Hi Marc,

I'm afraid a patch-fix will not work because amphora images are created by the end-user using `diskimage-create.sh`, which uses pip/git to pull the agent.
Although I do understand that from an OS Maintainer's perspective this patch solves the issue outlined in the CVE and keeps aligned to the release versions.
I must add that from an Operator's perspective this will either break current setups:
An operator would create an image based on version 4.1.0, which is incompatible with 4.0.0 but is the earliest tag/release with the fix from upstream.
- Or -
Remain vulnerable by rebuilding a 4.0.0-tagged amphora image, which does not have the CVE fix even though the Ubuntu Advisory suggests it would.
I looked at the way `diskimage-create.sh` creates the images for Ubuntu, and it does include a flag (`-p`: install amphora-agent from distribution packages, default: disabled), but this is broken because it tries to use `amphora-agent` as the package name and does not care about UCA.
I've poked the Octavia Development Team about this as well.
One possible solution to keep a fixed release (4.0.0) and do patch updates for security is to provide amphora images from Ubuntu directly. This way you can ensure that these images come with your package. The drawback is that it needs a maintainer and causes labor on Canonical's/Ubuntu's side.
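The comment above turns on one practical question for an operator: does the amphora image I built actually carry a fixed agent, and did that agent come from the distribution package (the `-p` path) or from a pip/git pull? The script below is an added example written for this thread; it is not code from the bug report, from Ubuntu, or from the Octavia project. It assumes the image has been mounted or extracted under a directory, that the fixed upstream version is 4.1.0 as stated above, that the distribution package is named `amphora-agent` (the name the thread mentions; UCA may use a different name, so the list is meant to be extended), and that dpkg and pip metadata sit in their standard locations. The sample image trees it builds at the end are constructed for demonstration.

```shell
#!/bin/sh
# Audit an amphora image root for the Octavia agent version and its origin.
# Added example for this thread; not the project's own tooling.

# Earliest upstream release with the fix, taken from the thread above.
FIXED_VERSION="4.1.0"

# version_ge A B: exit 0 when dotted version A >= B, comparing numerically
# per component (so 4.10.0 > 4.9.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# agent_source ROOT: print "dpkg VERSION", "pip VERSION" or "none".
agent_source() {
    root="$1"
    status="$root/var/lib/dpkg/status"
    if [ -f "$status" ]; then
        # Distribution package: read the Version field of the amphora-agent
        # stanza (assumed package name; stanzas are blank-line separated).
        ver=$(awk '/^Package: amphora-agent$/ { found = 1 }
                   /^$/ { found = 0 }
                   found && /^Version: / { print $2; exit }' "$status")
        if [ -n "$ver" ]; then
            ver=${ver#*:}      # drop a Debian epoch such as "1:"
            ver=${ver%%-*}     # drop the Debian revision such as "-0ubuntu1"
            echo "dpkg $ver"
            return 0
        fi
    fi
    # pip/git install: octavia-<ver>.dist-info/METADATA (pip) or
    # octavia.egg-info/PKG-INFO (setup.py develop) under site-packages.
    meta=$(find "$root" \( -path '*/octavia-*.dist-info/METADATA' \
                        -o -path '*/octavia*.egg-info/PKG-INFO' \) -print 2>/dev/null | head -n 1)
    if [ -n "$meta" ]; then
        ver=$(awk '/^Version: / { print $2; exit }' "$meta")
        echo "pip $ver"
        return 0
    fi
    echo "none"
}

# assess_image ROOT: print "fixed", "vulnerable" or "unknown".
assess_image() {
    src=$(agent_source "$1")
    case "$src" in
        none) echo "unknown" ;;
        *)
            ver=${src#* }
            if version_ge "$ver" "$FIXED_VERSION"; then
                echo "fixed"
            else
                echo "vulnerable"
            fi
            ;;
    esac
}

# make_sample_root KIND VERSION: build a constructed fake image tree
# ("dpkg" or "pip" flavour) and print its path. Demonstration input only.
make_sample_root() {
    kind="$1"; sver="$2"
    sroot=$(mktemp -d)
    if [ "$kind" = "dpkg" ]; then
        mkdir -p "$sroot/var/lib/dpkg"
        printf 'Package: amphora-agent\nStatus: install ok installed\nVersion: %s-0ubuntu1\n\n' \
            "$sver" > "$sroot/var/lib/dpkg/status"
    else
        d="$sroot/usr/local/lib/python3.6/site-packages/octavia-$sver.dist-info"
        mkdir -p "$d"
        printf 'Metadata-Version: 2.1\nName: octavia\nVersion: %s\n' "$sver" > "$d/METADATA"
    fi
    echo "$sroot"
}

# Usage: sh audit-amphora.sh /mnt/amphora-root
if [ -n "$1" ] && [ -d "$1" ]; then
    echo "$1: $(agent_source "$1") -> $(assess_image "$1")"
fi
```

Run against a mounted image root and the output tells you which of the two cases from the comment you are in: a `pip 4.0.0` result that is reported `vulnerable` is exactly the rebuilt-from-tag image the Ubuntu advisory would wrongly suggest is fixed, while a `dpkg` result shows the agent came from the distribution package and can be matched against the advisory's package version.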