ubuntu-docker-images team mailing list archive

Re: CVEs potentially affecting upstream based ROCKs

Hi Athos,


On Tue, Dec 5, 2023 at 8:56 AM Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>
wrote:

> On Tue, Dec 05, 2023 at 05:06:24AM +0000,
> security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> >New CVEs affecting packages used to build upstream based rocks have been
> >created in the Ubuntu CVE tracker:
> >
> >* https://github.com/hashicorp/consul: CVE-2023-5332
> >
> >Please review your rock to understand if it is affected by these CVEs.
> >
> >Thank you for your rock and for attending to this matter.
> >
> >References:
> >https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-5332
>
> Hi Emilia,
>
> I suppose these warnings used to have the potentially affected image
> names in the title IIRC. Is this right?


Yes, you are correct. But at some point we changed it, since the list of
upstream based rocks was growing (and remember we are not really inspecting
them as we do for deb based ones).


> If so, could we have that
> feature back? If not, would it be possible to add that?
>

Honestly, it won't be that easy/quick. This whole service should be improved
when the fetch service is ready. So we can either wait for it or plan to
improve what we have today sooner... @Alex Murray
<alex.murray@xxxxxxxxxxxxx> thoughts?


>
> --
> Athos Ribeiro
>