ubuntu-docker-images team mailing list archive
Message #00013
Re: memcached contains outdated Ubuntu packages
-
To:
Bryce Harrington <bryce.harrington@xxxxxxxxxxxxx>
-
From:
Emilia Torino <emilia.torino@xxxxxxxxxxxxx>
-
Date:
Thu, 22 Apr 2021 19:52:18 -0300
-
Cc:
ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx, alex.burrage@xxxxxxxxxxxxx
-
In-reply-to:
<20210422191402.GI3559177@bryceharrington.org>
-
User-agent:
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

Hey Bryce,

On 22/4/21 16:14, Bryce Harrington wrote:
> Will these notices be available through any other sources besides email?
> (E.g. a bug tracker, trello board, ...?)

The security team does not track each CVE that is being processed in any
board today. The Ubuntu CVE Tracker
(https://git.launchpad.net/ubuntu-cve-tracker/tree/) is our main source
for vulnerabilities and patching tracking. There is an embargoed tree as
well where only people from the security team have access.

But we are indeed working on identifying process improvements (please
help me welcome Alex B, our new ESM manager :) and if needed we could add
support for issues affecting rocks before we publish them. Actually Rick
mentioned the requirement of being notified about embargoed issues and
the rock being updated at the same time as the security update, which I
think is the scenario you are also considering?

Let me know if you have any questions.

Emi

>
> Bryce
>
> On Thu, Apr 22, 2021 at 03:53:05PM -0300, Emilia Torino wrote:
>> Ok so this is what I could do without any review tools code change: the
>> service sends the email to the publisher
>> (ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx) and the revision uploader
>> (sergio.durigan@xxxxxxxxxxxxx) as stated in the store db, so I added
>> both in my store db creator script which is private. Unfortunately those
>> fields do not accept a list of addresses so I could not add Athos this
>> time (but I can add you both to the review-tools override when public)
>>
>> Also, FYI Alex M and myself are always BCC to these emails as you could
>> see (snaps and now rocks)
>>
>> Let me know if you have any further questions!
>>
>> Emi
>>
>> On 22/4/21 15:40, noreply@xxxxxxxxxxxxx wrote:
>>> A scan of this rock shows that it was built with packages from the Ubuntu
>>> archive that have since received security updates. The following lists new
>>> USNs for affected binary packages in each rock revision:
>>>
>>> Revision r2f395c76001a (amd64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
>>> * tar: 4692-1
>>>
>>> Revision r5a1a57b7cd56 (ppc64el; channels: 1.5-20.04_edge)
>>> * tar: 4692-1
>>>
>>> Revision r98aa361dac5c (arm64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
>>> * tar: 4692-1
>>>
>>> Revision rb3bc22ed6a2b (s390x; channels: 1.5-20.04_edge)
>>> * tar: 4692-1
>>>
>>> Simply rebuilding the rock will pull in the new security updates and
>>> resolve this. If your rock also contains vendored code, now might be a
>>> good time to review it for any needed updates.
>>>
>>> Thank you for your rock and for attending to this matter.
>>>
>>> References:
>>> * https://ubuntu.com/security/notices/USN-4692-1/
>>>
>>
>> --
>> Mailing list: https://launchpad.net/~ubuntu-docker-images
>> Post to : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>> More help : https://help.launchpad.net/ListHelp
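
Because these notices reach the publisher only by email, anyone who wants them in a tracker has to parse the message body. The following is an added example, not part of this thread or of the review tools: it parses the notice layout quoted above and groups the affected channels and architectures by USN. Accepting several comma-separated USNs per package is an assumption; the notice here lists one.

```python
import re
from collections import defaultdict

# Notice body as quoted in the thread above (quote markers stripped).
NOTICE = """\
Revision r2f395c76001a (amd64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
 * tar: 4692-1

Revision r5a1a57b7cd56 (ppc64el; channels: 1.5-20.04_edge)
 * tar: 4692-1

Revision r98aa361dac5c (arm64; channels: 1.5-20.04_edge, 1.5-20.04_beta)
 * tar: 4692-1

Revision rb3bc22ed6a2b (s390x; channels: 1.5-20.04_edge)
 * tar: 4692-1
"""

REVISION = re.compile(r"^Revision (\S+) \(([^;]+); channels: ([^)]*)\)$")
PACKAGE = re.compile(r"^\* ([^:\s]+): (.+)$")


def parse_notice(text):
    """Return a list of {revision, arch, channels, packages} dicts."""
    revisions, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quote prefixes
        if m := REVISION.match(line):
            channels = [c.strip() for c in m[3].split(",") if c.strip()]
            current = {"revision": m[1], "arch": m[2].strip(),
                       "channels": channels, "packages": {}}
            revisions.append(current)
        elif (m := PACKAGE.match(line)) and current is not None:
            # Assumption: multiple USNs for one package are comma-separated.
            current["packages"][m[1]] = [u.strip() for u in m[2].split(",")]
    return revisions


def channels_by_usn(revisions):
    """Map 'USN-<id>' -> {channel: sorted architectures listed for it}."""
    out = defaultdict(lambda: defaultdict(set))
    for rev in revisions:
        for usns in rev["packages"].values():
            for usn in usns:
                for channel in rev["channels"]:
                    out[f"USN-{usn}"][channel].add(rev["arch"])
    return {u: {c: sorted(a) for c, a in ch.items()} for u, ch in out.items()}
```
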