ubuntu-docker-images team mailing list archive
Message #00327
Re: CVEs potentially affecting cortex and telegraf
Hi Athos:

On 27/9/22 13:49, Athos Ribeiro wrote:
> On Sat, Sep 24, 2022 at 05:02:11AM +0000,
> security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
>> Hi Emilia,
>>
>> New CVEs affecting packages used to build upstream based rocks have been
>> created in the Ubuntu CVE tracker:
>>
>> * https://github.com/gogo/protobuf:
>> * https://github.com/hashicorp/consul: CVE-2021-41803, CVE-2022-40716
>> * https://github.com/prometheus/prometheus:
>>
>> Please review your rock to understand if it is affected by these CVEs.
>>
>> Thank you for your rock and for attending to this matter.
>>
>> References:
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-41803
>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-40716
>
> I am writing you to let you know that Simon (telegraf) and Dylan
> (cortex) did not receive this email.

This is a different issue since this is a different service: it does not
inspect published USNs for every staged package in a given published
snap, but notifies about newly created CVEs in our $UCT for a very small
subset of supported upstream packages we agreed on some time ago. When we
configured the latter one, we added Sergio and the
ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx dist list as recipients. If
this list needs to be updated, please let me know, since this is a manual
configuration I need to do on our server.

> I also Cc'd Paulo since this may be related (?) to the fact that he is not
> receiving the kafka snap security related emails, as we discussed in the
> snapcraft channel a few days ago.
>
> Is there any action needed on our end?

I have once again downloaded the latest store db dump and Paulo is not
yet in the list of collaborators available:

[{'name': 'Sergio Durigan Junior', 'email': 'sergio.durigan@xxxxxxxxxxxxx'},
 {'name': 'Casey Marshall', 'email': 'casey.marshall@xxxxxxxxxxxxx'},
 {'name': 'Khanh Nguyen', 'email': 'khanhtnguyen300@xxxxxxxxx'}]

The snaps USNs notification service consumes this information, so there
is nothing I can do on our side. There seems to be an issue in the store
db dump creation and we need to follow up with roadmr. I can ping him
again in the store channel.

> Simon, Dylan,
>
> in the meanwhile, would you like to address the notice above to verify
> whether the CVEs do affect the current versions of telegraf and cortex? If
> positive, then rebuilding the images will be required (after the issue
> is addressed somehow).

When we agreed on this service, we did not commit to triaging the CVEs
against the packages in the ROCKs. We should work on this at some point
(this was identified as a feature along with other ROCKs needs, which I
documented last year:
https://docs.google.com/document/d/1kV4SQqKG-5zkSYdlNIhIHXMmDcjfXoIlX-8KSi3xBCg/edit),
but this needs to be added in a future cycle since now we are very busy
with other commitments. I am adding AlexB to the loop so we can discuss
when this can be added to our roadmap (maybe we can meet and reset the
expectations in Prague?).

regards,
Attachment: OpenPGP_signature (OpenPGP digital signature)