ubuntu-docker-images team mailing list archive

[Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>]

On Fri, Jul 30, 2021 at 12:05:54PM -0300, Emilia Torino wrote:
> Hey Athos,
>
> On 29/7/21 18:13, Athos Ribeiro wrote:
> > On Thu, Jul 29, 2021 at 11:57:30AM -0300, Emilia Torino wrote:
> > > Hey Sergio,
> > >
> > > On 29/7/21 11:45, Sergio Durigan Junior wrote:
> > > > On Tuesday, July 27 2021, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> > > >
> > > > > New CVEs affecting packages used to build upstream based rocks have
> > > > > been
> > > > > created in the Ubuntu CVE tracker:
> > > > >
> > > > > * https://github.com/prometheus/prometheus:
> > > > > * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
> > > > > * https://github.com/gogo/protobuf:
> > > > >
> > > > > Please review your rock to understand if it is affected by these CVEs.
> > > > >
> > > > > Thank you for your rock and for attending to this matter.
> > > > >
> > > > > References:
> > > > > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
> > > > > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213
> > > >
> > > > Hi Emi,
> > > >
> > > > I found the message above a bit confusing.  There are three components
> > > > listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
> > > > only one (hashicorp/consul) has CVEs listed for it.  Do the other two
> > > > components also have CVEs opened against them?
> > >
> > > You are correct, this msg is confusing. Only CVEs affecting consul have
> > > been created this time.
> >
> > Hi Emilia,
> >
> > Would it be possible for the Go related CVE alerts to be reported in a
> > package level instead of in a module level?
> >
> > e.g., CVE-2021-36213: github.com/hashicorp/consul/agent/xds,
> > github.com/hashicorp/consul/agent, ...
>
> The current implementation only monitors 3 git trees which were/are
> present in upstream based rocks. You can find further details about it
> here:
> https://docs.google.com/document/d/1HL_9FeXCWKLSGW3cG8UeyexJqSw17LAM6a1r9IHomYI/edit#.
> The current consul git tree was obtained from
> https://pastebin.canonical.com/p/GMhwVwh8bK/ (it is also mentioned in
> the shared doc).
>
> > This would make it easier to determine whether one of our ROCKs is
> > affected by the vulnerability and aid on taking decisions on
> > how to act on them.
>
> The sec team has an extensive history on triaging, monitoring, patching
> etc CVEs affecting Ubuntu packages, but not other "package" types.
> Actually we were already aware of the fact that this implementation is
> very basic, but as per spec we committed to only monitor a set of git
> trees, not everything in github, since we are still working on setting
> all processes and tools needed for such task. For sure we can work
> together on making this service most useful for your team. We can
> probably add this to the next cycle.
>
> > Moreover, am I correct if I suppose the tooling generating this alerts
> > know which ROCKs are possibly affected by the CVE? If sou, would it be
> > possible to also include that information here?
>
> We have 2 different services implemented:
>
> - one is the USNs notification service, which notifies about security
> updates affecting ubuntu-based rocks. We get each rock from docker hub,
> and compare the packages in their dpkg.query files against the USN
> database. You might have seen the emails describing the specific rock
> and packages affected. The list of rocks we are monitoring is: redis,
> nginx, apache2, memcached, mysql and postgres.

Could we add the new cassandra OCI to this list as well? Is there a
formal process I should follow to add new OCI images to the list?

> - the other service is the CVEs notification service, which should serve
> the purposes of notifying about upstream-based rocks: cortex and
> telegraf. Due to the reasons explained above, we did not commit to do
> the extensive vulnerabilities triage as we did for ubuntu based ones. So
> it is a best effort to notify about a CVE being created in our tracker,
> which could affect any of those. If it helps I can change the email
> subject from: "CVEs potentially affecting upstream based ROCKs" to "CVEs
> potentially affecting cortex and telegraf". That is a very simple change
> I can quickly add.

Thanks! Yes, it would be nice to have it either in the title or in the
body of the message.

> To confirm if the 3 git trees were present in both upstream based rocks
> we were considering, I locally got them (docker pull ubuntu/cortex &&
> docker image save etc, same for telegraf) and in both cases I see the
> upstream manifest empty. Is that correct?

I just noticed this one as well. I am on it right now. Thanks for
letting us know!

> > Finally, I did check that prometheus, telegraph, prometheus-alertmanager
> > and cortex should be the candidates to be afected here. So far,
> > prometheus and telegraph only use github.com/hashicorp/consul/api and
> > should not be afected.>
> > > Is there any reason why
> > > > they're being listed in the message?
>
> We also agree prometheus, prometheus-alertmanager and grafana were out
> of this initial services, as were based on snaps. Is that still correct?
>
> > > This is a bug in our service. Since these are the 3 upstream
> > > repositories we are monitoring, the template msg is incorrectly adding
> > > the 3 when in this case, it should only list consul. I will add this bug
> > > to our queue to fix it asap.
> > >
> > > > Thanks!
> > >
> > > Thank you!
> > >
> > > >
> > >
> > > -- 
> > > Mailing list: https://launchpad.net/~ubuntu-docker-images
> > > Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > > Unsubscribe : https://launchpad.net/~ubuntu-docker-images
> > > More help   : https://help.launchpad.net/ListHelp

--
Athos Ribeiro