ubuntu-docker-images team mailing list archive

Thread
Date

Re: CVEs potentially affecting upstream based ROCKs

To: Sergio Durigan Junior <sergio.durigan@xxxxxxxxxxxxx>
From: Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>
Date: Mon, 2 Aug 2021 08:45:48 -0300
Cc: Emilia Torino <emilia.torino@xxxxxxxxxxxxx>, ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
In-reply-to: <87v94s948c.fsf@canonical.com>

On Thu, Jul 29, 2021 at 05:53:23PM -0400, Sergio Durigan Junior wrote:

On Thursday, July 29 2021, Athos Ribeiro wrote:

Finally, I did check that prometheus, telegraph, prometheus-alertmanager
and cortex should be the candidates to be afected here. So far,
prometheus and telegraph only use github.com/hashicorp/consul/api and
should not be afected.


FWIW, I filed the following bug against telegraf:

 https://github.com/influxdata/telegraf/issues/9559

I also reported the CVE to the prometheus developers (they ask that
security issues be reported in private, so I don't have a bug number).

Athos will look into notifying the cortex and prometheus-alertmanager
developers tomorrow.


This is done.

I emailed the cortex team since they also ask that security related
topics should be discussed privately. For alertmanager, I just replied
in Sergio's thread about prometheus, given they use the same mailing
list for prometheus and alertmanager security issues.


Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14


--
Athos Ribeiro

References

CVEs potentially affecting upstream based ROCKs
From: security-team-toolbox-bot, 2021-07-27
Re: CVEs potentially affecting upstream based ROCKs
From: Sergio Durigan Junior, 2021-07-29
Re: CVEs potentially affecting upstream based ROCKs
From: Emilia Torino, 2021-07-29
Re: CVEs potentially affecting upstream based ROCKs
From: Athos Ribeiro, 2021-07-29
Re: CVEs potentially affecting upstream based ROCKs
From: Sergio Durigan Junior, 2021-07-29