
ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting cortex and telegraf


On Thu, Sep 09, 2021 at 05:00:47AM +0000, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
New CVEs affecting packages used to build upstream based rocks have been
created in the Ubuntu CVE tracker:

* https://github.com/hashicorp/consul: CVE-2021-37219, CVE-2021-38698
* https://github.com/prometheus/prometheus:
* https://github.com/gogo/protobuf:

Please review your rock to understand if it is affected by these CVEs.

Thank you for your rock and for attending to this matter.

Hi,

Regarding the CVEs, they both affect the consul server. However, both
cortex and telegraf use only the consul/api sub-module. Hence, they are
not affected by these CVEs.

It may be worth noting, however, that for the hirsute and focal images,
telegraf sources do contain the code affected by the CVEs. This is
because those versions of telegraf vendorize the whole top-level consul
module. This did change for the impish version, which only vendorizes
consul/api.

Finally, this is a no-op alert on the OCI side, unless we really want to
get rid of the unused affected source code from that telegraf package.

References:
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-37219
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-38698



--
Mailing list: https://launchpad.net/~ubuntu-docker-images
Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~ubuntu-docker-images
More help   : https://help.launchpad.net/ListHelp

--
Athos Ribeiro
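One way to make the check described in the reply above mechanical (does a rock's vendored tree pull in only consul/api, or packages from the whole consul module?) is to parse the Go toolchain's vendor/modules.txt. This is an added example, not code from the thread or from the cortex/telegraf rocks; the modules.txt contents and version strings below are constructed samples.

```python
"""Triage helper: list which packages of a vendored Go module a build
actually vendors, from the Go toolchain's vendor/modules.txt format."""

# Constructed samples mirroring the two layouts discussed in the thread:
# a tree vendoring the whole consul module vs. one vendoring only consul/api.
MODULES_TXT_FULL = """\
# github.com/hashicorp/consul v1.9.5
## explicit
github.com/hashicorp/consul/agent/structs
github.com/hashicorp/consul/api
# github.com/hashicorp/go-hclog v0.14.1
## explicit
github.com/hashicorp/go-hclog
"""

MODULES_TXT_API_ONLY = """\
# github.com/hashicorp/consul/api v1.8.1
## explicit
github.com/hashicorp/consul/api
"""


def parse_modules_txt(text):
    """Map module path -> (version, [vendored package import paths])."""
    modules = {}
    current = None
    for line in text.splitlines():
        if line.startswith("# "):        # "# module/path vX.Y.Z [=> replacement]"
            parts = line[2:].split()
            current = parts[0]
            modules[current] = (parts[1] if len(parts) > 1 else "", [])
        elif line.startswith("##") or not line.strip():
            continue                     # "## explicit" markers and blank lines
        elif current is not None:
            modules[current][1].append(line.strip())
    return modules


def packages_outside(modules, module_prefix, allowed_subpkgs):
    """Vendored packages under module_prefix that are NOT within the
    sub-packages the advisory treats as unaffected (e.g. ["api"])."""
    allowed = [f"{module_prefix}/{sub}" for sub in allowed_subpkgs]
    hits = []
    for mod, (_ver, pkgs) in modules.items():
        if mod == module_prefix or mod.startswith(module_prefix + "/"):
            for pkg in pkgs:
                if not any(pkg == a or pkg.startswith(a + "/") for a in allowed):
                    hits.append(pkg)
    return sorted(hits)
```

vendor/modules.txt only exists for module-aware vendoring; trees produced by pre-modules tools need the import graph inspected directly.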

