A security issue fixed upstream in prometheus-client has been announced on February 15:
https://www.openwall.com/lists/oss-security/2022/02/15/1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

The issue is fixed upstream in 1.11.1:
https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.11.1
Whiteboard: (none) => MGA8TOO
This is good to assign to Guillaume, the packager for this thing.
Assignee: bugsquad => guillomovitch
Fedora has issued an advisory for skopeo, mentioning this CVE: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/
openSUSE has issued an advisory for this on April 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DCH7WCUVWWLVX6ITJIZWAVCPF7EKZ2D6/
golang-github-prometheus-client-1.11.1-1.mga8.src.rpm submitted to updates_testing
golang-github-prometheus-client-devel-1.11.1-1.mga8 from golang-github-prometheus-client-1.11.1-1.mga8.src.rpm
CC: (none) => guillomovitch
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.11.1 => (none)
Assignee: guillomovitch => qa-bugs
MGA8-64 Plasma on Lenovo B50 in Dutch. No installation issues, draws in 38 other devel-packages. All developer's stuff, OK on clean install.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to svn as ...

type: security
subject: Updated golang-github-prometheus-client packages fix security vulnerability
CVE:
  - CVE-2022-21698
src:
  8:
    core:
      - golang-github-prometheus-client-1.11.1-1.mga8
description: |
  HTTP server is susceptible to a Denial of Service through unbounded cardinality,
  and potential memory exhaustion, when handling requests with non-standard HTTP
  methods.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=30054
  - https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/
  - https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DCH7WCUVWWLVX6ITJIZWAVCPF7EKZ2D6/
CC: (none) => davidwhodgins
Keywords: (none) => advisory
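The advisory's description (unbounded cardinality from request methods used as a metric label) is easiest to see with a small model of the problem. The following Go program is an added example, not code from client_golang, Mageia, or the advisory: it uses a constructed stand-in counter (one map entry per distinct label value) rather than the real Prometheus client, and the `sanitizeMethod` allowlist and the "unknown" bucket are this example's own choices for bounding the label. It counts requests once with the raw `r.Method` as the label and once through the allowlist, then compares how many series each produces.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// knownMethods is a fixed allowlist of HTTP methods that may appear as a label
// value. Anything else collapses into the single bucket "unknown", so the number
// of distinct label values is bounded no matter what clients send.
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// sanitizeMethod maps an arbitrary request method onto the bounded allowlist.
func sanitizeMethod(m string) string {
	u := strings.ToUpper(m)
	if knownMethods[u] {
		return u
	}
	return "unknown"
}

// methodCounter is a constructed stand-in for a labelled counter: one series
// per distinct label value, each costing memory for the lifetime of the process.
type methodCounter struct {
	mu       sync.Mutex
	series   map[string]int
	sanitize bool // true: bounded label; false: raw method string as label
}

func newMethodCounter(sanitize bool) *methodCounter {
	return &methodCounter{series: map[string]int{}, sanitize: sanitize}
}

// Observe records one request under the method label.
func (c *methodCounter) Observe(method string) {
	label := method
	if c.sanitize {
		label = sanitizeMethod(method)
	}
	c.mu.Lock()
	c.series[label]++
	c.mu.Unlock()
}

// Cardinality returns the number of distinct series created so far.
func (c *methodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// instrument wraps an http.Handler so that every request is counted by method,
// the same shape as a metrics middleware in front of an application handler.
func instrument(c *methodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Observe(r.Method)
		next.ServeHTTP(w, r)
	})
}

// simulate sends n requests, each with a different made-up (but syntactically
// valid) method token, plus three ordinary requests, to an instrumented handler
// and returns the resulting series count. The method strings are constructed
// here; in a real server they come from clients, which the server does not control.
func simulate(sanitize bool, n int) int {
	c := newMethodCounter(sanitize)
	h := instrument(c, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("BOGUS%d", i), "/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	for _, m := range []string{"GET", "POST", "get"} {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(m, "/", nil))
	}
	return c.Cardinality()
}

func main() {
	fmt.Println("raw label, 1000 odd methods      ->", simulate(false, 1000), "series")
	fmt.Println("bounded label, 1000 odd methods  ->", simulate(true, 1000), "series")
}
```

With the raw label every distinct method token becomes a new series, so memory grows with the number of distinct strings a client chooses to send; with the allowlist the count stays at the size of the allowlist plus one, whatever the input. The same bounding idea applies to any label whose value is copied from a request (paths, user agents, header values).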
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0180.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Blocks: (none) => 30605