ubuntu-docker-images team mailing list archive

[Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>]

On Tue, Sep 27, 2022 at 05:55:42PM -0300, Emilia Torino wrote:
> Hi Athos:
>
> On 27/9/22 13:49, Athos Ribeiro wrote:
> > On Sat, Sep 24, 2022 at 05:02:11AM +0000, 
> > security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> >
> > Hi Emilia,
> >
> > > New CVEs affecting packages used to build upstream based rocks have been
> > > created in the Ubuntu CVE tracker:
> > >
> > > * https://github.com/gogo/protobuf:
> > > * https://github.com/hashicorp/consul: CVE-2021-41803, CVE-2022-40716
> > > * https://github.com/prometheus/prometheus:
> > >
> > > Please review your rock to understand if it is affected by these CVEs.
> > >
> > > Thank you for your rock and for attending to this matter.
> > >
> > > References:
> > > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-41803
> > > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-40716
> >
> > I am writing you to let you know that Simon (telegraf), and Dylan
> > (cortex) did not receive this email.
>
> This is a different issue since this is a different service: it does 
> not inspect published USNs for every staged package in a given 
> published snap, but notifies about newly created CVEs in our $UCT for 
> a very small subset of supported upstream packages we agreed some time 
> ago. When we configured the later one, we added Sergio and the 
> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx dist list as recipients. If 
> this list needs to be updated, please let me know since this is a 
> manual configuration I need to do in our server.

Oh, right! I suppose Dylan and Simon did get this mail then. Could you
(Dylan and Simon) confirm?

> > I also Cc'd Paulo since this may be related (?) to the fact he is not
> > receiving the kafka snap security related emails, as we discussed in the
> > snapcraft channel a few days ago.
> >
> > Is there any action needed on our end?
>
> I have once again downloaded the latest store db dump and Paulo is not 
> yet in the list of collaborators available:
>
> [{'name': 'Sergio Durigan Junior', 'email': 
> 'sergio.durigan@xxxxxxxxxxxxx'}, {'name': 'Casey Marshall', 'email': 
> 'casey.marshall@xxxxxxxxxxxxx'}, {'name': 'Khanh Nguyen', 'email': 
> 'khanhtnguyen300@xxxxxxxxx'}]
>
> The snaps USNs notification service consumes this information so there 
> is nothing I can do on our side. There seems to be an issue on the 
> store db dump creation and we need to follow-up with roadmr. I can 
> ping him again in the store channel.

Thanks for doing that!

> > Simon, Dylam,

Sorry for the typo :)

> > in the meanwhile, would you like to address the notice above to verify
> > if the CVEs do affect the current versions of telegraf and cortex? If
> > positive, then rebuilding the images will be required (after the issue
> > is addressed somehow).
>
> When we agreed on this service, we did not commit to triage the CVEs 
> against the packages in the ROCKs. We should work on this at some 
> point (this was identified as a feature along with other ROCKs needs, 
> which I documented last year https://docs.google.com/document/d/1kV4SQqKG-5zkSYdlNIhIHXMmDcjfXoIlX-8KSi3xBCg/edit), 
> but this needs to be added in a future cycle since now we are very 
> busy with other commitments. I am adding AlexB to the loop so we can 
> discuss when this can be added to our roadmap (maybe we can meet and 
> reset the expectations in Prague?).

That would be nice! Maybe we could involve the ROCKs team, who would be
the main stakeholder at this point!

> > regards,

--
Athos Ribeiro