ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs


On Thu, Jul 29, 2021 at 11:57:30AM -0300, Emilia Torino wrote:
Hey Sergio,

On 29/7/21 11:45, Sergio Durigan Junior wrote:
On Tuesday, July 27 2021, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:

New CVEs affecting packages used to build upstream based rocks have been
created in the Ubuntu CVE tracker:

* https://github.com/prometheus/prometheus:
* https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
* https://github.com/gogo/protobuf:

Please review your rock to understand if it is affected by these CVEs.

Thank you for your rock and for attending to this matter.

References:
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213

Hi Emi,

I found the message above a bit confusing.  There are three components
listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
only one (hashicorp/consul) has CVEs listed for it.  Do the other two
components also have CVEs opened against them?

You are correct, this msg is confusing. Only CVEs affecting consul have
been created this time.

Hi Emilia,

Would it be possible for the Go related CVE alerts to be reported in a
package level instead of in a module level?

e.g., CVE-2021-36213: github.com/hashicorp/consul/agent/xds,
github.com/hashicorp/consul/agent, ...

This would make it easier to determine whether one of our ROCKs is
affected by the vulnerability and aid in taking decisions on
how to act on them.

Moreover, am I correct if I suppose the tooling generating these alerts
knows which ROCKs are possibly affected by the CVE? If so, would it be
possible to also include that information here?

Finally, I did check that prometheus, telegraph, prometheus-alertmanager
and cortex should be the candidates to be affected here. So far,
prometheus and telegraph only use github.com/hashicorp/consul/api and
should not be affected.


Is there any reason why
they're being listed in the message?

This is a bug in our service. Since these are the 3 upstream
repositories we are monitoring, the template msg is incorrectly adding
the 3 when in this case, it should only list consul. I will add this bug
to our queue to fix it asap.


Thanks!

Thank you!



--
Mailing list: https://launchpad.net/~ubuntu-docker-images
Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~ubuntu-docker-images
More help   : https://help.launchpad.net/ListHelp

--
Athos Ribeiro
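A package-level triage check of the kind asked for above, written as an added example for this archive page; it is not part of the thread nor of the alerting service Emilia describes. It assumes a dependency list produced by `go list -deps ./...` (one import path per line) and uses the two consul package paths quoted in the message as the affected set for CVE-2021-36213; that list is illustrative, and the dependency outputs below are constructed, not captured from any real rock build. The check separates "the affected module is in the build graph" from "an affected package is actually imported", which is the distinction that lets a prometheus-style rock importing only consul/api be set aside.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Advisory is one CVE entry with the module and the packages inside it that
// the advisory names as affected. The package list here is the illustrative
// one quoted in the thread, not the authoritative scope of the CVE.
type Advisory struct {
	CVE      string
	Module   string
	Packages []string
}

// Verdict is the outcome of checking one build against one advisory.
type Verdict string

const (
	NotAffected Verdict = "not-affected" // module absent from the dependency graph
	ModuleOnly  Verdict = "module-only"  // module present, no affected package imported
	PackageHit  Verdict = "package-hit"  // at least one affected package is imported
)

// ParseDeps reads `go list -deps ./...` output: one import path per line.
func ParseDeps(output string) []string {
	var deps []string
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		if line := strings.TrimSpace(sc.Text()); line != "" {
			deps = append(deps, line)
		}
	}
	return deps
}

// Assess returns the verdict for one advisory plus the affected packages the
// build actually imports, in dependency-list order.
func Assess(adv Advisory, deps []string) (Verdict, []string) {
	affected := make(map[string]bool, len(adv.Packages))
	for _, p := range adv.Packages {
		affected[p] = true
	}
	modulePresent := false
	var hits []string
	for _, d := range deps {
		// Prefix match on the import path. This over-approximates module
		// membership (a subdirectory such as consul/api can be its own Go
		// module), which errs towards flagging and is acceptable for triage.
		if d == adv.Module || strings.HasPrefix(d, adv.Module+"/") {
			modulePresent = true
		}
		if affected[d] {
			hits = append(hits, d)
		}
	}
	switch {
	case len(hits) > 0:
		return PackageHit, hits
	case modulePresent:
		return ModuleOnly, nil
	default:
		return NotAffected, nil
	}
}

// consulAdvisory uses the CVE id and package paths quoted in the thread.
var consulAdvisory = Advisory{
	CVE:    "CVE-2021-36213",
	Module: "github.com/hashicorp/consul",
	Packages: []string{
		"github.com/hashicorp/consul/agent/xds",
		"github.com/hashicorp/consul/agent",
	},
}

// Constructed sample dependency lists (not real build output).
const prometheusLikeDeps = `fmt
net/http
github.com/hashicorp/consul/api
github.com/hashicorp/go-hclog
github.com/prometheus/client_golang/prometheus
`

const consulLikeDeps = `fmt
github.com/hashicorp/consul/agent
github.com/hashicorp/consul/agent/xds
github.com/hashicorp/consul/api
`

func main() {
	samples := []struct{ name, deps string }{
		{"prometheus-like rock", prometheusLikeDeps},
		{"consul-like rock", consulLikeDeps},
	}
	for _, s := range samples {
		verdict, hits := Assess(consulAdvisory, ParseDeps(s.deps))
		fmt.Printf("%s %s: %s %v\n", consulAdvisory.CVE, s.name, verdict, hits)
	}
}
```

Run against a real rock with `go list -deps ./... > deps.txt` inside the build tree and feed the file to ParseDeps; a "module-only" verdict is the case the thread describes for prometheus, where the module-level alert fires but no package named in the advisory is linked into the binary.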

