
ubuntu-docker-images team mailing list archive

Re: USNs still not fixed for ROCKs


On Thu, Dec 16, 2021 at 12:46:50PM -0300, Emilia Torino wrote:
> Hey!

Hi Emilia,


> I was double checking the ROCKs USN notification service due to the
> critical log4j vulnerability announced yesterday (for which I see no rock was
> affected), but I noticed that there are some rocks that have not been fixed
> yet for some older vulnerabilities, which are mysql and nginx:

> {
>  "mysql": {
>    "a5455538074c": [
>      "5022-1",
>      "5123-1"
>    ]
>  },
>  "nginx": {
>    "206059394bea": [
>      "5156-1"
>    ],
>    "4d10f2f33c30": [
>      "5156-1"
>    ],
>    "62d6e123fe9c": [
>      "5156-1"
>    ],
>    "6703a4156f95": [
>      "5156-1"
>    ],
>    "7d650f7d4e49": [
>      "5156-1"
>    ],
>    "c788f838de31": [
>      "5156-1"
>    ],
>    "ee23afc91fac": [
>      "5156-1"
>    ],
>    "fcf9050fd361": [
>      "5156-1"
>    ]
>  }
> }

> I will forward again the email communications that were sent, just in case
> they were missed due to this email issue we are still having. Could you
> please make sure those issues are addressed?

Are the images being verified up-to-date? While the nginx images are
indeed affected by "USN-5156-1", the mysql ones are not affected by the
mentioned USNs.

For mysql, we have 3 images tagged in ECR and dockerhub:

ae83488ccc49 (focal)
b62a30320517 (hirsute)
20f6fcbbc895 (impish)

For them, we have the following versions of mysql:

$ podman run --rm -it ae83488ccc49 dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n' | grep mysql-server
Binary package mysql-server-core-8.0 from mysql-8.0 version 8.0.27-0ubuntu0.20.04.1

$ podman run --rm -it b62a30320517 dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n' | grep mysql-server
Binary package mysql-server-core-8.0 from mysql-8.0 version 8.0.27-0ubuntu0.21.04.1

$ podman run --rm -it 20f6fcbbc895 dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n' | grep mysql-server
Binary package mysql-server-core-8.0 from mysql-8.0 version 8.0.27-0ubuntu0.21.10.1

which seems to satisfy USNs "5022-1" and "5123-1"

For nginx, we also have 3 different images tagged in ECR and dockerhub:

011f0c8b3d6f (focal)
0e8c842c2577 (hirsute)
ac0521ce4f2b (impish)

For them, we have:

$ podman run --rm -it 011f0c8b3d6f dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n' | grep icu
Binary package libicu66 from icu version 66.1-2ubuntu2

$ podman run --rm -it 0e8c842c2577 dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n' | grep icu
Binary package libicu67 from icu version 67.1-6ubuntu2

$ podman run --rm -it ac0521ce4f2b dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n' | grep icu
Binary package libicu67 from icu version 67.1-7ubuntu1

hence, the first 2 are indeed affected.

I also verified that the last nginx builds were triggered on
2021-10-26, which happened before the USN was disclosed. I just
requested builds for all the 3 images above and will tag them as soon as
they get published.


Thanks!!!

--
Athos Ribeiro
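The verification Athos does by hand above (run dpkg-query inside each image, then compare the installed version against the version a USN fixes) is the kind of check that should be scripted so that every tagged image is audited the same way. The following is an added example for this thread, not code from the ubuntu-docker-images project or from either author. It parses the exact dpkg-query output format used in the thread, implements Debian's version-ordering rules (epoch, upstream, revision, with `~` sorting before everything and letters before non-letters) so that comparisons such as `66.1-2ubuntu2` versus `66.1-2ubuntu2.1` come out the way dpkg would order them, and reports each package as fixed or affected. The installed versions are the ones quoted in the thread; the per-suite minimum fixed versions are constructed placeholders chosen only to reproduce the thread's conclusion (focal and hirsute nginx affected, impish nginx and mysql fixed) and are not the real fixed versions from USN-5156-1, USN-5022-1 or USN-5123-1.

```python
"""Audit dpkg-query output from container images against minimum fixed versions.

Added example for this thread; not code from the ubuntu-docker-images project.
The dpkg-query line format is the one used in the thread. FIXED_VERSIONS holds
constructed PLACEHOLDER thresholds, not the real USN fixed versions.
"""
import re
from dataclasses import dataclass

# Matches the format string used in the thread:
#   dpkg-query --show -f 'Binary package ${Package} from ${Source} version ${Version}\n'
DPKG_LINE = re.compile(r"^Binary package (\S+) from (\S+) version (\S+)$")

# Splits a version fragment into a leading non-digit run, a digit run, and the rest.
_RUN = re.compile(r"(\D*)(\d*)(.*)", re.DOTALL)


@dataclass(frozen=True)
class Package:
    name: str      # binary package, e.g. libicu66
    source: str    # source package, e.g. icu
    version: str   # Debian version string, e.g. 66.1-2ubuntu2


def parse_dpkg_query(output: str) -> list[Package]:
    """Parse 'Binary package X from Y version Z' lines; ignore anything else."""
    packages = []
    for line in output.splitlines():
        m = DPKG_LINE.match(line.strip())
        if m:
            packages.append(Package(*m.groups()))
    return packages


def _order(c: str) -> int:
    """Character weight as dpkg defines it: '~' sorts before everything (even the
    end of the string, which has weight 0); letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision part by alternating non-digit and digit runs."""
    while a or b:
        na, da, a = _RUN.match(a).groups()
        nb, db, b = _RUN.match(b).groups()
        # Non-digit runs: character by character, missing characters weigh 0.
        for k in range(max(len(na), len(nb))):
            wa = _order(na[k]) if k < len(na) else 0
            wb = _order(nb[k]) if k < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        # Digit runs: compared numerically, a missing run counts as 0.
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; absent epoch is 0, absent revision is ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def audit_image(output: str, fixed_versions: dict[str, str]) -> dict[str, str]:
    """Map each installed binary package whose source has a known minimum fixed
    version to 'fixed' (installed >= minimum) or 'affected'."""
    result = {}
    for pkg in parse_dpkg_query(output):
        minimum = fixed_versions.get(pkg.source)
        if minimum is not None:
            ok = compare_versions(pkg.version, minimum) >= 0
            result[pkg.name] = "fixed" if ok else "affected"
    return result


# Installed versions as quoted in the thread, keyed by image digest, with the suite.
SAMPLE_OUTPUTS = {
    "mysql ae83488ccc49": ("focal", "Binary package mysql-server-core-8.0 from mysql-8.0 version 8.0.27-0ubuntu0.20.04.1"),
    "nginx 011f0c8b3d6f": ("focal", "Binary package libicu66 from icu version 66.1-2ubuntu2"),
    "nginx 0e8c842c2577": ("hirsute", "Binary package libicu67 from icu version 67.1-6ubuntu2"),
    "nginx ac0521ce4f2b": ("impish", "Binary package libicu67 from icu version 67.1-7ubuntu1"),
}

# PLACEHOLDER minimum fixed versions per suite (constructed for this example).
FIXED_VERSIONS = {
    "focal": {"icu": "66.1-2ubuntu2.1", "mysql-8.0": "8.0.27-0ubuntu0.20.04.1"},
    "hirsute": {"icu": "67.1-6ubuntu2.1"},
    "impish": {"icu": "67.1-7ubuntu1"},
}


def audit_all() -> dict[str, dict[str, str]]:
    """Audit every sample image against its suite's thresholds."""
    return {label: audit_image(out, FIXED_VERSIONS[suite])
            for label, (suite, out) in SAMPLE_OUTPUTS.items()}


if __name__ == "__main__":
    for label, status in audit_all().items():
        print(label, status)
```

In practice the output fed to `audit_image` would come from `podman run --rm <image> dpkg-query --show -f '...'` as in the thread, and the thresholds from the USN data for each suite; keying thresholds by suite matters because the same USN fixes a different version in focal, hirsute and impish.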

