ubuntu-docker-images team mailing list archive

Thread
Date

Re: CVEs potentially affecting upstream based ROCKs

To: Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>
From: Emilia Torino <emilia.torino@xxxxxxxxxxxxx>
Date: Tue, 5 Dec 2023 11:23:02 -0300
Cc: alex.murray@xxxxxxxxxxxxx, david.lane@xxxxxxxxxxxxx, paulo.smorigo@xxxxxxxxxxxxx, simon.aronsson@xxxxxxxxxxxxx, ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx, dylan.stephano-shachter@xxxxxxxxxxxxx
In-reply-to: <ZW8P59iMbpIzzHxJ@castor>

Hi Athos,

On Tue, Dec 5, 2023 at 8:56 AM Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>
wrote:

> On Tue, Dec 05, 2023 at 05:06:24AM +0000,
> security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
> >New CVEs affecting packages used to build upstream based rocks have been
> >created in the Ubuntu CVE tracker:
> >
> >* https://github.com/hashicorp/consul: CVE-2023-5332
> >
> >Please review your rock to understand if it is affected by these CVEs.
> >
> >Thank you for your rock and for attending to this matter.
> >
> >References:
> >https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-5332
>
> Hi Emilia,
>
> I suppose these warnings used to have the potentially affected image
> names in the title IIRC. Is this right?

Yes you are correct. But at some point we changed it since the list of
upstream based rocks was growing (and remember we are not really inspecting
them as we do for deb based ones).

> If so, could we have that
> feature back? If not, would it be possible to add that?
>

Honestly it won't be that easy/quick. This whole service should be improved
when the fetch service is ready. So we can either wait for it or plan to
improve what we have today sooner... @Alex Murray
<alex.murray@xxxxxxxxxxxxx> thoughts?

>
> --
> Athos Ribeiro
>

Follow ups

Re: CVEs potentially affecting upstream based ROCKs
From: Alex Murray, 2023-12-05

References

CVEs potentially affecting upstream based ROCKs
From: security-team-toolbox-bot, 2023-12-05
Re: CVEs potentially affecting upstream based ROCKs
From: Athos Ribeiro, 2023-12-05