On Thursday, July 29 2021, Emilia Torino wrote:

> Hey Sergio,
>
> On 29/7/21 11:45, Sergio Durigan Junior wrote:
>> On Tuesday, July 27 2021, security-team-toolbox-...@canonical.com wrote:
>>
>>> New CVEs affecting packages used to build upstream based rocks have been
>>> created in the Ubuntu CVE tracker:
>>>
>>> * https://github.com/prometheus/prometheus:
>>> * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
>>> * https://github.com/gogo/protobuf:
>>>
>>> Please review your rock to understand if it is affected by these CVEs.
>>>
>>> Thank you for your rock and for attending to this matter.
>>>
>>> References:
>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213
>>
>> Hi Emi,
>>
>> I found the message above a bit confusing. There are three components
>> listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
>> only one (hashicorp/consul) has CVEs listed for it. Do the other two
>> components also have CVEs opened against them?
>
> You are correct, this msg is confusing. Only CVEs affecting consul have
> been created this time.
>
> Is there any reason why
>> they're being listed in the message?
>
> This is a bug in our service. Since these are the 3 upstream
> repositories we are monitoring, the template msg is incorrectly adding
> the 3 when in this case, it should only list consul. I will add this bug
> to our queue to fix it asap.

Aha! Thank you for the clarification (and for working on this!).

Cheers,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14