ubuntu-docker-images team mailing list archive
Message #00325
Re: CVEs potentially affecting cortex and telegraf
On Sat, Sep 24, 2022 at 05:02:11AM +0000, security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> Hi Emilia,
>
> New CVEs affecting packages used to build upstream based rocks have been
> created in the Ubuntu CVE tracker:
>
> * https://github.com/gogo/protobuf:
> * https://github.com/hashicorp/consul: CVE-2021-41803, CVE-2022-40716
> * https://github.com/prometheus/prometheus:
>
> Please review your rock to understand if it is affected by these CVEs.
>
> Thank you for your rock and for attending to this matter.
>
> References:
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-41803
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-40716

I am writing to let you know that Simon (telegraf) and Dylan
(cortex) did not receive this email.

I also Cc'd Paulo since this may be related (?) to the fact he is not
receiving the kafka snap security related emails, as we discussed in the
snapcraft channel a few days ago.

Is there any action needed on our end?

Simon, Dylan,

in the meantime, would you like to address the notice above to verify
if the CVEs do affect the current versions of telegraf and cortex? If
positive, then rebuilding the images will be required (after the issue
is addressed somehow).

regards,

--
Athos Ribeiro