ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs

Hey Sergio,

On 29/7/21 11:45, Sergio Durigan Junior wrote:
> On Tuesday, July 27 2021, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> 
>> New CVEs affecting packages used to build upstream based rocks have been
>> created in the Ubuntu CVE tracker:
>>
>> * https://github.com/prometheus/prometheus:
>> * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
>> * https://github.com/gogo/protobuf:
>>
>> Please review your rock to understand if it is affected by these CVEs.
>>
>> Thank you for your rock and for attending to this matter.
>>
>> References:
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213
> 
> Hi Emi,
> 
> I found the message above a bit confusing.  There are three components
> listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
> only one (hashicorp/consul) has CVEs listed for it.  Do the other two
> components also have CVEs opened against them? 

You are correct, this msg is confusing. Only CVEs affecting consul have
been created this time.

> Is there any reason why
> they're being listed in the message?

This is a bug in our service. Since these are the 3 upstream
repositories we are monitoring, the template msg is incorrectly adding
the 3 when in this case, it should only list consul. I will add this bug
to our queue to fix it asap.

> 
> Thanks!

Thank you!
