Bug 31804

Summary: golang-github-prometheus, golang-github-prometheus-exporter-toolkit new security issue CVE-2022-46146
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Guillaume Rousse <guillomovitch>
Status: NEW ---
QA Contact: Sec team <security>
Severity: critical    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: golang-github-prometheus-2.32.1-2.mga9.src.rpm, golang-github-prometheus-exporter-toolkit-0.7.1-1.mga9.src.rpm, golang-github-prometheus-alertmanager-0.23.0-4.mga9.src.rpm
CVE:
Status comment: Fixed upstream in golang-github-prometheus-exporter-toolkit 0.7.2

Description David Walser 2023-04-17 15:14:16 CEST
SUSE has issued an advisory on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014455.html

The issue is fixed upstream in golang-github-prometheus-exporter-toolkit 0.7.2:
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p

According to SUSE, golang-github-prometheus-exporter-toolkit is embedded in the golang-github-prometheus package.

David Walser 2023-04-17 15:15:03 CEST

Status comment: (none) => Fixed upstream in golang-github-prometheus-exporter-toolkit 0.7.2

Comment 1 Lewis Smith 2023-04-17 20:44:36 CEST
I think this is for Guillaume.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2023-05-15 16:35:41 CEST
exporter-toolkit is also embedded in golang-github-prometheus-alertmanager according to SUSE:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014865.html

Source RPM: golang-github-prometheus-2.32.1-2.mga9.src.rpm, golang-github-prometheus-exporter-toolkit-0.7.1-1.mga9.src.rpm => golang-github-prometheus-2.32.1-2.mga9.src.rpm, golang-github-prometheus-exporter-toolkit-0.7.1-1.mga9.src.rpm, golang-github-prometheus-alertmanager-0.23.0-4.mga9.src.rpm