ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs

On Thursday, July 29 2021, Emilia Torino wrote:

> Hey Sergio,
>
> On 29/7/21 11:45, Sergio Durigan Junior wrote:
>> On Tuesday, July 27 2021, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
>> 
>>> New CVEs affecting packages used to build upstream based rocks have been
>>> created in the Ubuntu CVE tracker:
>>>
>>> * https://github.com/prometheus/prometheus:
>>> * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
>>> * https://github.com/gogo/protobuf:
>>>
>>> Please review your rock to understand if it is affected by these CVEs.
>>>
>>> Thank you for your rock and for attending to this matter.
>>>
>>> References:
>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213
>> 
>> Hi Emi,
>> 
>> I found the message above a bit confusing.  There are three components
>> listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
>> only one (hashicorp/consul) has CVEs listed for it.  Do the other two
>> components also have CVEs opened against them? 
>
> You are correct, this msg is confusing. Only CVEs affecting consul have
> been created this time.
>
>> Is there any reason why
>> they're being listed in the message?
>
> This is a bug in our service. Since these are the 3 upstream
> repositories we are monitoring, the template msg is incorrectly adding
> the 3 when in this case, it should only list consul. I will add this bug
> to our queue to fix it asap.

Aha!  Thank you for the clarification (and for working on this!).

Cheers,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14
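The template defect Emilia describes, as an added illustration that is not the security team's own tooling: a "buggy" renderer that prints every monitored repository regardless of whether it has new CVEs, beside a fixed renderer that lists only repositories with at least one CVE and builds the reference list from exactly those CVEs. The repository names, CVE ids and tracker URL are taken from the thread; the data structures, function names and the idea of skipping the mail entirely when nothing is affected are assumptions.

```python
"""Constructed example: rendering a per-rock CVE notification so that only
upstream repositories with newly created CVEs are listed.  Not the Ubuntu
security team's tooling; the input data below mirrors the thread."""

import re
from typing import Dict, List, Optional

# Assumed: the three upstream repositories monitored for this rock.
MONITORED_REPOS = [
    "https://github.com/prometheus/prometheus",
    "https://github.com/hashicorp/consul",
    "https://github.com/gogo/protobuf",
]

# Constructed input matching the thread: only consul has new CVEs this time.
NEW_CVES: Dict[str, List[str]] = {
    "https://github.com/hashicorp/consul": ["CVE-2021-32574", "CVE-2021-36213"],
}

TRACKER_BASE = "https://git.launchpad.net/ubuntu-cve-tracker/tree/active/"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

HEADER = [
    "New CVEs affecting packages used to build upstream based rocks have been",
    "created in the Ubuntu CVE tracker:",
    "",
]
FOOTER = [
    "",
    "Please review your rock to understand if it is affected by these CVEs.",
    "",
    "Thank you for your rock and for attending to this matter.",
    "",
    "References:",
]


def affected_repos(monitored: List[str], new_cves: Dict[str, List[str]]) -> List[str]:
    """Return only the monitored repos that actually have new CVEs, in monitored order.
    Malformed CVE ids are rejected so a bad tracker entry cannot leak into the mail."""
    for repo, cves in new_cves.items():
        for cve in cves:
            if not CVE_RE.match(cve):
                raise ValueError(f"malformed CVE id {cve!r} for {repo}")
    return [r for r in monitored if new_cves.get(r)]


def render_buggy(monitored: List[str], new_cves: Dict[str, List[str]]) -> str:
    """Behaviour described in the thread: every monitored repo is printed even
    when its CVE list is empty, producing bare bullets like '* <repo>:'."""
    lines = list(HEADER)
    for repo in monitored:
        lines.append(f"* {repo}: {', '.join(new_cves.get(repo, []))}".rstrip())
    return "\n".join(lines)


def render_fixed(monitored: List[str], new_cves: Dict[str, List[str]]) -> Optional[str]:
    """Fixed rendering: list only repos with at least one CVE, and derive the
    reference list from exactly those CVEs (deduplicated, sorted).  Returns None
    when nothing is affected so the caller can skip sending the mail."""
    affected = affected_repos(monitored, new_cves)
    if not affected:
        return None
    lines = list(HEADER)
    for repo in affected:
        lines.append(f"* {repo}: {', '.join(new_cves[repo])}")
    lines += FOOTER
    refs = sorted({cve for repo in affected for cve in new_cves[repo]})
    lines += [TRACKER_BASE + cve for cve in refs]
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- buggy ---")
    print(render_buggy(MONITORED_REPOS, NEW_CVES))
    print("--- fixed ---")
    print(render_fixed(MONITORED_REPOS, NEW_CVES))
```

Running the module prints the two renderings side by side: the buggy one reproduces the bare `* https://github.com/prometheus/prometheus:` bullets from the original notification, while the fixed one mentions only consul and lists each of its two CVEs once in the bullet and once in the references.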