
ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting cortex and telegraf

 

On Thu, Apr 21, 2022 at 05:01:49AM +0000, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
New CVEs affecting packages used to build upstream based rocks have been
created in the Ubuntu CVE tracker:

* https://github.com/gogo/protobuf:
* https://github.com/hashicorp/consul: CVE-2022-29153
* https://github.com/prometheus/prometheus:

Please review your rock to understand if it is affected by these CVEs.

Thank you for your rock and for attending to this matter.

References:
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-29153


The new telegraf 22.04 ROCK does not ship the affected version of
consul.

While the cortex ROCK does use a consul version that is affected by this
CVE, it only ships the consul/api client package, which is not affected
by the CVE.

No actions should be needed from our end here.

--
Athos Ribeiro
