntu-docker-images
>>>>> >> >>  >> Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>>>> >> >>  >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>>>>> >> >>  >> More help   : https://help.launchpad.net/ListHelp
>>>>> >> >>  >>
>>>>> >> >>  >>
>>>>> >> >>  >> --
>>>>> >> >>  >> Cris



--
Cris

