ubuntu-docker-images team mailing list archive

Re: postgres contains outdated Ubuntu packages

 

Hey all,

Yesterday we fixed a bug in the review-tools which was preventing some
security notices from being reported. The service was not properly
considering the arch qualifier in a binary name (e.g. liblz4-1:amd64)
and thus it was failing to match USNs affecting such binaries:
https://code.launchpad.net/~emitorino/review-tools/+git/review-tools/+merge/408743.

As a result, last night when the service ran with this fix included, it
reported those missing USNs.

Apologies for the inconvenience!

On 17/9/21 02:05, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> A scan of this rock shows that it was built with packages from the Ubuntu
> archive that have since received security updates. The following lists new
> USNs for affected binary packages in each rock revision:
> 
> Revision r082ff27d676a (ppc64le; channels: 13-21.04_edge, latest, 13-21.04_beta, edge)
>  * libgcrypt20: 5080-1
> 
> Revision r79cdc9eddb46 (ppc64le; channels: 12-20.04_edge, 12-20.04_beta)
>  * libgcrypt20: 5080-1
>  * libgnutls30: 5029-1
> 
> Revision r9d65f96b9570 (arm64; channels: 13-21.04_edge, latest, 13-21.04_beta, edge)
>  * libgcrypt20: 5080-1
> 
> Revision rae568b27513e (s390x; channels: 13-21.04_edge, latest, 13-21.04_beta, edge)
>  * libgcrypt20: 5080-1
> 
> Revision rb29e1f0d396a (arm64; channels: 12-20.04_edge, 12-20.04_beta)
>  * libgcrypt20: 5080-1
>  * libgnutls30: 5029-1
> 
> Revision rcee197386dfe (amd64; channels: 13-21.04_edge, latest, 13-21.04_beta, edge)
>  * libgcrypt20: 5080-1
> 
> Revision rdeebbf9101e3 (amd64; channels: 12-20.04_edge, 12-20.04_beta)
>  * libgcrypt20: 5080-1
>  * libgnutls30: 5029-1
> 
> Revision re73f3f5acdba (s390x; channels: 12-20.04_edge, 12-20.04_beta)
>  * libgcrypt20: 5080-1
>  * libgnutls30: 5029-1
> 
> Simply rebuilding the rock will pull in the new security updates and
> resolve this. If your rock also contains vendored code, now might be a
> good time to review it for any needed updates.
> 
> Thank you for your rock and for attending to this matter.
> 
> References:
>  * https://ubuntu.com/security/notices/USN-5029-1/
>  * https://ubuntu.com/security/notices/USN-5080-1/
> 
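
Added example, not part of the original message and not review-tools code: a minimal sketch of how an exact-name lookup misses arch-qualified binaries such as liblz4-1:amd64, next to a lookup that strips the qualifier first. The manifest format, function names and versions are assumptions made for illustration, and version comparison against the fixed version is left out.

```python
# Added illustration; not review-tools code. Manifest lines and versions are constructed.

# Hypothetical index: binary package name -> USN ids (ids from the report above).
USN_INDEX = {"libgcrypt20": ["5080-1"], "libgnutls30": ["5029-1"]}

# Constructed manifest, "name[:arch]=version". Multi-arch packages carry a qualifier.
MANIFEST = [
    "libgcrypt20:amd64=1.0-constructed",
    "libgnutls30:amd64=1.0-constructed",
    "liblz4-1:amd64=1.0-constructed",
    "example-tool=1:2.0-constructed",   # epoch colon lives in the version, not the name
]


def parse_entry(line):
    """Split 'name[:arch]=version' into (name, arch or None, version)."""
    qualified, sep, version = line.partition("=")
    if not sep or not qualified or not version:
        raise ValueError(f"malformed manifest entry: {line!r}")
    # Split the arch qualifier only from the name part, so an epoch such as
    # '1:2.0' in the version is never mistaken for a qualifier.
    name, _, arch = qualified.partition(":")
    return name, (arch or None), version


def match_qualified(manifest, index=USN_INDEX):
    """Behaviour described in the message: look up the name exactly as listed."""
    hits = {}
    for line in manifest:
        key = line.partition("=")[0]          # still 'libgcrypt20:amd64'
        if key in index:
            hits[key] = index[key]
    return hits


def match_normalized(manifest, index=USN_INDEX):
    """Look up the bare binary name after dropping the arch qualifier."""
    hits = {}
    for line in manifest:
        name, _arch, _version = parse_entry(line)
        if name in index:
            hits[name] = index[name]
    return hits


if __name__ == "__main__":
    print("qualified lookup :", match_qualified(MANIFEST))
    print("normalized lookup:", match_normalized(MANIFEST))
```

A regression test for a scanner of this kind should include at least one qualified and one unqualified entry, so that a silent drop in reported notices shows up as a failing assertion.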

