ubuntu-docker-images team mailing list archive
Message #00124
Re: Fwd: CVEs potentially affecting cortex and telegraf
On Tue, Dec 14, 2021 at 09:18:27AM -0300, Emilia Torino wrote:
---------- Forwarded message ---------
From: <security-team-toolbox-bot@xxxxxxxxxxxxx>
Date: Tue, Dec 14, 2021 at 2:01 AM
Subject: CVEs potentially affecting cortex and telegraf
To: <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>, <sergio.durigan@xxxxxxxxxxxxx>, <emilia.torino@xxxxxxxxxxxxx>, <alex.murray@xxxxxxxxxxxxx>
New CVEs affecting packages used to build upstream based rocks have been
created in the Ubuntu CVE tracker:
* https://github.com/gogo/protobuf:
* https://github.com/hashicorp/consul: CVE-2021-41805
* https://github.com/prometheus/prometheus:
Please review your rock to understand if it is affected by these CVEs.
Thank you for your rock and for attending to this matter.
References:
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-41805
As per [1] and [2], CVE-2021-41805 only affects the Enterprise version
of Consul (not the open source one). Therefore, our cortex and telegraf
OCIs are not affected by this vulnerability.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41805
[2] https://github.com/hashicorp/consul/blob/1052f4bb1af21185afdc6624895ccb03ca019b59/CHANGELOG.md#1110-december-14-2021
--
Athos Ribeiro