observability team mailing list archive - Message #00026
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
Thanks.
> But in the meantime, have you seen this spec by the Charmed Kubeflow
> team?
>
> https://docs.google.com/document/d/1U4eH0P-HeFOuKzAv8aEeZAwfjlGZ8SAsahpNZHgXk-k/edit
> Someone in our team is helping them with security related items and he
> shared that doc with me. Seems they built a process and CI to scan and
> manage CVEs for their ROCK images.
I wasn't aware of it. Thanks. At first glance, it seems to be a subset of
what we offer in the OCI Factory as well:
https://github.com/canonical/oci-factory and
https://docs.google.com/document/d/1mZEFau32d2rGpqJNCd65g1jAio2pKl8z4ciDjtejKCg/edit#heading=h.seub7ztu6ont
The reason why we prefer to have the security team involved in the loop
instead of just trusting Trivy is because:
1. there's more room/potential for tailoring the scans and supporting
non-standard image artefacts (like snaps)
2. you report on USNs, which is different from reporting on a finding. The
latter raises an "action for mitigation" on the maintainer side, while the
former raises a "need to rebuild" on the OCI Factory side
3. it is more aligned with the SD story
On Tue, Aug 22, 2023 at 8:58 PM Emilia Torino <emilia.torino@xxxxxxxxxxxxx>
wrote:
>
>
> > On 18/8/23 04:03, Cristovao Cordeiro wrote:
> > > Thank you for the information @David Lane.
> > >
> > > I think this is a good summary that could be registered somewhere (like
> > > a doc) so that our image maintainers can read it before making requests
> > > for new images. Up to now, I've been using
> > > https://docs.google.com/document/d/1kV4SQqKG-5zkSYdlNIhIHXMmDcjfXoIlX-8KSi3xBCg/edit#heading=h.z1vggsp50vj8
> > > as a reference. I think @Emilia Torino has access to this doc, so maybe
> > > it could be updated with that great summary?
>
> That doc was created once as a summary for a manager, and does not even
> have the Canonical spec format, so I would say we should have a better
> deliverable. I will discuss this with David and let you know.
>
>
> >
> > Btw, are you planning on starting to publish said notifications via the
> > Event Bus? That would be a nice step towards automating image rebuilds...
>
> I will leave this to David but this is not in our plans at all afaik.
> It's my understanding that the super distro story should take care of
> this instead.
>
> But in the meantime, have you seen this spec by the Charmed Kubeflow
> team?
>
> https://docs.google.com/document/d/1U4eH0P-HeFOuKzAv8aEeZAwfjlGZ8SAsahpNZHgXk-k/edit.
>
> Someone in our team is helping them with security related items and he
> shared that doc with me. Seems they built a process and CI to scan and
> manage CVEs for their ROCK images.
>
>
> >
> > > On Fri, Aug 18, 2023 at 2:52 AM David Lane <david.lane@xxxxxxxxxxxxx> wrote:
> > >
> > > Hi Cristovao, Luca and co,
> > >
> > > I thought it might be useful if I provide just a brief high-level
> > > overview of how our ROCK notification service works so you can
> > > understand the limitations we have, particularly around ROCKS built
> > > from upstream repos rather than debs.
> > >
> > > * All of the ROCKS notification services are based on USNs we
> > >   publish or CVEs in the Ubuntu CVE Tracker (UCT).
> > >   - Important: USNs and UCT are focused purely on deb packages
> > >     in the Ubuntu archives. Therefore if it's not a deb, we have
> > >     no information about it.
> > > * Some ROCKS are built with a manifest specifying which deb
> > >   packages they are composed of.
> > >   - For a subset[1] of these, we alert if the package version in
> > >     that ROCK needs to be updated because a USN has been
> > >     published for it.
> > > * Separate from that, we have a list of some specific projects[2]
> > >   which we know are used to build some ROCKS, *AND* (coincidentally
> > >   _but importantly_) for which a deb package exists in the Ubuntu
> > >   archives.
> > >   - Because we have a package in the archive representing
> > >     some version of these upstream projects, information about
> > >     CVEs affecting them is available to us.
> > >   - If we identify a CVE in one of those deb packages that
> > >     represents the 'upstream' project used to build a ROCK, we
> > >     notify you that we've seen a CVE.
> > >   - *Note / limitation:* We have no information about these
> > >     upstream repos or what exact version of upstream goes into
> > >     the ROCKS. We only know that you're interested in that
> > >     project and we have some information about it because there
> > >     is a deb for it in the archive and therefore we get CVE
> > >     information and pass that directly on to yourselves.
> > >
> > > [1]: ROCKS built with debs that we can alert for when a USN affects
> > > them:
> > > - apache2, bind9, charmed-opensearch, kafka, memcached, mlflow,
> > >   nginx, postgres, redis, squid, zookeeper
> > > [2]: 'upstream' packages that also have debs and therefore CVE
> > > information in UCT:
> > > - consul, golang-gogoprotobuf, prometheus,
> > >   prometheus-alertmanager, (and now also) ca-certificates
> > >
> > > David.
> >
> > > On Fri, Aug 18, 2023 at 3:14 AM Emilia Torino <emilia.torino@xxxxxxxxxxxxx> wrote:
> > >
> > > On 17/8/23 12:51, Cristovao Cordeiro wrote:
> > > > Alright, thanks. So not much. I'll leave it up to you @Emilia Torino
> > > > whether you think partial monitoring of these images is worth it. I'd
> > > > say, only if it is a no-op for you.
> > >
> > > Adding CVE notifications affecting ca-certificates is simple; I have
> > > just done it. For this service we don't fetch/inspect ROCKs at all, so
> > > it's not even resource consuming.
> >
> > >
> > > On Thu, Aug 17, 2023 at 4:02 PM Luca Bello <luca.bello@xxxxxxxxxxxxx> wrote:
> > >
> > > Well yes, in pretty much all of our rocks we add the
> > > `ca-certificates` package for TLS operations:
> > >
> > > https://packages.ubuntu.com/search?keywords=ca-certificates
> > >
> > > We technically use things like `npm`, `nodejs` and `go` for builds,
> > > but I think that's not particularly relevant.
> > >
> > > Cheers,
> > >
> > > Luca
> > >
> > > On 17/08/2023 15:28, Cristovao Cordeiro wrote:
> > >> Well, I'd need to inspect every one of those images before making
> > >> such a statement, *but*, I'd risk saying that these images,
> > >> although snap-/source- based, might also have additional debs, on
> > >> top of the base `ubuntu` image, that deserve monitoring. @Luca
> > >> Bello can you please confirm that? I.e. if any of your
> > >> snap-/source-based ROCKs also has additional debs installed, then
> > >> it's probably worth monitoring them nonetheless.
> > >>
> > >> On Thu, Aug 17, 2023 at 2:58 PM Emilia Torino
> > >> <emilia.torino@xxxxxxxxxxxxx> wrote:
> > >>
> > >> Hi!
> > >>
> > >> On Thu, Aug 17, 2023 at 9:53 AM Luca Bello
> > >> <luca.bello@xxxxxxxxxxxxx> wrote:
> > >>
> > >> Hi everyone,
> > >>
> > >> that's correct, SeaweedFS is postponed :)
> > >>
> > >> On 17/08/2023 14:50, Cristovao Cordeiro wrote:
> > >>> Hi everyone,
> > >>>
> > >>> here's a ping just to revive this thread.
> > >>>
> > >>> @Emilia Torino you might have received some GH notifications from
> > >>> me, which are related to @Luca Bello's images which are now
> > >>> being prepared to be published.
> > >>
> > >>
> > >> Yes, I got them and I was also going to ping you all since
> > >> from our last discussion I said:
> > >>
> > >> "I did a search over the provided sources and only found one
> > >> case where we have the project as a deb in the archive, which
> > >> is alertmanager:
> > >> https://launchpad.net/ubuntu/+source/prometheus-alertmanager
> > >> So unless you can confirm there are other debs in the archive
> > >> matching the remaining upstream projects, alertmanager is the
> > >> only one we can add to our CVEs monitoring service. I can add
> > >> it right now."
> > >>
> > >>> I'm updating the list from above with the Docker Hub
> > >>> repos that should be monitored:
> > >>>
> > >>> * Alertmanager (https://github.com/prometheus/alertmanager) ->
> > >>>   https://hub.docker.com/r/ubuntu/alertmanager (new)
> > >>> * Grafana Agent (https://github.com/grafana/agent) ->
> > >>>   https://hub.docker.com/r/ubuntu/grafana-agent (new)
> > >>> * Grafana (https://github.com/grafana/grafana) ->
> > >>>   https://hub.docker.com/r/ubuntu/grafana
> > >>> * Loki (https://github.com/grafana/loki) ->
> > >>>   https://hub.docker.com/r/ubuntu/loki
> > >>> * Mimir (https://github.com/grafana/mimir) ->
> > >>>   https://hub.docker.com/r/ubuntu/mimir (new)
> > >>> * SeaweedFS (https://github.com/seaweedfs/seaweedfs) [1]
> > >>> * Traefik (https://github.com/traefik/traefik) ->
> > >>>   https://hub.docker.com/r/ubuntu/traefik (new)
> > >>
> > >> So unfortunately, all others can't be monitored with the
> > >> existing solution.
> > >>
> > >>>
> > >>> [1] @Luca Bello is this one postponed?
> > >>>
> > >>> On Mon, Jul 3, 2023 at 9:37 AM Luca Bello
> > >>> <luca.bello@xxxxxxxxxxxxx> wrote:
> > >>>
> > >>> Hi Emilia,
> > >>>
> > >>> that's great; thanks for following through!
> > >>>
> > >>>
> > >>> Cheers,
> > >>>
> > >>> Luca
> > >>>
> > >>> On 28/06/2023 22:18, Emilia Torino wrote:
> > >>>> Hi Luca,
> > >>>>
> > >>>> On Tue, Jun 27, 2023 at 5:11 AM Luca Bello
> > >>>> <luca.bello@xxxxxxxxxxxxx> wrote:
> > >>>>
> > >>>> Hi Emilia,
> > >>>>
> > >>>> I did not look into it as our short-term
> > >>>> priorities changed a little bit; if you need
> > >>>> anything else from my side please let me know!
> > >>>>
> > >>>>
> > >>>> I did a search over the provided sources and only
> > >>>> found one case where we have the project as a deb in
> > >>>> the archive, which is alertmanager:
> > >>>> https://launchpad.net/ubuntu/+source/prometheus-alertmanager
> > >>>>
> > >>>> So unless you can confirm there are other debs in
> > >>>> the archive matching the remaining upstream
> > >>>> projects, alertmanager is the only one we can add to
> > >>>> our CVEs monitoring service. I can add it right now.
> > >>>>
> > >>>> Let me know if you have any questions.
> > >>>>
> > >>>> Emilia
> > >>>>
> > >>>>
> > >>>> Cheers,
> > >>>>
> > >>>> Luca
> > >>>>
> > >>>> On 22/06/2023 17:37, Emilia Torino wrote:
> > >>>>> Hi all,
> > >>>>>
> > >>>>> Following up on this issue...
> > >>>>>
> > >>>>> On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino
> > >>>>> <emilia.torino@xxxxxxxxxxxxx> wrote:
> > >>>>>
> > >>>>> Hi all,
> > >>>>>
> > >>>>> On 9/6/23 06:20, Cristovao Cordeiro wrote:
> > >>>>> > Sounds good to me. @Emilia Torino do you need those repos to
> > >>>>> > exist in Docker Hub before you can onboard these?
> > >>>>>
> > >>>>> We don't. Since we don't scan the upstream based ROCKs (we only
> > >>>>> need this for the deb based ones).
> > >>>>>
> > >>>>> >
> > >>>>> > On Fri, Jun 9, 2023 at 10:42 AM Luca Bello
> > >>>>> > <luca.bello@xxxxxxxxxxxxx> wrote:
> > >>>>> >
> > >>>>> > Hello everyone,
> > >>>>> >
> > >>>>> > as mentioned before, the ROCKs we have are all based on upstream
> > >>>>> > projects; the list is the following, as required:
> > >>>>> >
> > >>>>> > * Alertmanager (https://github.com/prometheus/alertmanager)
> > >>>>> > * Grafana Agent (https://github.com/grafana/agent)
> > >>>>> > * Grafana (https://github.com/grafana/grafana)
> > >>>>> > * Loki (https://github.com/grafana/loki)
> > >>>>> > * Mimir (https://github.com/grafana/mimir)
> > >>>>> > * SeaweedFS (https://github.com/seaweedfs/seaweedfs)
> > >>>>> > * Traefik (https://github.com/traefik/traefik)
> > >>>>> >
> > >>>>> > Please let me know if any of these qualifies!
> > >>>>>
> > >>>>> I am not sure how urgent this is, but if you help me identify the
> > >>>>> Ubuntu source packages associated we can make this faster.
> > >>>>> Otherwise we can work on this next week.
> > >>>>>
> > >>>>>
> > >>>>> Did you have a chance to check this?
> > >>>>>
> > >>>>>
> > >>>>> >
> > >>>>> >
> > >>>>> > Cheers,
> > >>>>> >
> > >>>>> > Luca
> > >>>>> >
> > >>>>> > On 31/05/2023 18:29, Cristovao Cordeiro wrote:
> > >>>>> >>
> > >>>>> >> So the only change from our side will be to add
> > >>>>> >> prometheus to the email notification subject (or I guess we
> > >>>>> >> can just simply replace it with "CVEs potentially affecting
> > >>>>> >> upstream based ROCKs"). Are the email recipients the same ones
> > >>>>> >> for the other ones?
> > >>>>> >>
> > >>>>> >>
> > >>>>> >> I think that would be fine for now. I'm reluctant to use the
> > >>>>> >> mailing list as a catch-all, but I think we can re-design this
> > >>>>> >> once there is an event bus at Canonical, so we rely less on
> > >>>>> >> emails.
> > >>>>> >>
> > >>>>> >> As for the other 10 ROCKs, @Luca Bello let's first do the right
> > >>>>> >> due diligence on those, cause if a ROCK is not meant to be under
> > >>>>> >> the "ubuntu" namespace, then this security monitoring doesn't
> > >>>>> >> need to apply.
> > >>>>> >>
> > >>>>> >> On Wed, May 31, 2023 at 3:58 PM Emilia Torino
> > >>>>> >> <emilia.torino@xxxxxxxxxxxxx> wrote:
> > >>>>> >>
> > >>>>> >>
> > >>>>> >> Hi all,
> > >>>>> >>
> > >>>>> >> On 31/5/23 04:03, Luca Bello wrote:
> > >>>>> >> > Hi everyone,
> > >>>>> >> >
> > >>>>> >> > as said in the thread already, the prometheus image is
> > >>>>> >> > indeed a ROCK based on the *prometheus/prometheus* repository.
> > >>>>> >>
> > >>>>> >> That's very convenient. But just to be clear again, we are not
> > >>>>> >> "inspecting" the upstream based rocks the same way we do for the
> > >>>>> >> deb based ones. We are only monitoring new CVEs created for
> > >>>>> >> prometheus, protobuf and consul. So the only change from our
> > >>>>> >> side will be to add prometheus to the email notification subject
> > >>>>> >> (or I guess we can just simply replace it with "CVEs potentially
> > >>>>> >> affecting upstream based ROCKs"). Are the email recipients the
> > >>>>> >> same ones for the other ones?
> > >>>>> >>
> > >>>>> >> >
> > >>>>> >> > We're in the process of updating all of our ROCKs in a
> > >>>>> >> > similar way, meaning we want to make sure we are complying
> > >>>>> >> > with any guidelines you might have on them.
> > >>>>> >> > We have about 10 ROCKs at the moment, mostly based on
> > >>>>> >> > upstream projects just like this one. Should I share the full
> > >>>>> >> > list, so you can track them?
> > >>>>> >>
> > >>>>> >> I am happy to do an analysis of this list to see if we can add
> > >>>>> >> more. The short answer would be that if the software is packaged
> > >>>>> >> as a deb in main or universe (which is the situation for
> > >>>>> >> prometheus, protobuf and consul) then we can simply add them.
> > >>>>> >> This is because the service is based on the existing CVE triage
> > >>>>> >> work the security team does, which is mainly for debs (although
> > >>>>> >> now it is being extended to other ecosystems because of SOSS,
> > >>>>> >> but it is still limited and mainly supporting NVIDIA software).
> > >>>>> >>
> > >>>>> >> A simple improvement though could be to map the projects to the
> > >>>>> >> rocks so you don't get a general notification, but one per ROCK
> > >>>>> >> as the USNs/debs based service does. We can work on adding this
> > >>>>> >> for the next cycle.
> > >>>>> >>
> > >>>>> >> >
> > >>>>> >> >
> > >>>>> >> > Cheers,
> > >>>>> >> >
> > >>>>> >> > Luca
> > >>>>> >> >
> > >>>>> >> >
> > >>>>> >> > On 31/05/2023 08:12, Cristovao Cordeiro wrote:
> > >>>>> >> >> Thank you for the swift action, Emilia!
> > >>>>> >> >>
> > >>>>> >> >> > Does this
> > >>>>> >> >> > relate to a question being asked some hours ago in
> > >>>>> >> >> > ~Security
> > >>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo ?
> > >>>>> >> >>
> > >>>>> >> >> Yes, precisely. @Luca Bello is in the process of updating
> > >>>>> >> >> that image and we're re-doing our due diligence.
> > >>>>> >> >> Luca can confirm, but this seems to be a ROCK based
> > >>>>> >> >> precisely on that upstream Prometheus repository that you
> > >>>>> >> >> are already monitoring
> > >>>>> >> >> (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).
> > >>>>> >> >>
> > >>>>> >> >> Can we then add this image to your list of tracked ROCKs?
> > >>>>> >> >>
> > >>>>> >> >>
> > >>>>> >> >> On Tue, May 30, 2023 at 9:45 PM Emilia Torino
> > >>>>> >> >> <emilia.torino@xxxxxxxxxxxxx> wrote:
> > >>>>> >> >>
> > >>>>> >> >> Hey all,
> > >>>>> >> >>
> > >>>>> >> >> On 30/5/23 13:14, Emilia Torino wrote:
> > >>>>> >> >> > Hi Cristovao,
> > >>>>> >> >> >
> > >>>>> >> >> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
> > >>>>> >> >> >> Hi Emilia,
> > >>>>> >> >> >>
> > >>>>> >> >> >> could you please confirm the `prometheus` container
> > >>>>> >> >> >> image is being monitored?
> > >>>>> >> >> >
> > >>>>> >> >> > I don't see prometheus being monitored by our services
> > >>>>> >> >> > (not as a rock based on upstream source code nor as a
> > >>>>> >> >> > rock based on debs). Does this relate to a question being
> > >>>>> >> >> > asked some hours ago in ~Security
> > >>>>> >> >> > https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo ?
> > >>>>> >> >> >
> > >>>>> >> >> >
> > >>>>> >> >> >> These emails' subject only mentions cortex and telegraf,
> > >>>>> >> >> >> but I can see "https://github.com/prometheus/prometheus"
> > >>>>> >> >> >> in the body of the email.
> > >>>>> >> >> >
> > >>>>> >> >> > Apologies for the confusion, this sounds like a bug in the
> > >>>>> >> >> > email content generator code. I will take a look at it
> > >>>>> >> >> > later.
> > >>>>> >> >>
> > >>>>> >> >> I investigated this bug and it should be solved already.
> > >>>>> >> >> There was an issue in the past, but we fixed it already. I
> > >>>>> >> >> thought it could be related but I see this notification you
> > >>>>> >> >> are asking about is from March. If you check the last
> > >>>>> >> >> notification sent on Thu, May 4, 2:03 AM it is correctly
> > >>>>> >> >> reporting about a single package (cortex only).
> > >>>>> >> >>
> > >>>>> >> >> Let me know if you have any further questions.
> > >>>>> >> >>
> > >>>>> >> >> > In this case, only a new CVE affecting consul has been
> > >>>>> >> >> > created in our tracker:
> > >>>>> >> >> > https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
> > >>>>> >> >> >
> > >>>>> >> >> > Still, this does not mean cortex and telegraf are
> > >>>>> >> >> > affected, since this needs triage (i.e. understand if the
> > >>>>> >> >> > code/version present in the rocks are indeed vulnerable).
> > >>>>> >> >> >
> > >>>>> >> >> > FYI the reason why https://github.com/prometheus/prometheus
> > >>>>> >> >> > (and also https://github.com/gogo/protobuf) are listed in
> > >>>>> >> >> > this email is because these 3 are the *only* upstream
> > >>>>> >> >> > projects we are monitoring (because of the bug the 3 are
> > >>>>> >> >> > incorrectly listed in the email, only consul should be).
> > >>>>> >> >> > In other words, we are not scanning every upstream source
> > >>>>> >> >> > project which is used to build cortex and telegraf.
> > >>>>> >> >> >
> > >>>>> >> >> > There are reasons why this service is very limited, and I
> > >>>>> >> >> > hope this is/was clear. Let me know if you need more
> > >>>>> >> >> > information.
> > >>>>> >> >> >
> > >>>>> >> >> > Emilia
> > >>>>> >> >> >
> > >>>>> >> >> >>
> > >>>>> >> >> >> ----------
> > Forwarded
> > >>>>> message ---------
> > >>>>> >> >> >> From:
> > >>>>>
> > <security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>>
> > >>>>> >> >> >>
> > >>>>>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
> > <mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>>>>
> > >>>>> >> >> >> Date: Sat, Mar
> > 11, 2023
> > >>>>> at 6:03 AM
> > >>>>> >> >> >> Subject:
> > >>>>> [Ubuntu-docker-images] CVEs
> > potentially
> > >>>>> >> affecting
> > >>>>> >> >> cortex and
> > >>>>> >> >> >> telegraf
> > >>>>> >> >> >> To:
> > >>>>>
> > <ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>
> > >>>>> >> >> >>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>>>,
> > >>>>> >> >> >>
> > >>>>> <sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>>>
> > >>>>> >> >>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:sergio.durigan@xxxxxxxxxxxxx
> > <mailto:sergio.durigan@xxxxxxxxxxxxx>>>>>,
> > >>>>> >> >> >>
> > >>>>> <emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>>>
> > >>>>> >> >>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:emilia.torino@xxxxxxxxxxxxx
> > <mailto:emilia.torino@xxxxxxxxxxxxx>>>>>,
> > >>>>> >> >> >>
> > >>>>> <alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>
> > >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>
> > >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>>>
> > >>>>> >>
> > >>>>>
> > <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>
> > >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>
> > >>>>> <mailto:alex.murray@xxxxxxxxxxxxx
> > <mailto:alex.murray@xxxxxxxxxxxxx>>>>>,
> > >>>>> >> >> >>
> > >>>>> <simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>>>
> > >>>>> >> >>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:simon.aronsson@xxxxxxxxxxxxx
> > <mailto:simon.aronsson@xxxxxxxxxxxxx>>>>>,
> > >>>>> >> >> >>
> > >>>>>
> > <dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>
> > >>>>>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>>
> > >>>>> >> >> >>
> > >>>>>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
> > <mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>>>>
> > >>>>> >> >> >>
> > >>>>> >> >> >>
> > >>>>> >> >> >> New CVEs
> affecting
> > >>>>> packages used to build upstream
> > >>>>> >> based rocks
> > >>>>> >> >> have been
> > >>>>> >> >> >> created in the
> > Ubuntu CVE
> > >>>>> tracker:
> > >>>>> >> >> >>
> > >>>>> >> >> >> *
> > >>>>> https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>
> > >>>>> <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>>
> > >>>>> >>
> > >>>>>
> > <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>
> > >>>>> <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>>>
> > >>>>> >> >>
> > >>>>>
> > <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>
> > >>>>> <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>>
> > >>>>> >>
> > >>>>>
> > <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>
> > >>>>> <https://github.com/gogo/protobuf
> > <https://github.com/gogo/protobuf>>>>:
> > >>>>> >> >> >> *
> > >>>>> https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>>
> > >>>>> >>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>>>
> > >>>>> >> >> >>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>>
> > >>>>> >>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>
> > >>>>>
> > <https://github.com/hashicorp/consul
> > <https://github.com/hashicorp/consul>>>>:
> > >>>>> CVE-2023-0845
> > >>>>> >> >> >> *
> > >>>>> https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>>
> > >>>>> >>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>>>
> > >>>>> >> >> >>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>>
> > >>>>> >>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>
> > >>>>>
> > <https://github.com/prometheus/prometheus
> > <https://github.com/prometheus/prometheus>>>>:
> > >>>>> >> >> >>
> > >>>>> >> >> >> Please review
> > your rock
> > >>>>> to understand if it is
> > >>>>> >> affected by
> > >>>>> >> >> these CVEs.
> > >>>>> >> >> >>
> > >>>>> >> >> >> Thank you for
> > your rock
> > >>>>> and for attending to this
> > >>>>> >> matter.
> > >>>>> >> >> >>
> > >>>>> >> >> >> References:
> > >>>>> >> >> >>
> > >>>>> >> >>
> > >>>>> >>
> > >>>>>
> >
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>> <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>>
> > >>>>> >> >> >>
> > >>>>> >> >>
> > >>>>> >>
> > >>>>>
> > <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>> <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845> <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845 <
> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>>>
> > >>>>> >> >> >>
> > >>>>> >> >> >>
> > >>>>> >> >> >>
> > >>>>> >> >> >> --
> > >>>>> >> >> >> Mailing list:
> > >>>>> >>
> > >>>>> https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>
> > >>>>> >>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>>
> > >>>>> >> >> >>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>
> > >>>>> >>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>>>
> > >>>>> >> >> >> Post to :
> > >>>>> >>
> > ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>
> > >>>>> >> >> >>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
> > >>>>> >>
> > >>>>>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
> > <mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>>
> > >>>>> >> >> >> Unsubscribe :
> > >>>>> >>
> > >>>>> https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>
> > >>>>> >>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>>
> > >>>>> >> >> >>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>
> > >>>>> >>
> > >>>>>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>
> > <https://launchpad.net/~ubuntu-docker-images
> > <https://launchpad.net/~ubuntu-docker-images>>>>
> > >>>>> >> >> >> More help :
> > >>>>> https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>>
> > >>>>> >>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>>>
> > >>>>> >> >> >>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>>
> > >>>>> >>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>
> > >>>>>
> > <https://help.launchpad.net/ListHelp
> > <https://help.launchpad.net/ListHelp>>>>
> > >>>>> >> >> >>
> > >>>>> >> >> >>
> > >>>>> >> >> >> --
> > >>>>> >> >> >> Cris
> > >>>>> >> >>
> > >>>>> >> >>
> > >>>>> >> >>
> > >>>>> >> >> --
> > >>>>> >> >> Cris
> > >>>>> >>
> > >>>>> >>
> > >>>>> >>
> > >>>>> >> --
> > >>>>> >> Cris
> > >>>>> > ____
> > >>>>> >
> > >>>>> >
> > >>>>> >
> > >>>>> > --
> > >>>>> > Cris
> > >>>>>
> > >>>
> > >>>
> > >>> --
> > >>> Cris
> > >>
> > >>
> > >>
> > >> --
> > >> Cris
> > >
> > >
> > >
> > > --
> > > Cris
> >
> >
> >
> > --
> > Cris
>
--
Cris
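The triage step Emilia describes in the quoted message (a CVE filed against an upstream project does not mean a rock is affected until the code/version actually built into it has been checked) is mechanical enough to script for Go binaries. The following is an added example, not code from this thread, from the OCI Factory or from the Ubuntu security tooling: it reads the module list a built binary carries (the constructed sample mirrors the tab-separated shape of `go version -m <binary>`), compares each module version against a constructed advisory feed with placeholder IDs and ranges, and sends pre-release or pseudo-versions and replaced modules to manual review instead of guessing. The module paths are the three projects named in the bot message plus two assumed ones; every version, range and advisory ID is assumed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory: affected range is [Introduced, Fixed); Fixed == "" means no fix yet.
type Advisory struct{ ID, Module, Introduced, Fixed string }

// sampleGoVersionM is constructed sample input in the shape printed by
// `go version -m <binary>` (tab-separated mod/dep/=> lines).
const sampleGoVersionM = "/usr/bin/cortex: go1.20.4\n" +
	"\tdep\tgithub.com/gogo/protobuf\tv1.3.2\th1:constructed\n" +
	"\tdep\tgithub.com/hashicorp/consul/api\tv1.18.0\th1:constructed\n" +
	"\tdep\tgithub.com/prometheus/prometheus\tv0.43.0\th1:constructed\n" +
	"\tdep\tgithub.com/example/pseudo\tv0.0.0-20230101000000-abcdef123456\th1:constructed\n" +
	"\tdep\tgithub.com/golang/glog\tv1.0.0\th1:constructed\n" +
	"\t=>\tgithub.com/example/glog-fork\tv1.0.1\th1:constructed\n"

// sampleAdvisories is a constructed feed: placeholder IDs and ranges, not real CVE data.
var sampleAdvisories = []Advisory{
	{"EXAMPLE-0001", "github.com/hashicorp/consul/api", "v1.0.0", "v1.19.0"},
	{"EXAMPLE-0002", "github.com/gogo/protobuf", "v0.0.0", "v1.3.2"},
	{"EXAMPLE-0003", "github.com/prometheus/prometheus", "v0.44.0", ""},
	{"EXAMPLE-0004", "github.com/example/pseudo", "v0.0.0", ""},
	{"EXAMPLE-0005", "github.com/golang/glog", "v0.0.0", ""},
}

// ParseModules maps module path -> version from `go version -m` output. A "=>"
// replace line means the replacement, not the original, was compiled in.
func ParseModules(out string) map[string]string {
	mods, last := map[string]string{}, ""
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(f) < 3 || (f[0] != "mod" && f[0] != "dep" && f[0] != "=>") {
			continue
		}
		if f[0] == "=>" {
			delete(mods, last)
		}
		mods[f[1]], last = f[2], f[1]
	}
	return mods
}

// semverKey turns plain vMAJOR.MINOR.PATCH into a comparable integer. Pre-release
// and pseudo-versions ("-"/"+") are rejected so they get manual triage, not a guess.
func semverKey(v string) (key int64, ok bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if strings.ContainsAny(v, "-+") || len(parts) != 3 {
		return 0, false
	}
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1<<20 {
			return 0, false
		}
		key = key<<20 | int64(n)
	}
	return key, true
}

// Affected reports whether version lies in [introduced, fixed); ok is false when
// any of the three versions cannot be compared mechanically.
func Affected(version, introduced, fixed string) (affected, ok bool) {
	v, okV := semverKey(version)
	lo, okLo := semverKey(introduced)
	hi, okHi := int64(1)<<62, fixed == "" // open-ended range when no fix exists
	if !okHi {
		hi, okHi = semverKey(fixed)
	}
	return v >= lo && v < hi, okV && okLo && okHi
}

// Triage maps advisory ID -> affected | not-affected | not-present | manual.
func Triage(mods map[string]string, advisories []Advisory) map[string]string {
	verdict := map[string]string{}
	for _, a := range advisories {
		version, present := mods[a.Module]
		verdict[a.ID] = "not-affected"
		switch affected, ok := Affected(version, a.Introduced, a.Fixed); {
		case !present:
			verdict[a.ID] = "not-present"
		case !ok:
			verdict[a.ID] = "manual"
		case affected:
			verdict[a.ID] = "affected"
		}
	}
	return verdict
}

func main() {
	verdict := Triage(ParseModules(sampleGoVersionM), sampleAdvisories)
	for _, a := range sampleAdvisories {
		fmt.Printf("%-13s %-36s %s\n", a.ID, a.Module, verdict[a.ID])
	}
}
```

Running it prints one verdict per advisory. In practice the advisory feed would be built from tracker entries like the one linked in the bot message and the binary taken from the rock's own filesystem; a "manual" verdict is exactly the situation the thread is about: the scanner cannot decide on its own, so a person has to look at the code that was actually built.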
References
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-09
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-22
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-06-27
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-06-28
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-07-03
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Luca Bello, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-08-17
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: David Lane, 2023-08-18
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Cristovao Cordeiro, 2023-08-18
-
Re: Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
From: Emilia Torino, 2023-08-22