
ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting cortex and telegraf

 

On Tue, Feb 08, 2022 at 05:01:39AM +0000, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
New CVEs affecting packages used to build upstream based rocks have been
created in the Ubuntu CVE tracker:

* https://github.com/gogo/protobuf:
* https://github.com/hashicorp/consul:
* https://github.com/prometheus/prometheus: CVE-2021-29622

This CVE affects prometheus 2.23.0 up until 2.26.1.

The affected endpoint was removed in prometheus 2.28.

Currently, our tagged images include

- 2.20-20.04,
- 2.32-20.04,
- 2.25-21.04, and
- 2.28-21.10.

Therefore, only 2.25-21.04 is affected. However, images under this tag
are no longer supported (this is a hirsute-based OCI) and do not receive
updates. None of the other images need further action from our end.


Please review your rock to understand if it is affected by these CVEs.

Thank you for your rock and for attending to this matter.

References:
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-29622



--
Mailing list: https://launchpad.net/~ubuntu-docker-images
Post to     : ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~ubuntu-docker-images
More help   : https://help.launchpad.net/ListHelp

--
Athos Ribeiro
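
The tag triage carried out in the reply above, as an added example that is not part of the original message or of any Ubuntu tooling. The function names and status labels are hypothetical, and the `<major.minor>-<series>` tag format is inferred from the tags listed; since a tag carries no patch level, the whole minor series is compared against the affected range.

```python
"""Triage image tags of the form <major.minor>-<ubuntu series> against a CVE range."""

# Values taken from the message above.
AFFECTED_FROM = (2, 23, 0)    # first affected prometheus release
AFFECTED_UNTIL = (2, 26, 1)   # last release named in the affected range
TAGS = ["2.20-20.04", "2.32-20.04", "2.25-21.04", "2.28-21.10"]
UNSUPPORTED_SERIES = {"21.04"}  # hirsute, no longer updated per the message


def parse_tag(tag):
    """Split '2.25-21.04' into ((2, 25), '21.04'); raise ValueError if malformed."""
    version, sep, series = tag.partition("-")
    parts = version.split(".")
    if not sep or not series or len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected tag format: {tag!r}")
    return (int(parts[0]), int(parts[1])), series


def minor_overlaps(minor, low=AFFECTED_FROM, high=AFFECTED_UNTIL):
    """True if any patch release of this minor series can fall in [low, high].

    The tag does not pin a patch level, so only major.minor is compared,
    which errs toward flagging a tag rather than clearing it.
    """
    return low[:2] <= minor <= high[:2]


def triage(tags, unsupported=UNSUPPORTED_SERIES):
    """Return {tag: status}; status is 'ok', 'affected' or 'affected-unsupported'."""
    result = {}
    for tag in tags:
        minor, series = parse_tag(tag)
        if not minor_overlaps(minor):
            result[tag] = "ok"
        elif series in unsupported:
            result[tag] = "affected-unsupported"
        else:
            result[tag] = "affected"
    return result


if __name__ == "__main__":
    for tag, status in triage(TAGS).items():
        print(f"{tag:12} {status}")
```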

