Regarding the vendored packages, I have updated our CVE tracker to try
and capture as many of these as possible in
https://git.launchpad.net/ubuntu-cve-tracker/commit/?id=e31511491f1d3258c609e449ecab26765ecf0f9f
- this should allow the security team to automatically have CVEs that
are in one of those vendored components be marked against
google-guest-agent as well. This was based on the list in
debian/extra/vendor/modules.txt, so assuming that is up-to-date, consider
this an ACK for that addition.

Regarding the unconfined externally-controlled services, this feels like
a primary function of this package from what I can see, so whilst this
is clearly a prime target to attack for remote-code-execution etc., from
a cursory look, I can't see any obvious vulnerabilities in the current
implementation, so I don't think it makes sense to NAK this MIR based on
that. I would definitely prefer to see these confined via an AppArmor
profile or similar if possible; however, I understand that this may not be
achievable.

As such, Security Team ACK (again) for promoting google-guest-agent to
main.

** Changed in: google-guest-agent (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1891929
Title:
[MIR] google-guest-agent