31804 – golang-github-prometheus, golang-github-prometheus-exporter-toolkit new security issue CVE-2022-46146

Bug 31804 - golang-github-prometheus, golang-github-prometheus-exporter-toolkit new security issue CVE-2022-46146

Summary: golang-github-prometheus, golang-github-prometheus-exporter-toolkit new secur...

Status:	NEW

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	Cauldron
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	Guillaume Rousse
QA Contact:	Sec team

URL:
Whiteboard:	MGA9TOO
Keywords:

Depends on:
Blocks:

Reported:	2023-04-17 15:14 CEST by David Walser
Modified:	2025-02-14 11:52 CET (History)
CC List:	1 user (show)

See Also:
Source RPM:	golang-github-prometheus-2.32.1-2.mga9.src.rpm, golang-github-prometheus-exporter-toolkit-0.7.1-1.mga9.src.rpm, golang-github-prometheus-alertmanager-0.23.0-4.mga9.src.rpm
CVE:
Status comment:	Fixed upstream in golang-github-prometheus-exporter-toolkit 0.7.2

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-04-17 15:14:16 CEST

SUSE has issued an advisory on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014455.html

The issue is fixed upstream in golang-github-prometheus-exporter-toolkit 0.7.2:
https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p

According to SUSE, golang-github-prometheus-exporter-toolkit is embedded in the golang-github-prometheus package.

David Walser 2023-04-17 15:15:03 CEST

Status comment: (none) => Fixed upstream in golang-github-prometheus-exporter-toolkit 0.7.2

Comment 1 Lewis Smith 2023-04-17 20:44:36 CEST

I think this is for Guillaume.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2023-05-15 16:35:41 CEST

exporter-toolkit is also embedded in golang-github-prometheus-alertmanager according to SUSE:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014865.html

Source RPM: golang-github-prometheus-2.32.1-2.mga9.src.rpm, golang-github-prometheus-exporter-toolkit-0.7.1-1.mga9.src.rpm => golang-github-prometheus-2.32.1-2.mga9.src.rpm, golang-github-prometheus-exporter-toolkit-0.7.1-1.mga9.src.rpm, golang-github-prometheus-alertmanager-0.23.0-4.mga9.src.rpm

Comment 3 Nicolas Salguero 2025-02-14 11:52:50 CET

For Cauldron, golang-github-prometheus-exporter-toolkit has been updated to version 0.13.2 but golang-github-prometheus and golang-github-prometheus-alertmanager are not updated for the moment.

Whiteboard: (none) => MGA9TOO
CC: (none) => nicolas.salguero

Note You need to log in before you can comment on or make changes to this bug.