ubuntu-docker-images team mailing list archive
Message #00051
Re: CVEs potentially affecting upstream based ROCKs
On Tuesday, July 27 2021, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> New CVEs affecting packages used to build upstream based rocks have been
> created in the Ubuntu CVE tracker:
>
> * https://github.com/prometheus/prometheus:
> * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
> * https://github.com/gogo/protobuf:
>
> Please review your rock to understand if it is affected by these CVEs.
>
> Thank you for your rock and for attending to this matter.
>
> References:
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213

Hi Emi,

I found the message above a bit confusing. There are three components
listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
only one (hashicorp/consul) has CVEs listed for it. Do the other two
components also have CVEs opened against them? Is there any reason why
they're being listed in the message?

Thanks!

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14