+++ This bug was initially created as a clone of Bug #30054 +++

A security issue fixed upstream in prometheus-client has been announced on February 15:
https://www.openwall.com/lists/oss-security/2022/02/15/1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

The issue is fixed upstream in 1.11.1:
https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU

Mageia 8 is also affected.

Apparently fixing this also requires rebuilding a whole bunch of packages. Fedora has issued several advisories for this on July 4. Hopefully I got all of the ones that might be in Mageia 8.

Package names (in Fedora):
act dnscrypt-proxy containerd clash geoipupdate golang-etcd-bbolt golang-github-aryann-difflib golang-github-andybalholm-cascadia golang-github-aws-lambda golang-github-cactus-statsd-client golang-github-burntsushi-toml golang-github-burntsushi-xgb golang-github-cespare-xxhash golang-github-dgrijalva-jwt golang-github-cpuguy83-md2man golang-github-envoyproxy-protoc-gen-validate golang-github-google-pprof golang-github-google-martian golang-github-grpc-ecosystem-gateway-2 golang-github-hashicorp-serf golang-github-hashicorp-hclog golang-github-hashicorp-sockaddr golang-github-jmespath golang-github-kr-text golang-github-mattn-colorable golang-github-microcosm-cc-bluemonday golang-github-mock golang-github-nbutton23-zxcvbn golang-github-nats-io-nkeys golang-github-nxadm-tail golang-github-olekukonko-tablewriter golang-github-onsi-ginkgo-2 golang-github-pelletier-toml golang-github-pierrec-lz4 golang-github-pelletier-toml-2 golang-github-posener-complete golang-github-posener-complete-2 golang-github-rogpeppe-internal golang-github-rwcarlsen-goexif golang-github-rcrowley-metrics golang-github-sourcegraph-syntaxhighlight golang-github-shopify-sarama golang-github-spf13-cobra golang-github-snappy golang-gopkg-src-d-git-4 golang-google-protobuf golang-google-appengine golang-honnef-tools golang-mvdan-xurls golang-x-exp
golang-sourcegraph-appdash golang-x-mod golang-x-perf golist micro moby-engine nats-server

Fedora advisories:
Seems pterjan is the maintainer of golang-github-prometheus-client now. Assigning to him, CC'ing guillomovitch.
CC: (none) => guillomovitch, marja11
Assignee: bugsquad => pterjan
Finding the exact list of packages to rebuild for a go update is hard :(

Everything is statically linked, and built from source, so most packages contain only sources. The safe way which Fedora seems to have done is to rebuild everything which is not noarch and which has indirect build dependencies on this one in case they would use it, but that's a lot and most of those have no reason to be using any prometheus code, especially not that one. They just use something which uses something with some support for prometheus which they don't use and so don't link in...

If I understand correctly Fedora rebuilt at once all packages where one of the indirect golang dependencies had got a security update.
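One way to find which built binaries actually embed the vulnerable module, instead of rebuilding everything with an indirect build dependency: an added example (not from this bug report, nor a Mageia or Fedora tool) that reads the module list Go records in every module-built binary, the same data `go version -m` shows, and flags github.com/prometheus/client_golang below the fixed 1.11.1. The module path, the fixed version and the sample build-info text are assumptions constructed for the example; checkBinary takes any Go binary on disk.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// Module and first fixed version named in the advisory linked from this bug.
const vulnModule, fixedVersion = "github.com/prometheus/client_golang", "v1.11.1"
// versionKey maps vX.Y.Z[-prerelease][+incompatible] to a string that sorts like
// the version; a pre-release (pseudo-version) gets "false" and so ranks below the release.
func versionKey(v string) string {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, _, pre := strings.Cut(v, "-")
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%09d.%09d.%09d.%t", n[0], n[1], n[2], !pre)
}
// affected lists "path@version" for each dependency that is the vulnerable module below
// fixedVersion; a replace directive wins, since the replacement is what got linked.
func affected(bi *debug.BuildInfo, err error) ([]string, error) {
	if err != nil { // not a Go binary, or malformed text
		return nil, err
	}
	if bi.Main.Path == "" { // GOPATH-mode build: no module list, so no answer
		return nil, fmt.Errorf("no module build info; rebuild to be safe")
	}
	var hits []string
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		if m.Path == vulnModule && versionKey(m.Version) < versionKey(fixedVersion) {
			hits = append(hits, m.Path+"@"+m.Version)
		}
	}
	return hits, nil
}
// checkText takes the build-info text Go embeds in every module-built binary (what
// `go version -m` shows); checkBinary reads it straight from a binary on disk.
func checkText(text string) ([]string, error)  { return affected(debug.ParseBuildInfo(text)) }
func checkBinary(path string) ([]string, error) { return affected(buildinfo.ReadFile(path)) }
// Constructed sample (not from any real package) in that embedded text format.
const sampleInfo = "path\tgithub.com/example/exporter\nmod\tgithub.com/example/exporter\tv0.3.0\n" +
	"dep\tgithub.com/prometheus/client_golang\tv1.11.0\th1:AAAA=\ndep\tgithub.com/prometheus/common\tv0.32.1\th1:BBBB=\n"
func main() { fmt.Println(checkText(sampleInfo)) } // [github.com/prometheus/client_golang@v1.11.0] <nil>
```

Binaries from packages built in GOPATH mode carry no module list, so the check reports an error instead of a clean result; those are the ones that still need the blanket rebuild.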
For geoipupdate our old version is not using go at all.
I was confused by the list but that is because it was a single "Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191, CVE-2022-29526, CVE-2022-30629" so most of the packages listed here don't have any dependencies on prometheus-client but some others with other fixes.
More confusion, more advisories with that same advisory message, but no mention of prometheus: buildah cri-o git-lfs golang go-bindata golang-rsc-pdf singularity podman skopeo runc
More golang rebuilds. android-tools ceph buildah go-bindata golang-rsc-pdf podman singularity
Mageia 8 EOL
CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: NEW => RESOLVED