Thank you for the swift action, Emilia!

> Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?

Yes, precisely. @Luca Bello <[email protected]> is in the process of updating that image and we're re-doing our due diligence. Luca can confirm, but this seems to be a ROCK based precisely on that upstream Prometheus repository that you are already monitoring (https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19). Can we then add this image to your list of tracked ROCKs?

On Tue, May 30, 2023 at 9:45 PM Emilia Torino <[email protected]> wrote:
> Hey all,
>
> On 30/5/23 13:14, Emilia Torino wrote:
> > Hi Cristovao,
> >
> > On 30/5/23 09:41, Cristovao Cordeiro wrote:
> >> Hi Emilia,
> >>
> >> could you please confirm the `prometheus` container image is being monitored?
> >
> > I don't see prometheus being monitored by our services (not as a rock based on upstream source code nor as a rock based on debs). Does this relate to a question being asked some hours ago in ~Security https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
> >
> >> These emails' subject only mentions cortex and telegraf, but I can see "https://github.com/prometheus/prometheus" in the body of the email.
> >
> > Apologies for the confusion, this sounds like a bug in the email content generator code. I will take a look at it later.
>
> I investigated this bug and it should be solved already. There was an issue in the past, but we fixed it already. I thought it could be related, but I see the notification you are asking about is from March. If you check the last notification sent on Thu, May 4, 2:03 AM, it is correctly reporting about a single package (cortex only).
>
> Let me know if you have any further questions.
>
> > In this case, only a new CVE affecting consul has been created in our tracker https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
> >
> > Still, this does not mean cortex and telegraf are affected, since this needs triage (i.e. understand if the code/version present in the rocks are indeed vulnerable).
> >
> > FYI the reason why https://github.com/prometheus/prometheus (and also https://github.com/gogo/protobuf) are listed in this email is because these 3 are the *only* upstream projects we are monitoring (because of the bug the 3 are incorrectly listed in the email, only consul should be). In other words, we are not scanning every upstream source project which is used to build cortex and telegraf.
> >
> > There are reasons why this service is very limited, and I hope this is/was clear. Let me know if you need more information.
> >
> > Emilia
> >
> >> ---------- Forwarded message ---------
> >> From: <[email protected]>
> >> Date: Sat, Mar 11, 2023 at 6:03 AM
> >> Subject: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf
> >> To: <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>, <[email protected]>
> >>
> >> New CVEs affecting packages used to build upstream based rocks have been created in the Ubuntu CVE tracker:
> >>
> >> * https://github.com/gogo/protobuf:
> >> * https://github.com/hashicorp/consul: CVE-2023-0845
> >> * https://github.com/prometheus/prometheus:
> >>
> >> Please review your rock to understand if it is affected by these CVEs.
> >>
> >> Thank you for your rock and for attending to this matter.
> >>
> >> References:
> >> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
> >>
> >> --
> >> Mailing list: https://launchpad.net/~ubuntu-docker-images
> >> Post to : [email protected]
> >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
> >> More help : https://help.launchpad.net/ListHelp
> >>
> >> --
> >> Cris
>
--
Cris
--
Mailing list: https://launchpad.net/~observability
Post to : [email protected]
Unsubscribe : https://launchpad.net/~observability
More help : https://help.launchpad.net/ListHelp

