Bug 30054

Summary: golang-github-prometheus-client new security issue CVE-2022-21698
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, guillomovitch, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: golang-github-prometheus-client-1.11.0-2.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 30605    

Description David Walser 2022-02-16 15:06:24 CET 
A security issue fixed upstream in prometheus-client has been announced on February 15:
https://www.openwall.com/lists/oss-security/2022/02/15/1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

The issue is fixed upstream in 1.11.1:
https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU

Mageia 8 is also affected.
David Walser 2022-02-16 15:08:56 CET

Status comment: (none) => Fixed upstream in 1.11.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-02-18 11:55:21 CET 
This is good to asign to Guillaume, the packager for this thing.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2022-03-29 15:31:53 CEST 
Fedora has issued an advisory for skopeo, mentioning this CVE:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/
Comment 3 David Walser 2022-05-02 20:04:41 CEST 
openSUSE has issued an advisory for this on April 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DCH7WCUVWWLVX6ITJIZWAVCPF7EKZ2D6/
Comment 4 Guillaume Rousse 2022-05-11 21:55:09 CEST 
golang-github-prometheus-client-1.11.1-1.mga8.src.rpm submitted to updates_testing
Comment 5 David Walser 2022-05-11 22:28:13 CEST 
golang-github-prometheus-client-devel-1.11.1-1.mga8

from golang-github-prometheus-client-1.11.1-1.mga8.src.rpm

CC: (none) => guillomovitch
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.11.1 => (none)
Assignee: guillomovitch => qa-bugs

Comment 6 Herman Viaene 2022-05-12 15:04:18 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues, draws in 38 other devel-packages.
All developer's stuff, OK on clean install.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2022-05-13 14:35:59 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Dave Hodgins 2022-05-15 00:17:29 CEST 
Advisory committed to svn as ...
type: security
subject: Updated golang-github-prometheus-client packages fix security vulnerability
CVE:
 - CVE-2022-21698
src:
  8:
   core:
     - golang-github-prometheus-client-1.11.1-1.mga8
description: |
  HTTP server is susceptible to a Denial of Service through unbounded
  cardinality, and potential memory exhaustion, when handling requests with
  non-standard HTTP methods.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30054
 - https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/
 - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DCH7WCUVWWLVX6ITJIZWAVCPF7EKZ2D6/

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2022-05-15 12:07:56 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0180.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2022-07-04 21:47:47 CEST

Blocks: (none) => 30605