Re: [Observability] Fwd: [Ubuntu-docker-images] CVEs potentially affecting cortex and telegraf

[Luca Bello]

Hi everyone,

as said in the thread already, the prometheus image is indeed a ROCK 
based on the *prometheus/prometheus* repository.

We're in the process of updating all of our ROCKs in a similar way, 
meaning we want to make sure we are complying with any guidelines you 
might have on them.
We have about 10 ROCKs at the moment, mostly based on upstream projects 
just like this one. Should I share the full list, so you can track them?


Cheers,

Luca


On 31/05/2023 08:12, Cristovao Cordeiro wrote:
Thank you for the swift action, Emilia!

> Does this
> relate to a question being asked some hours ago in
> ~Security 
https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?

Yes, precisely. @Luca Bello <mailto:luca.be...@canonical.com> is in 
the process of updating that image and we're re-doing our due diligence.
Luca can confirm, but this seems to be a ROCK based precisely on that 
upstream Prometheus repository that you are already monitoring 
(https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19).

Can we then add this image to your list of tracked ROCKs?


On Tue, May 30, 2023 at 9:45 PM Emilia Torino 
<emilia.tor...@canonical.com> wrote:

    Hey all,

    On 30/5/23 13:14, Emilia Torino wrote:
    > Hi Cristovao,
    >
    > On 30/5/23 09:41, Cristovao Cordeiro wrote:
    >> Hi Emilia,
    >>
    >> could you please confirm the `prometheus` container image is being
    >> monitored?
    >
    > I don't see prometheus being monitored by our services (not as a
    rock
    > based on upstream source code nor as a rock based on debs). Does
    this
    > relate to a question being asked some hours ago in
    > ~Security
    https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo?
    >
    >
    > These emails' subject only mentions cortex and telegraf, but
    >> I can see "https://github.com/prometheus/prometheus
    >> <https://github.com/prometheus/prometheus>" in the body of the
    email.
    >
    > Apologize for the confusion, this sounds like a bug in the email
    content
    > generator code. I will take a look at it later.

    I investigated this bug and it should be solved already. There was an
    issue in the past, but we fixed it already. I thought it could be
    related but I see this notification you are asking is from March.
    If you
    check the last notification sent on Thu, May 4, 2:03 AM is correctly
    reporting about a single package (cortex only).

    Let me know if you have any further question.

      In this case, only a new
    > CVE affecting consul has been created in our tracker
    >
    https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845.
    >
    > Still, this does not mean cortex and telegraf are affected,
    since this
    > needs triage (i.e. understand if the code/version present in the
    rocks
    > are indeed vulnerable).
    >
    > FYI the reason why https://github.com/prometheus/prometheus (and
    also
    > https://github.com/gogo/protobuf) are listed in this email, is
    because
    > these 3 are the *only* upstream projects we are monitoring
    (because of
    > the bug the 3 are incorrectly listed in the email, only consul
    should
    > be). In other words, we are not scanning every upstream source
    project
    > which is used to build cortex and telegraf.
    >
    > There are reasons why this service is very limited, and I hope this
    > is/was clear. Let me know if you need more information.
    >
    > Emilia
    >
    >
    >>
    >> ---------- Forwarded message ---------
    >> From: <security-team-toolbox-...@canonical.com
    >> <mailto:security-team-toolbox-...@canonical.com>>
    >> Date: Sat, Mar 11, 2023 at 6:03 AM
    >> Subject: [Ubuntu-docker-images] CVEs potentially affecting
    cortex and
    >> telegraf
    >> To: <ubuntu-docker-ima...@lists.launchpad.net
    >> <mailto:ubuntu-docker-ima...@lists.launchpad.net>>,
    >> <sergio.duri...@canonical.com
    <mailto:sergio.duri...@canonical.com>>,
    >> <emilia.tor...@canonical.com
    <mailto:emilia.tor...@canonical.com>>,
    >> <alex.mur...@canonical.com <mailto:alex.mur...@canonical.com>>,
    >> <simon.arons...@canonical.com
    <mailto:simon.arons...@canonical.com>>,
    >> <dylan.stephano-shach...@canonical.com
    >> <mailto:dylan.stephano-shach...@canonical.com>>
    >>
    >>
    >> New CVEs affecting packages used to build upstream based rocks
    have been
    >> created in the Ubuntu CVE tracker:
    >>
    >> * https://github.com/gogo/protobuf
    <https://github.com/gogo/protobuf>:
    >> * https://github.com/hashicorp/consul
    >> <https://github.com/hashicorp/consul>: CVE-2023-0845
    >> * https://github.com/prometheus/prometheus
    >> <https://github.com/prometheus/prometheus>:
    >>
    >> Please review your rock to understand if it is affected by
    these CVEs.
    >>
    >> Thank you for your rock and for attending to this matter.
    >>
    >> References:
    >>
    https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845

    >>
    <https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>
    >>
    >>
    >>
    >> --
    >> Mailing list: https://launchpad.net/~ubuntu-docker-images
    >> <https://launchpad.net/~ubuntu-docker-images>
    >> Post to     : ubuntu-docker-ima...@lists.launchpad.net
    >> <mailto:ubuntu-docker-ima...@lists.launchpad.net>
    >> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
    >> <https://launchpad.net/~ubuntu-docker-images>
    >> More help   : https://help.launchpad.net/ListHelp
    >> <https://help.launchpad.net/ListHelp>
    >>
    >>
    >> --
    >> Cris



--
Cris-- 
Mailing list: https://launchpad.net/~observability
Post to     : observability@lists.launchpad.net
Unsubscribe : https://launchpad.net/~observability
More help   : https://help.launchpad.net/ListHelp