Hi Marc, I'm afraid a patch-fix will not work because amphora images are created by the end-user using `diskimage-create.sh` which uses pip/git to pull the agent.
Although I do understand that from a OS Maintainer's perspective this patch solves the issue outlined in the CVE and keeps aligned to the release versions. I must add that from an Operator's perspective this will either break current setups: An operator would create an image based on version 4.1.0 which is incompatible to 4.0.0 but is the earliest tag/release with the fix from upstream - Or - Remain being vulnerable by rebuilding a 4.0.0 tagged amphora-image which does not have the CVE fix and yet being suggested it would by the Ubuntu Advisory. I looked at the way `diskimage-create.sh` creates the images for Ubuntu and it does include a flag `'-p' install amphora-agent from distribution packages (default: disabled)` but this is broken because it tries to use `amphora-agent` as package and does not care about UCA. I've poked the Octavia Development Team about this as well. One possible solution to keeping a fixed release (4.0.0) and do patch- updates for security is to provide Amphora-Images by Ubuntu directly. This way you can assure that these images come with your package. The drawback is that it needs a maintainer and causes labor on Canonical/Ubuntu's side. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1847243 Title: Update Octavia-* packages as per OSSA-2019-005 / CVE-2019-17134 To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1847243/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
