ubuntu-docker-images team mailing list archive
Message #00328
Re: CVEs potentially affecting cortex and telegraf
On 27/9/22 19:26, Athos Ribeiro wrote:
On Tue, Sep 27, 2022 at 05:55:42PM -0300, Emilia Torino wrote:
Hi Athos:
On 27/9/22 13:49, Athos Ribeiro wrote:
On Sat, Sep 24, 2022 at 05:02:11AM +0000,
security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
Hi Emilia,
New CVEs affecting packages used to build upstream-based rocks have been created in the Ubuntu CVE tracker:
* https://github.com/gogo/protobuf:
* https://github.com/hashicorp/consul: CVE-2021-41803, CVE-2022-40716
* https://github.com/prometheus/prometheus:
Please review your rock to understand if it is affected by these CVEs.
Thank you for your rock and for attending to this matter.
References:
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-41803
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-40716
I am writing to let you know that Simon (telegraf) and Dylan (cortex) did not receive this email.
This is a different issue since this is a different service: it does not inspect published USNs for every staged package in a given published snap, but notifies about newly created CVEs in our $UCT for a very small subset of supported upstream packages we agreed on some time ago. When we configured the latter one, we added Sergio and the ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx dist list as recipients. If this list needs to be updated, please let me know, since this is a manual configuration I need to do on our server.
Oh, right! I suppose Dylan and Simon did get this mail then. Could you
(Dylan and Simon) confirm?
I also Cc'd Paulo since this may be related (?) to the fact he is not
receiving the kafka snap security related emails, as we discussed in the
snapcraft channel a few days ago.
Is there any action needed on our end?
I have once again downloaded the latest store db dump and Paulo is not
yet in the list of collaborators available:
[{'name': 'Sergio Durigan Junior', 'email':
'sergio.durigan@xxxxxxxxxxxxx'}, {'name': 'Casey Marshall', 'email':
'casey.marshall@xxxxxxxxxxxxx'}, {'name': 'Khanh Nguyen', 'email':
'khanhtnguyen300@xxxxxxxxx'}]
The snaps USNs notification service consumes this information, so there is nothing I can do on our side. There seems to be an issue in the store db dump creation and we need to follow up with roadmr. I can ping him again in the store channel.
Thanks for doing that!
I am not sure if you saw but Daniel said "now that you mention it -
there've been some recent changes on how collaborators are handled,
which may have something to do with it. I'll create a Jira ticket to
look at this with some urgency as we don't want that to be broken."
Hopefully this is fixed soon.
Simon, Dylam,
Sorry for the typo :)
in the meantime, would you like to address the notice above to verify whether the CVEs do affect the current versions of telegraf and cortex? If so, rebuilding the images will be required (after the issue is addressed somehow).
When we agreed on this service, we did not commit to triage the CVEs
against the packages in the ROCKs. We should work on this at some
point (this was identified as a feature along with other ROCKs needs,
which I documented last year
https://docs.google.com/document/d/1kV4SQqKG-5zkSYdlNIhIHXMmDcjfXoIlX-8KSi3xBCg/edit),
but this needs to be added in a future cycle since now we are very
busy with other commitments. I am adding AlexB to the loop so we can
discuss when this can be added to our roadmap (maybe we can meet and
reset the expectations in Prague?).
That would be nice! Maybe we could involve the ROCKs team, who would be
the main stakeholder at this point!
Sure, I will coordinate with AlexB and let you know.
regards,
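The notification asks the rock owners to "review your rock to understand if it is affected", and the thread ends by noting that nobody has yet committed to triaging CVEs against the packages actually built into the ROCKs. The following Go program is an added example (not code from this thread, from the security team's notification service, or from telegraf/cortex) of the first mechanical step of that triage: read the module list that `go version -m <binary>` prints for a Go binary, match it against a small advisory table keyed by the module paths the tracker names, and report which compiled modules are at an affected version. The `go version -m` output is constructed inline, the fixed version `v1.13.2` in the advisory table is an assumption standing in for whatever the linked tracker entries state, and the `github.com/example/consul-sdk-fork` replacement module is invented to exercise the replace-directive path.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory: a CVE, the module path the tracker names, and the first fixed version ("" = no fix yet).
type Advisory struct{ CVE, Module, Fixed string }

// The fixed version is ASSUMED for this demo; take the real one from the tracker entries.
var assumedAdvisories = []Advisory{
	{"CVE-2021-41803", "github.com/hashicorp/consul", "v1.13.2"},
	{"CVE-2022-40716", "github.com/hashicorp/consul", "v1.13.2"},
}

// Constructed `go version -m telegraf` output; versions, sums and the fork are invented for the example.
const constructedGoVersionM = `telegraf: go1.19
	dep	github.com/gogo/protobuf	v1.3.2	h1:constructed
	dep	github.com/hashicorp/consul/api	v1.12.0	h1:constructed
	dep	github.com/hashicorp/consul/sdk	v0.10.0	h1:constructed
	=>	github.com/example/consul-sdk-fork	v0.10.1	h1:constructed
`

// Dep is one module compiled into the binary; Replacement is the module a replace directive swapped in.
type Dep struct{ Path, Version, Replacement string }

// parseGoVersionM reads the tab-separated "mod"/"dep" lines; a following "=>" line is what was actually built.
func parseGoVersionM(out string) []Dep {
	var deps []Dep
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		switch f[0] {
		case "mod", "dep":
			deps = append(deps, Dep{Path: f[1], Version: f[2]})
		case "=>":
			if n := len(deps); n > 0 {
				deps[n-1].Version, deps[n-1].Replacement = f[2], f[1]
			}
		}
	}
	return deps
}

// parseSemver splits "vX.Y.Z[-pre][+incompatible]"; a pseudo-version v1.3.2-0.2022... is a pre-release of v1.3.2.
func parseSemver(v string) (nums [3]int, pre string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	n, err := fmt.Sscanf(v, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, pre, err == nil && n == 3
}

// compareVersions returns -1, 0 or 1; a release outranks any pre-release with the same numbers.
func compareVersions(a, b string) int {
	an, ap, _ := parseSemver(a)
	bn, bp, _ := parseSemver(b)
	for i := range an {
		if an[i] < bn[i] {
			return -1
		} else if an[i] > bn[i] {
			return 1
		}
	}
	if ap == bp {
		return 0
	}
	if ap == "" || (bp != "" && ap > bp) {
		return 1
	}
	return -1
}

type Finding struct{ CVE, Module, Version, Status string }

// checkDeps matches modules to advisories by path prefix (tracker names the repo, binary names sub-modules).
func checkDeps(deps []Dep, advisories []Advisory) []Finding {
	var out []Finding
	for _, d := range deps {
		for _, a := range advisories {
			if d.Path != a.Module && !strings.HasPrefix(d.Path, a.Module+"/") {
				continue
			}
			_, _, ok := parseSemver(d.Version)
			if !ok || (d.Replacement != "" && d.Replacement != d.Path) {
				out = append(out, Finding{a.CVE, d.Path, d.Version, "unknown: review manually"})
			} else if a.Fixed == "" || compareVersions(d.Version, a.Fixed) < 0 {
				out = append(out, Finding{a.CVE, d.Path, d.Version, "affected"})
			}
		}
	}
	return out
}

func main() {
	fmt.Println(checkDeps(parseGoVersionM(constructedGoVersionM), assumedAdvisories))
}
```

Two caveats matter when reading the output. A prefix match (here `github.com/hashicorp/consul/api` against the tracker's `github.com/hashicorp/consul`) only says the binary contains code from that repository at a version older than the assumed fix; whether the vulnerable code path is compiled into the rock at all is the manual triage the thread says is still unowned. And versions must be compared as semver, not as strings, or `v1.13.10` sorts below `v1.13.2` and a pseudo-version built from a pre-fix commit looks equal to the fixed tag.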