ubuntu-docker-images team mailing list archive
Message #00092
Re: CVEs potentially affecting cortex and telegraf
On Thursday, September 09 2021, Athos Ribeiro wrote:
> On Thu, Sep 09, 2021 at 05:00:47AM +0000, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
>>New CVEs affecting packages used to build upstream-based rocks have been
>>created in the Ubuntu CVE tracker:
>>
>>* https://github.com/hashicorp/consul: CVE-2021-37219, CVE-2021-38698
>>* https://github.com/prometheus/prometheus:
>>* https://github.com/gogo/protobuf:
>>
>>Please review your rock to understand if it is affected by these CVEs.
>>
>>Thank you for your rock and for attending to this matter.
>
> Hi,
>
> Regarding the CVEs, they both affect the consul server. However, both
> cortex and telegraf use only the consul/api sub-module. Hence, they are
> not affected by the CVE.
>
> It may be worth noting, however, that for the hirsute and focal images,
> telegraf sources do contain the code affected by the CVE. This is
> because those versions of telegraf vendorize the whole top-level consul
> module. This did change for the impish version, which only vendorizes
> consul/api.
>
> Finally, this is a no-op alert on the OCI side, unless we really want to
> get rid of the unused affected source code from that telegraf package.
Thanks for the investigation, Athos.
As we discussed in private, I don't think it's worth going through the
SRU process in order to fix this for Hirsute (when talking about
telegraf; cortex is a different case), given that the problem doesn't
exist in the generated binaries.
In summary: I agree this is a no-op.
Thanks,
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
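The distinction the thread rests on is between consul source that is merely present under vendor/ and consul packages that are actually compiled into the telegraf or cortex binary. The following shell functions are an added example for checking that distinction; they are not code from this thread, from telegraf, from cortex or from the Ubuntu security tooling. They assume a Go module where the build graph can be listed with `go list -deps -f '{{.ImportPath}}'` and the vendored packages with `grep '^github.com/hashicorp/consul' vendor/modules.txt`; the package lists in the usage comments and in any test data are constructed, not taken from a real telegraf tree.

```shell
#!/bin/sh
# Added example; not code from this thread, from telegraf or from cortex.
# Two checks for the situation the thread describes: a Go project vendors the
# whole github.com/hashicorp/consul module but only compiles consul/api.
# Both read plain text files of import paths, one per line, so they can be fed
# real data (hypothetical invocation, assumes a Go module with a vendor/ tree):
#   go list -deps -f '{{.ImportPath}}' ./cmd/telegraf > built.txt
#   grep '^github.com/hashicorp/consul' vendor/modules.txt > vendored.txt

# Print consul packages in the build graph that are outside consul/api.
# No output means only consul/api is linked into the binary, which is the
# thread's argument for the consul CVEs being a no-op for the built images.
consul_non_api_in_build() {
    grep -E '^github\.com/hashicorp/consul(/|$)' "$1" |
        grep -Ev '^github\.com/hashicorp/consul/api(/|$)' || true
}

# Print consul packages that are vendored but never compiled: the "unused
# affected source code" that still ships in the source package.
# Arguments: vendored-list-file built-list-file.
vendored_but_not_built() {
    # awk reads the built list (ARGV[1]) into a set, then prints every
    # vendored consul package that is not in that set. FILENAME is used
    # instead of NR==FNR so an empty built list is handled correctly.
    awk 'FILENAME == ARGV[1] { built[$0] = 1; next }
         /^github\.com\/hashicorp\/consul(\/|$)/ && !($0 in built) { print }' \
        "$2" "$1"
}

# Exit 0 if no consul code outside consul/api is compiled in, 1 otherwise;
# convenient as a gate in a rock build or CI job.
assert_only_consul_api() {
    [ -z "$(consul_non_api_in_build "$1")" ]
}
```

Note that `go version -m` on the finished binary is not a substitute for the package-level check: it reports the modules that contributed code, so a telegraf built from a vendored top-level consul module will list `github.com/hashicorp/consul` even when only its `api` packages were linked, which is exactly the false positive the thread is dismissing.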