ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs

On Thu, Jul 29, 2021 at 05:53:23PM -0400, Sergio Durigan Junior wrote:
> On Thursday, July 29 2021, Athos Ribeiro wrote:
>
>> Finally, I did check that prometheus, telegraf, prometheus-alertmanager
>> and cortex should be the candidates to be affected here. So far,
>> prometheus and telegraf only use github.com/hashicorp/consul/api and
>> should not be affected.
>
> FWIW, I filed the following bug against telegraf:
>
>  https://github.com/influxdata/telegraf/issues/9559
>
> I also reported the CVE to the prometheus developers (they ask that
> security issues be reported in private, so I don't have a bug number).
>
> Athos will look into notifying the cortex and prometheus-alertmanager
> developers tomorrow.

This is done.

I emailed the cortex team since they also ask that security-related
topics should be discussed privately. For alertmanager, I just replied
in Sergio's thread about prometheus, given they use the same mailing
list for prometheus and alertmanager security issues.

Thanks,

> --
> Sergio
> GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14

--
Athos Ribeiro