Bug 30605 - golang-github-prometheus-client new security issue CVE-2022-21698
Summary: golang-github-prometheus-client new security issue CVE-2022-21698
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Pascal Terjan
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 30054
Blocks:
Reported: 2022-07-04 21:47 CEST by David Walser
Modified: 2024-01-12 10:24 CET (History)

See Also:
Source RPM:
CVE:
Status comment:


Description David Walser 2022-07-04 21:47:47 CEST
+++ This bug was initially created as a clone of Bug #30054 +++

A security issue fixed upstream in prometheus-client has been announced on February 15:
https://www.openwall.com/lists/oss-security/2022/02/15/1
https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p

The issue is fixed upstream in 1.11.1:
https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU

Mageia 8 is also affected.


Apparently fixing this also requires rebuilding a whole bunch of packages.

Fedora has issued several advisories for this on July 4.  Hopefully I got all of the ones that might be in Mageia 8.

Package names (in Fedora):
act
dnscrypt-proxy
containerd
clash
geoipupdate
golang-etcd-bbolt
golang-github-aryann-difflib
golang-github-andybalholm-cascadia
golang-github-aws-lambda
golang-github-cactus-statsd-client
golang-github-burntsushi-toml
golang-github-burntsushi-xgb
golang-github-cespare-xxhash
golang-github-dgrijalva-jwt
golang-github-cpuguy83-md2man
golang-github-envoyproxy-protoc-gen-validate
golang-github-google-pprof
golang-github-google-martian
golang-github-grpc-ecosystem-gateway-2
golang-github-hashicorp-serf
golang-github-hashicorp-hclog
golang-github-hashicorp-sockaddr
golang-github-jmespath
golang-github-kr-text
golang-github-mattn-colorable
golang-github-microcosm-cc-bluemonday
golang-github-mock
golang-github-nbutton23-zxcvbn
golang-github-nats-io-nkeys
golang-github-nxadm-tail
golang-github-olekukonko-tablewriter
golang-github-onsi-ginkgo-2
golang-github-pelletier-toml
golang-github-pierrec-lz4
golang-github-pelletier-toml-2
golang-github-posener-complete
golang-github-posener-complete-2
golang-github-rogpeppe-internal
golang-github-rwcarlsen-goexif
golang-github-rcrowley-metrics
golang-github-sourcegraph-syntaxhighlight
golang-github-shopify-sarama
golang-github-spf13-cobra
golang-github-snappy
golang-gopkg-src-d-git-4
golang-google-protobuf
golang-google-appengine
golang-honnef-tools
golang-mvdan-xurls
golang-x-exp
golang-sourcegraph-appdash
golang-x-mod
golang-x-perf
golist
micro
moby-engine
nats-server

Fedora advisories:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/44IMLT4T2RMA22J4Z7F3WX2P7DGY3ETO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PJHZMHCJNFWOYYRG6ZEMNCOTJEUSBF7C/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V3WUELSH5KMHQPCH6UHDFGBMSW3QQENS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EUFJFACPQWAJXKNEG6K3VSB2IH7WFLRF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AJ7AMLRXFJPO3OC5M73QAF2YXHDGP5J7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WHOMQ5NDU5FLWNXAVVRHWUZPYVFGG4XW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3DSZYNMKA2DVGPBTAMJQL4E27OICRPVZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NUPDN2MJJW4I7AIXWDTR2VQXTRHIPZMF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IHNJAIJJLKQXVIRDNVSHPVQNSDFSBPXE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KWWJ4SMQUVKD3YWRG5AGTP6V4YELPYSE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3K7C4XBZQWZGMZ3AF3GZPX4RC7CRQPOP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UZAPRM2NE6TF4U5KQNAQFUTU5GS2DIAG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3NDFAIYSP3SPP6P5CH5CQA3RW55S6GOB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CXMOHAAYF6DNQTUC6L6U3GQRISC3IH4Z/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M7QYMFBOIDSOPGLWS6C5SYHU6ZGBWTXT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HG3BIIRLDGSLCKHVJIAZULKZ2R5IFT6R/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/65VGNGEP3WRU2ZO42EHP3Y5UWRSWFBXB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SA3PXYVVR4USWT6K7YVZK7IEAFRAUE7G/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EP67YWXAOWVEBF7MIWGB3W6NPRRQB6ZC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U5EMCTTKBXB66FJE4WYA67SJISLQBVGW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/W7NP2II4APIHY5QNAZA6G54TJVN5Y2LY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PSEKRCCLNNPKT4RWONI5YGAVBLYISQCT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IJETGS5CK7I44IFB5HAKNUDAI4TPMMAZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BBQ6FYCQYXHV2NVJSA6WNP3IKKZUPJOC/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OAGDI2NV4QZDQOGQD66R7WQAAORNIAOL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FXTC6FW73R5BCABMX3JD6F5UUGO73H2M/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VG55M3VCGA5FKS3J6HTWZXFABXSO3WX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EYUUFWRDZEUIO333NITATI5NNNTU4XYL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WPKWV2T5XSTIP5ZZFATRAV7G4EMLII47/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7DBAPUQPJRU3QPVITAPWLGPSN4YWUGKW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IEHQTPIE2XBABAUAE5PQUXXMPWBVI3Q6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LBQJ2FYYMTIXDGINOT7QW433FWL7UWBY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VAY4DJ6KV4FW5IDQRNVVAN3HPWA5OBZ4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QB3AEF2RRYXXM764DYC3PJRY4ITQWMHH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ISPOUKH6D7QZ35HRWHMLFTUEIGRB6KOX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EGCGH3UFEB7RYBZNZGYP3HOUKHQVZMCT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWMHZ6YVCWYJNTLW4SC3MECSP7PQB7SO/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NAOFM3LDAF2XDZHINASH3PA6ZBJDEDNL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YCL62WLUIZJTDC2YDMMNLATEYGM6TI65/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KFOIN2TP5FPLZVM2BOBRPULFVIY7EJNY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZE5BC5SZVS7JHGAO2OJWJLSJDZRTCV63/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VFAIYFQNQMQFX2TS2YFQW3TVNNFRP4XB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QVXEU32R46LDHEL3GH4LPZSKMXAVIXPI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F72D3FXBSDTSFJA36QBLFCG3H6OHSQDA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UOU6HQINQPZMKR3XVNU7TWBLQZL5MZ5A/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TFHED4S342HCHA7X73O3CPZAFWNYMR3S/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUWBKHRD7BPTOWA3KP2MM5IMXPKPTAO7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DOH4JWPFVXZRIVHHSR6ASE6DFPWLKVXY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5QXMDG7I5XWBTT7OEMJXD5ZNHECNLZBT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHZYT2W7YBYNJT2HLN2UIDORHYRGLJWI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TD7BYDIA4PB67IYLJRPTE5MCMNZEJBBE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/43NHAMYNTJVOLMZKNKE3XIJ6IRZ6PCTL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XOGCZCPAU3BQRS5IVWLKK3OUOCFPEGWQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RBQ5U4XRWKYNW2DNIZ7TNOIC5HZ6JXVA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EVINETANORK4VAUN6BGZNWFDNECFYAD2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PPX62NU4GOE7UMFTRBN6U7RXZOXSED4B/
Comment 1 Marja Van Waes 2022-07-06 11:15:09 CEST
Seems pterjan is the maintainer of golang-github-prometheus-client now

Assigning to him, CC'ing guillomovitch

CC: (none) => guillomovitch, marja11
Assignee: bugsquad => pterjan

Comment 2 Pascal Terjan 2022-07-08 16:17:32 CEST
Finding the exact list of packages to rebuild for a go update is hard :(

Everything is statically linked, and built from source, so most packages contain only sources.

The safe way which Fedora seems to have done is to rebuild everything which is not noarch and which has indirect build dependencies on this one in case they would use it, but that's a lot and most of those have no reason to be using any prometheus code, especially not that one. They just use something which uses something with some support for prometheus which they don't use and so don't link in...

If I understand correctly Fedora rebuilt at once all packages where one of the indirect golang dependencies had got a security update.
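One way to answer the question raised in Comment 2 (which statically linked Go binaries actually embed the vulnerable module) is to read the module list that the Go toolchain records in each binary, as printed by `go version -m`. The program below is an added example, not part of this bug report or of Mageia's or Fedora's tooling: it parses that output for any number of binaries and reports those linking client_golang older than the 1.11.1 fix, treating pseudo-versions (v1.11.1-0.2022...) as pre-release and therefore still affected. The binary paths and the file name `affected.go` in the usage comment are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// Module and fixed version named in the bug report.
const vulnModule, fixedVersion = "github.com/prometheus/client_golang", "v1.11.1"

// key orders module versions (v1.11.0, pseudo v1.11.1-0.2022..., v2.0.0+incompatible) like semver.
func key(v string) string {
	base, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	base, _, _ = strings.Cut(base, "+") // drop build metadata such as +incompatible
	var n [3]int
	fmt.Sscanf(base, "%d.%d.%d", &n[0], &n[1], &n[2])
	// "%t" of !pre: "false" (pre-release) < "true" (release), so v1.11.1-0.2022... predates the fix
	return fmt.Sprintf("%06d.%06d.%06d.%t", n[0], n[1], n[2], !pre)
}
func olderThan(v, fixed string) bool { return key(v) < key(fixed) }

// AffectedBinaries scans `go version -m` output for any number of binaries and
// maps binary path -> linked client_golang version for those still below the fix.
func AffectedBinaries(goVersionM string) map[string]string {
	out, bin := map[string]string{}, ""
	for _, line := range strings.Split(goVersionM, "\n") {
		if !strings.HasPrefix(line, "\t") { // header line: "/usr/bin/foo: go1.17.8"
			bin = strings.SplitN(line, ":", 2)[0]
			continue
		}
		f := strings.Split(line[1:], "\t") // record kind, module path, version, sum
		if len(f) < 3 || f[1] != vulnModule || (f[0] != "dep" && f[0] != "mod" && f[0] != "=>") {
			continue
		}
		delete(out, bin) // a same-path "=>" replacement record supersedes the dep record
		if olderThan(f[2], fixedVersion) {
			out[bin] = f[2]
		}
	}
	return out
}

func main() { // usage: go version -m /usr/bin/* 2>/dev/null | go run affected.go
	in, _ := io.ReadAll(os.Stdin)
	for bin, ver := range AffectedBinaries(string(in)) {
		fmt.Printf("%s links %s %s (< %s)\n", bin, vulnModule, ver, fixedVersion)
	}
}
```

Binaries built in GOPATH mode carry no module list, so `go version -m` prints only the Go version for them and they are never flagged; absence from the output is not proof that the module is not linked in.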
Comment 3 Pascal Terjan 2022-07-08 16:30:30 CEST
For geoipupdate our old version is not using go at all.
Comment 4 Pascal Terjan 2022-07-08 18:18:13 CEST
I was confused by the list but that is because it was a single "Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191, CVE-2022-29526, CVE-2022-30629" so most of the packages listed here don't have any dependencies on prometheus-client but on some others with other fixes.
Comment 5 David Walser 2022-07-13 15:33:45 CEST
More confusion, more advisories with that same advisory message, but no mention of prometheus:
buildah
cri-o
git-lfs
golang
go-bindata
golang-rsc-pdf
singularity
podman
skopeo
runc

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VFVK34BIRQO4QCWMRG7EEWEDD6VFNOXX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CA2EILDCZN6TXALMMCW4QVRQO6MJD62H/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DL5FCDFOMVWCJX3MXNZJJEQYBNI2NVQU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XWKURJGBTT6L6RN4QDSNG7RTJUJAV22Q/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KEUEN7G6IWGXMY37GZ6Q33K3LYD4CWBI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BYZDFF35N4QBN7CRXUAZUFK4DLIYQUXF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OVIXTPLASCDQPO2LWEPRRSZCQ5EG6JUH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VIJZWIJZ5DA2DOH2MWXH3LFGRVVDHPDP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QXPKBOAQIM4JJ5JOLPRPNZ6Z2PPJAOSQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DF2QS4MJQRCP6PLXCM5HURXYV35JFWNC/
Comment 7 Nicolas Salguero 2024-01-12 10:24:32 CET
Mageia 8 EOL

CC: (none) => nicolas.salguero
Resolution: (none) => OLD
Status: NEW => RESOLVED

