Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] #28

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/prometheus/client_golang v1.11.0 -> v1.11.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-21698

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

  • Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
  • Do not filter any specific methods (e.g GET) before middleware.
  • Pass metric with method label name to our middleware.
  • Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

  • Remove method label name from counter/gauge you use in the InstrumentHandler.
  • Turn off affected promhttp handlers.
  • Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
  • Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:


Release Notes

prometheus/client_golang (github.com/prometheus/client_golang)

v1.11.1: 1.11.1 / 2022-02-15

Compare Source

What's Changed

Full Changelog: prometheus/client_golang@v1.11.0...v1.11.1


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] - autoclosed Nov 21, 2024
@renovate renovate bot closed this Nov 21, 2024
@renovate renovate bot deleted the renovate/go-github.com-prometheus-client_golang-vulnerability branch November 21, 2024 05:23
@renovate renovate bot changed the title fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] - autoclosed fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] Nov 21, 2024
@renovate renovate bot reopened this Nov 21, 2024
@renovate renovate bot force-pushed the renovate/go-github.com-prometheus-client_golang-vulnerability branch from 4ebae64 to b56d316 Compare November 21, 2024 07:53
@renovate renovate bot changed the title fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] - autoclosed Dec 12, 2024
@renovate renovate bot closed this Dec 12, 2024
@renovate renovate bot changed the title fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] - autoclosed fix(deps): update module github.com/prometheus/client_golang to v1.11.1 [security] Dec 12, 2024
@renovate renovate bot reopened this Dec 12, 2024
@renovate renovate bot force-pushed the renovate/go-github.com-prometheus-client_golang-vulnerability branch from a7fe53a to b56d316 Compare December 12, 2024 23:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants