
ubuntu-docker-images team mailing list archive

Re: memcached contains outdated Ubuntu packages


Hey Bryce,

On 22/4/21 16:14, Bryce Harrington wrote:
> Will these notices be available through any other sources besides email?
> (E.g. a bug tracker, trello board, ...?)

The security team does not track each CVE being processed on any
board today. The Ubuntu CVE Tracker
(https://git.launchpad.net/ubuntu-cve-tracker/tree/) is our main source
for vulnerability and patching tracking. There is an embargoed tree as
well, to which only people from the security team have access.

But we are indeed working on identifying process improvements (please
help me welcome Alex B, our new ESM manager :) and, if needed, we could add
support for issues affecting rocks before we publish them. Actually, Rick
mentioned the requirement of being notified about embargoed issues and
having the rock updated at the same time as the security update, which I
think is the scenario you are also considering?

Let me know if you have any questions.

Emi

> 
> Bryce
> 
> On Thu, Apr 22, 2021 at 03:53:05PM -0300, Emilia Torino wrote:
>> Ok, so this is what I could do without any review-tools code change: the
>> service sends the email to the publisher
>> (ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx) and the revision uploader
>> (sergio.durigan@xxxxxxxxxxxxx) as stated in the store DB, so I added
>> both in my store DB creator script, which is private. Unfortunately, those
>> fields do not accept a list of addresses, so I could not add Athos this
>> time (but I can add you both to the review-tools override when public).
>>
>> Also, FYI, Alex M and myself are always BCC'd on these emails, as you could
>> see (snaps and now rocks).
>>
>> Let me know if you have any further questions!
>>
>> Emi
>>
>> On 22/4/21 15:40, noreply@xxxxxxxxxxxxx wrote:
>>> A scan of this rock shows that it was built with packages from the Ubuntu
>>> archive that have since received security updates. The following lists new
>>> USNs for affected binary packages in each rock revision:
>>>
>>> Revision r2f395c76001a (amd64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
>>>  * tar: 4692-1
>>>
>>> Revision r5a1a57b7cd56 (ppc64el; channels: 1.5-20.04_edge)
>>>  * tar: 4692-1
>>>
>>> Revision r98aa361dac5c (arm64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
>>>  * tar: 4692-1
>>>
>>> Revision rb3bc22ed6a2b (s390x; channels: 1.5-20.04_edge)
>>>  * tar: 4692-1
>>>
>>> Simply rebuilding the rock will pull in the new security updates and
>>> resolve this. If your rock also contains vendored code, now might be a
>>> good time to review it for any needed updates.
>>>
>>> Thank you for your rock and for attending to this matter.
>>>
>>> References:
>>>  * https://ubuntu.com/security/notices/USN-4692-1/
>>>
>>
>> -- 
>> Mailing list: https://launchpad.net/~ubuntu-docker-images
>> Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>> More help   : https://help.launchpad.net/ListHelp
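The scan notice quoted in the thread has a regular shape (one "Revision ..." header per rock revision, followed by "package: USN-number" bullets). The parser below is an added example, not code from the thread or from the store's review tools; it turns a notice in that format into records, then lists which channels need a rebuild and which USN pages to read. The notice text it parses is a constructed sample modelled on the one above.

```python
import re
from typing import Dict, List

# Constructed sample in the same layout as the scan notice quoted in the thread.
SAMPLE_NOTICE = """\
A scan of this rock shows that it was built with packages from the Ubuntu
archive that have since received security updates. The following lists new
USNs for affected binary packages in each rock revision:

Revision r2f395c76001a (amd64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
 * tar: 4692-1

Revision r5a1a57b7cd56 (ppc64el; channels: 1.5-20.04_edge)
 * tar: 4692-1
"""

# "Revision <id> (<arch>; channels: <c1>, <c2>, ...)"
REVISION_RE = re.compile(r"^Revision (r[0-9a-f]+) \((\S+); channels: (.*)\)$")
# " * <binary package>: <USN number without the USN- prefix>"
PACKAGE_RE = re.compile(r"^\s*\*\s*(\S+): (\d+-\d+)$")


def parse_notice(text: str) -> List[Dict]:
    """Return one record per rock revision: id, arch, channels and package -> USN."""
    revisions: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = REVISION_RE.match(line)
        if m:
            current = {
                "revision": m.group(1),
                "arch": m.group(2),
                "channels": [c.strip() for c in m.group(3).split(",")],
                "packages": {},
            }
            revisions.append(current)
            continue
        m = PACKAGE_RE.match(line)
        if m and current is not None:
            current["packages"][m.group(1)] = "USN-" + m.group(2)
    return revisions


def affected_channels(revisions: List[Dict]) -> List[str]:
    """Channels serving at least one affected revision, i.e. the ones to rebuild and republish."""
    return sorted({ch for r in revisions for ch in r["channels"]})


def usn_urls(revisions: List[Dict]) -> List[str]:
    """Deduplicated Ubuntu Security Notice URLs for everything the scan flagged."""
    return sorted({f"https://ubuntu.com/security/notices/{usn}/"
                   for r in revisions for usn in r["packages"].values()})
```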