Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update module github.com/prometheus/client_golang to v1.11.1 [SECURITY] #154

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update module github.com/prometheus/client_golang to v1.11.1 [SECURITY] #154

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 4, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/prometheus/client_golang v1.7.1 -> v1.11.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-21698

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

  • Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
  • Do not filter any specific methods (e.g GET) before middleware.
  • Pass metric with method label name to our middleware.
  • Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

  • Remove method label name from counter/gauge you use in the InstrumentHandler.
  • Turn off affected promhttp handlers.
  • Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
  • Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:

Release Notes

prometheus/client_golang (github.com/prometheus/client_golang)

v1.11.1: 1.11.1 / 2022-02-15

Compare Source

What's Changed

Full Changelog: prometheus/client_golang@v1.11.0...v1.11.1

v1.11.0: / 2021-06-07

Compare Source

  • [CHANGE] Add new collectors package. #​862
  • [CHANGE] prometheus.NewExpvarCollector is deprecated, use collectors.NewExpvarCollector instead. #​862
  • [CHANGE] prometheus.NewGoCollector is deprecated, use collectors.NewGoCollector instead. #​862
  • [CHANGE] prometheus.NewBuildInfoCollector is deprecated, use collectors.NewBuildInfoCollector instead. #​862
  • [FEATURE] Add new collector for database/sql#DBStats. #​866
  • [FEATURE] API client: Add exemplars API support. #​861
  • [ENHANCEMENT] API client: Add newer fields to Rules API. #​855
  • [ENHANCEMENT] API client: Add missing fields to Targets API. #​856

What's Changed

New Contributors

Full Changelog: prometheus/client_golang@v1.10.0...v1.11.0

v1.10.0: 1.10.0 / 2021-03-18

Compare Source

  • [CHANGE] Minimum required Go version is now 1.13.
  • [CHANGE] API client: Add matchers to LabelNames and LabesValues. #​828
  • [FEATURE] API client: Add buildinfo call. #​841
  • [BUGFIX] Fix build on riscv64. #​833

What's Changed

New Contributors

Full Changelog: prometheus/client_golang@v1.9.0...v1.10.0

v1.9.0: 1.9.0 / 2020-12-17

Compare Source

  • [FEATURE] NewPidFileFn helper to create process collectors for processes whose PID is read from a file. #​804
  • [BUGFIX] promhttp: Prevent endless loop in InstrumentHandler... middlewares with invalid metric or label names. #​823

What's Changed

New Contributors

Full Changelog: prometheus/client_golang@v1.8.0...v1.9.0

v1.8.0: 1.8.0 / 2020-10-15

Compare Source

  • [CHANGE] API client: Use time.Time rather than string for timestamps in RuntimeinfoResult. #​777
  • [FEATURE] Export MetricVec to facilitate implementation of vectors of custom Metric types. #​803
  • [FEATURE API client: Support /status/tsdb endpoint. #​773
  • [ENHANCEMENT] API client: Enable GET fallback on status code 501. #​802
  • [ENHANCEMENT] Remove Metric references after reslicing to free up more memory. #​784

What's Changed

New Contributors

Full Changelog: prometheus/client_golang@v1.7.1...v1.8.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants