Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update module github.com/prometheus/client_golang to v1.11.1 [SECURITY] #83

Merged

Conversation

lunar-renovate
Copy link
Contributor

This PR contains the following updates:

Package Type Update Change
github.com/prometheus/client_golang require minor v1.10.0 -> v1.11.1

GitHub Vulnerability Alerts

CVE-2022-21698

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

  • Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
  • Do not filter any specific methods (e.g GET) before middleware.
  • Pass metric with method label name to our middleware.
  • Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

  • Remove method label name from counter/gauge you use in the InstrumentHandler.
  • Turn off affected promhttp handlers.
  • Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
  • Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:


Release Notes

prometheus/client_golang (github.com/prometheus/client_golang)

v1.11.1: 1.11.1 / 2022-02-15

Compare Source

What's Changed

Full Changelog: prometheus/client_golang@v1.11.0...v1.11.1

v1.11.0: / 2021-06-07

Compare Source

  • [CHANGE] Add new collectors package. #​862
  • [CHANGE] prometheus.NewExpvarCollector is deprecated, use collectors.NewExpvarCollector instead. #​862
  • [CHANGE] prometheus.NewGoCollector is deprecated, use collectors.NewGoCollector instead. #​862
  • [CHANGE] prometheus.NewBuildInfoCollector is deprecated, use collectors.NewBuildInfoCollector instead. #​862
  • [FEATURE] Add new collector for database/sql#DBStats. #​866
  • [FEATURE] API client: Add exemplars API support. #​861
  • [ENHANCEMENT] API client: Add newer fields to Rules API. #​855
  • [ENHANCEMENT] API client: Add missing fields to Targets API. #​856

What's Changed

New Contributors

Full Changelog: prometheus/client_golang@v1.10.0...v1.11.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@lunar-renovate lunar-renovate requested a review from a team as a code owner October 12, 2023 06:58
@lunar-renovate lunar-renovate added the dependencies Pull requests that update a dependency file label Oct 12, 2023
@cablunar cablunar merged commit 691de31 into master Oct 12, 2023
2 checks passed
@cablunar cablunar deleted the renovate/go-github.com/prometheus/client_golang-vulnerability branch October 12, 2023 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants