[Bug 1926321] Re: [MIR] telegraf

2022-04-14 Thread Steve Beattie
** Tags added: sec-753

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926321

Title:
  [MIR] telegraf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/telegraf/+bug/1926321/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1926321] Re: [MIR] telegraf

2022-01-10 Thread Christian Ehrhardt 
Backuppc and Fence agents are done quite a while ago, and since this
waited for so long we'd really appreciate getting this completed.
Nevertheless - makes me sad to say - of the many reviews blocked this is
one we could survive for a bit longer. Hence setting Prio:High and mid
year Milestone (last is 22.04 atm).

** Changed in: telegraf (Ubuntu)
   Importance: Undecided => High

** Changed in: telegraf (Ubuntu)
Milestone: None => ubuntu-22.04


[Bug 1926321] Re: [MIR] telegraf

2021-06-17 Thread Sergio Durigan Junior
Hi Seth,

That's great, thank you for the update (and for the link to the Trello
board; I wasn't aware of it!).

Cheers!


[Bug 1926321] Re: [MIR] telegraf

2021-06-17 Thread Seth Arnold
Hello Sergio, it's not forgotten, but it is currently behind backuppc-rsync
and fence-agents in the server queue
https://trello.com/b/EGj5Msfo/security-mir-backlog

Thanks


[Bug 1926321] Re: [MIR] telegraf

2021-06-17 Thread Sergio Durigan Junior
Hi security folks,

Just a gentle ping to see how things are going w.r.t. this MIR and its
security review.

Thank you.


[Bug 1926321] Re: [MIR] telegraf

2021-05-31 Thread Sergio Durigan Junior
Thanks for your input, Alex.  Absolutely, if you feel like this package
needs a full review then let's do it; I don't want to jump any steps in
the process here :-).

Thank you, and let me know if you need anything from my side in order to
make this review quicker/easier for the Security team.


[Bug 1926321] Re: [MIR] telegraf

2021-05-31 Thread Alex Murray
We have the ROCKs USN notification service which happens to monitor the
telegraf ROCK, but that doesn't mean we are actively supporting the
telegraf package in Ubuntu - as such, I feel this package needs an
explicit security review like any other.


[Bug 1926321] Re: [MIR] telegraf

2021-05-31 Thread Christian Ehrhardt 
Thank you Sergio,
so the one bit we still need now is security to say "yes we already monitor it 
and it is ok to be promoted to main" which should be much quicker than a full 
security review from scratch.

** Changed in: telegraf (Ubuntu)
 Assignee: Didier Roche (didrocks) => Ubuntu Security Team (ubuntu-security)


[Bug 1926321] Re: [MIR] telegraf

2021-05-25 Thread Sergio Durigan Junior
Phew, finally!  Upstream has released a new version of telegraf this
weekend, and I've just updated the Ubuntu telegraf package with it.
This new version addresses all of the CVEs I'd mentioned, so I think the
package is ready for the next step in the MIR process :-).

Reassigning to Didier and changing the bug status to Confirmed, as
requested.  Thanks!

** Changed in: telegraf (Ubuntu)
 Assignee: Sergio Durigan Junior (sergiodj) => Didier Roche (didrocks)

** Changed in: telegraf (Ubuntu)
   Status: Incomplete => Confirmed


[Bug 1926321] Re: [MIR] telegraf

2021-05-07 Thread Sergio Durigan Junior
Thank you, Didier.  I'm in touch with upstream and asked them if it's
possible to cut a new release ASAP with the CVE fixes.  I'll let you
know when the update is done :-).


[Bug 1926321] Re: [MIR] telegraf

2021-05-07 Thread Didier Roche
(changing the status for our weekly team report, feel free to reassign
it to me and reset to confirmed/triaged once done so that I can notice
it)


[Bug 1926321] Re: [MIR] telegraf

2021-05-07 Thread Didier Roche
Thanks for the quick feedback! Sorry for the symlink, I hadn't noticed
it, and you are correct about dh_installsystemd.

Keep me posted once the new upstream release is done, so that I can +1
and pass the baton to security :)

** Changed in: telegraf (Ubuntu)
 Assignee: Didier Roche (didrocks) => Sergio Durigan Junior (sergiodj)

** Changed in: telegraf (Ubuntu)
   Status: New => Incomplete


[Bug 1926321] Re: [MIR] telegraf

2021-05-06 Thread Sergio Durigan Junior
FWIW, I've just completed the d/copyright update/review.  I'm now
waiting on the new upstream release which will fix the aforementioned
CVEs.


Re: [Bug 1926321] Re: [MIR] telegraf

2021-05-06 Thread Sergio Durigan Junior
On Thursday, May 06 2021, Didier Roche wrote:

> [Summary]
> The package is in a very good shape, higher than most of the ones we
> review. I have a few questions but no big blocker. I feel it would be
> still good for the security team (even if they already support it to
> some point) to have a second look before we promote it to
> main. Hopefully, as this is mildly-supported already, that should be a
> quick pass.

Thank you very much for the review, Didier :-).

> Thanks for the detailed security and CVE analysis, including the
> vendored dependencies. Much appreciated :)
>
> Notes:
> Questions:
> - I think we should promote it once github.com/gogo/protobuf is fixed and an 
> upload with the vendored updated dep is done. It seems to be fixed in 
> 1.18.1+ds1-0ubuntu1, correct?

That is correct.  The latest version on Impish already has the fix for
the gogo/protobuf CVE.  Upstream has already fixed it, too.

> - Same with github.com/prometheus/prometheus/, let’s wait then for the
> latest version of telegraf which isn’t impacted by it (do you have the
> version handy? Is it 1.18.1? and so, we can mark this as "DONE"?)

The prometheus vulnerability does not affect the version of telegraf
that is available on Impish, so I'd consider that "DONE" (or even
"INVALID") :-).

> - About the github.com/hashicorp/consul CVEs and fixes, do you have
> any ETA? I think we should wait for them to be fixed before the actual
> promotion (and this can give some time for the security team to assess
> the package again), wdyt?

Upstream has fixed the CVEs (by updating the hashicorp/consul version
they're using) yesterday!  I am just waiting for them to cut a release
and then I will update the Impish package.

> - You are patching the upstream service file in
> debian/patches/adjust-service-user.patch but still provide a service
> file in debian/telegraf.service. I didn’t see the latter installed by
> any script, and so, it seems the debian/ one is not needed anymore. Do
> you mind having a look and cleaning that up? (Either removing the patch,
> which is not needed if we don’t install the upstream one, or the unused
> .service in debian/)

The telegraf.service file under the debian/ directory is actually a
symlink to the upstream one; it is needed because dh_installsystemd
looks for it when deciding what to install.  The patch is needed because
we want the telegraf system user to be prefixed by an underscore,
following the latest Debian Policy guidelines.  So, in summary: both the
patch and the symlink are needed :-).

> Required TODOs:
> - Can you check and update debian/copyright please? Some years are not
> present, and copyright attributions are wrong (for instance
> vendor/honnef.co/* has some files "Copyright 2014 The Go Authors"). I
> think a second look would be good if you can ensure that everything is
> up to date.

Yes, sure.  This will take some time but then again I am waiting until
upstream releases a new version anyway :-).

> - The package is in the lto-disabled list (see
> https://launchpad.net/ubuntu/+source/lto-disabled-list). You need to
> fix or work around it directly in the package. If you need an example
> for a Go package disabling it (due to Go internals):
> https://github.com/ubuntu/adsys/blob/main/debian/rules#L11

Ah, good point.  I will look into this, thanks.

Thanks again for the thorough review!

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14


[Bug 1926321] Re: [MIR] telegraf

2021-05-06 Thread Didier Roche
[Summary]
The package is in a very good shape, higher than most of the ones we review. I 
have a few questions but no big blocker. I feel it would be still good for the 
security team (even if they already support it to some point) to have a second 
look before we promote it to main. Hopefully, as this is mildly-supported 
already, that should be a quick pass.

Thanks for the detailed security and CVE analysis, including the
vendored dependencies. Much appreciated :)

Notes:
Questions:
- I think we should promote it once github.com/gogo/protobuf is fixed and an 
upload with the vendored updated dep is done. It seems to be fixed in 
1.18.1+ds1-0ubuntu1, correct?
- Same with github.com/prometheus/prometheus/, let’s wait then for the latest 
version of telegraf which isn’t impacted by it (do you have the version handy? 
Is it 1.18.1? and so, we can mark this as "DONE"?)
- About the github.com/hashicorp/consul CVEs and fixes, do you have any ETA? I 
think we should wait for them to be fixed before the actual promotion (and this 
can give some time for the security team to assess the package again), wdyt?
- You are patching the upstream service file in 
debian/patches/adjust-service-user.patch but still provide a service file in 
debian/telegraf.service. I didn’t see the latter installed by any script, and 
so, it seems the debian/ one is not needed anymore. Do you mind having a look 
and cleaning that up? (Either removing the patch, which is not needed if we don’t 
install the upstream one, or the unused .service in debian/)


Required TODOs:
- Can you check and update debian/copyright please? Some years are not present, 
and copyright attributions are wrong (for instance vendor/honnef.co/* has some 
files "Copyright 2014 The Go Authors"). I think a second look would be good if 
you can ensure that everything is up to date.
- The package is in the lto-disabled list (see 
https://launchpad.net/ubuntu/+source/lto-disabled-list). You need to fix or 
work around it directly in the package. If you need an example for a Go 
package disabling it (due to Go internals): 
https://github.com/ubuntu/adsys/blob/main/debian/rules#L11


[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion


[Embedded sources and static linking]
OK:
Go package, contains vendoring, but we already have some projects in main 
following this scheme in Ubuntu, and so ok.

[Security]
OK:
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does open a port, but unprivileged
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- history of CVEs of dependencies (statically linked) has been detailed. Some 
were already addressed. See the question section on how we deal with the 
remaining ones.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- Go package that uses dh-golang

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance is under control
- symbols tracking not applicable for this kind of code, even if it has an 
internal plugin system, which is using Go interfaces.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs so far
- no Lintian warnings
- d/rules is rather clean
- Go package that follows the Debian Go packaging guidelines

Problems:
- is on the lto-disabled list. See required todo.


[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks


[Bug 1926321] Re: [MIR] telegraf

2021-05-04 Thread Christian Ehrhardt 
** Changed in: telegraf (Ubuntu)
 Assignee: (unassigned) => Didier Roche (didrocks)


[Bug 1926321] Re: [MIR] telegraf

2021-04-27 Thread Sergio Durigan Junior
** Description changed:

  [ Availability ]
  
  The telegraf package has been part of Ubuntu's universe repository
  since Groovy.  It successfully builds and the tests pass on all
  supported architectures: amd64, arm64, armhf, ppc64el, riscv64 and
  s390x.
  
  [ Rationale ]
  
  Telegraf is part of a suite of programs referred to as LMA (Logging,
  Monitoring and Alert). It is responsible for the Logging; prometheus,
  prometheus-alertmanager and grafana are the other components of this
  solution.
  
  We, the Ubuntu Server team, have been maintaining the package for the
  last several months, and we now would like to proceed with the MIR
  process for it.
  
  The telegraf package is being used as the building block of the
  equivalent telegraf OCI image (see
  https://hub.docker.com/repository/docker/ubuntu/telegraf), which is an
  official image provided and supported by Canonical.
  
  It is important to also note that the security team is already
  providing tracking and notification of potential vulnerabilities and
  CVEs on this OCI image, which means that, indirectly, the Ubuntu
  telegraf package is already being treated more or less as a main
  package.
  
  [ Security ]
  
  Unfortunately, due to the large number of unpackaged Golang
  dependencies, it was not possible to package telegraf in Debian first
  and then sync it to Ubuntu.  For this reason, the Ubuntu telegraf
  package contains hundreds of vendorized Golang dependencies inside its
  orig tarball.
  
  I could not find any CVEs for telegraf itself on http://cve.mitre.org/
  (the only thing I found was related to telegraf's official OCI image,
  which does not apply to this MIR).
  
  While analysing the Golang dependencies, I have found the following
  CVEs:
  
  - For github.com/dgrijalva/jwt-go/v4:
  
  https://nvd.nist.gov/vuln/detail/CVE-2020-26160
  
  This vulnerability does not affect the current version that is in
  Hirsute/Impish.
  
  - For github.com/gogo/protobuf:
  
  https://nvd.nist.gov/vuln/detail/CVE-2021-3121
  
  This vulnerability is being addressed at the time of this writing,
  both by upstream and by us.
  
  - For github.com/hashicorp/consul:
  
  https://nvd.nist.gov/vuln/detail/CVE-2020-7219
  https://nvd.nist.gov/vuln/detail/CVE-2018-19653
  https://nvd.nist.gov/vuln/detail/CVE-2020-28053
  https://nvd.nist.gov/vuln/detail/CVE-2020-13250
  
  These vulnerabilities do affect the current version in Hirsute/Impish,
  but they are not trivial to fix and we are working with upstream to
  address them.
  
  - For github.com/prometheus/prometheus/
  
  https://nvd.nist.gov/vuln/detail/CVE-2019-3826
  
- These vulnerability does affect the current version in Hirsute/Impish,
- but it is not trivial to fix and we are working with upstream to
- address it.
+ These vulnerability does *not* affect the latest upstream version of
+ telegraf, which is being packaged for Impish.
  
  [ Quality Assurance ]
  
  - The package is installed with a reasonable configuration file and
-   a proper systemd service.
+   a proper systemd service.
  
  - It does not ask any debconf questions during installation.
  
  - There are no long-term outstanding bugs that affect the usability of
-   the program.
+   the program.
  
  - The package is not available in Debian, so there is no bug there.
  
  - The only bug opened against the Ubuntu telegraf package right now is
-   the one dealing with CVE-2021-3121.
+   the one dealing with CVE-2021-3121.
  
  - The package is well-maintained in Ubuntu by the Ubuntu Server team.
  
  - The package does not deal with exotic hardware that is not supported
-   by Ubuntu.  It does offer probes and code to deal with some optional
-   hardware that may be installed in the user's computer, but by
-   default this support is disabled in the configuration file.
+   by Ubuntu.  It does offer probes and code to deal with some optional
+   hardware that may be installed in the user's computer, but by
+   default this support is disabled in the configuration file.
  
  - The package ships with a test suite which is executed during
-   build-time and passes on all supported architectures.  It also ships
-   with a simple dep8 test.
+   build-time and passes on all supported architectures.  It also ships
+   with a simple dep8 test.
  
  - The package provides a debian/watch file.
  
  - The package is lintian-free (including with --pedantic).
  
  [ UI standards ]
  
  N/A
  
  [ Dependencies ]
  
  As it is a Golang package, the telegraf binary is statically compiled
  and doesn't depend on anything else other than libc6.  The only extra
  dependency that was added (due to the postinst script) is adduser,
  which is also in main.
  
  [ Standards compliance ]
  
  The package follows FHS and Debian Policy standards to the maximum
  extent.  The only clear violation to the policy, as mentioned above,
  is the fact that all Golang modules are vendorized (bundled) in the
  source package.  Otherwise,