ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs

 

On Thursday, July 29 2021, Athos Ribeiro wrote:

> Finally, I did check that prometheus, telegraf, prometheus-alertmanager
> and cortex should be the candidates to be affected here. So far,
> prometheus and telegraf only use github.com/hashicorp/consul/api and
> should not be affected.

FWIW, I filed the following bug against telegraf:

  https://github.com/influxdata/telegraf/issues/9559

I also reported the CVE to the prometheus developers (they ask that
security issues be reported in private, so I don't have a bug number).

Athos will look into notifying the cortex and prometheus-alertmanager
developers tomorrow.

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

