prometheus: CVE-2019-3826: Stored DOM cross-site scripting (XSS) attack via crafted URL


Debian Bug report logs - #921615

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Feb 2019 08:18:05 UTC

Severity: grave

Tags: security, upstream

Found in version prometheus/2.6.0+ds-1

Fixed in version prometheus/2.7.1+ds-1

Done: Martín Ferrari <tincho@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/prometheus/prometheus/pull/5163



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#921615; Package src:prometheus. (Thu, 07 Feb 2019 08:18:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Thu, 07 Feb 2019 08:18:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: prometheus: CVE-2019-3826: Stored DOM cross-site scripting (XSS) attack via crafted URL
Date: Thu, 07 Feb 2019 09:16:48 +0100
Source: prometheus
Version: 2.6.0+ds-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/prometheus/prometheus/pull/5163

Hi,

The following vulnerability was published for prometheus.

CVE-2019-3826[0]:
Stored DOM cross-site scripting (XSS) attack via crafted URL

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3826
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3826
[1] https://github.com/prometheus/prometheus/pull/5163

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#921615. (Thu, 07 Feb 2019 17:15:10 GMT)


Message #8 received at 921615-submitter@bugs.debian.org:

From: Martín Ferrari <>, @godard.debian.org
To: 921615-submitter@bugs.debian.org
Subject: Bug #921615 in prometheus marked as pending
Date: Thu, 07 Feb 2019 17:13:11 +0000
Control: tag -1 pending

Hello,

Bug #921615 in prometheus reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/prometheus/commit/1cd743bc0012935842adb5941258c9ed8bff85fe

------------------------------------------------------------------------
New upstream release. Includes fix for CVE-2019-3826 (Stored DOM cross-site scripting (XSS) attack via crafted URL). Closes: #921615
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/921615



Added tag(s) pending. Request was from Martín Ferrari <>, @godard.debian.org to 921615-submitter@bugs.debian.org. (Thu, 07 Feb 2019 17:15:10 GMT)


Reply sent to Martín Ferrari <tincho@debian.org>:
You have taken responsibility. (Sun, 10 Feb 2019 05:30:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 10 Feb 2019 05:30:08 GMT)


Message #15 received at 921615-close@bugs.debian.org:

From: Martín Ferrari <tincho@debian.org>
To: 921615-close@bugs.debian.org
Subject: Bug#921615: fixed in prometheus 2.7.1+ds-1
Date: Sun, 10 Feb 2019 05:26:58 +0000
Source: prometheus
Source-Version: 2.7.1+ds-1

We believe that the bug you reported is fixed in the latest version of
prometheus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921615@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martín Ferrari <tincho@debian.org> (supplier of updated prometheus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 10 Feb 2019 04:45:36 +0000
Source: prometheus
Architecture: source
Version: 2.7.1+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Martín Ferrari <tincho@debian.org>
Closes: 921615
Changes:
 prometheus (2.7.1+ds-1) unstable; urgency=medium
 .
   * New upstream release. Includes fix for CVE-2019-3826 (Stored DOM cross-site
     scripting (XSS) attack via crafted URL). Closes: #921615
   * Refresh patches.
   * debian/control: Update tsdb version dependency.
   * Update Standards-Version with no changes.
   * Revert commit c7d83b2 as the feature it introduces pulls a new version
     of a dependency. To be removed soon.
   * debian/rules: Regenerate protobuf files at buildtime.
   * Use a different port for tests that run prometheus.
Checksums-Sha1:
 5122de3fef498685ff734c490237024a3ab9687c 3438 prometheus_2.7.1+ds-1.dsc
 d3eef4c8ac99a311102590f2fac384a9e4c9ee25 634122 prometheus_2.7.1+ds.orig.tar.gz
 5fc36011a3b9e3e3e32e6435b9154b3a7d23e7af 34476 prometheus_2.7.1+ds-1.debian.tar.xz
 0e672515481f447314eace4a36a7040e93e530a7 11828 prometheus_2.7.1+ds-1_amd64.buildinfo
Checksums-Sha256:
 e966df49a95749ecc1f452eb59c21ea9b85cb9e83a505337e9ffd8ed292cbc5c 3438 prometheus_2.7.1+ds-1.dsc
 d43f86c934b98397a1431006222115a4945a9025e76ae1bdee03b997b8af42d6 634122 prometheus_2.7.1+ds.orig.tar.gz
 336bf98e7dc2cafaaabd6e20b76222a0d54338cf103aca832770ebf98b3e63f7 34476 prometheus_2.7.1+ds-1.debian.tar.xz
 734f05b2ae96bb997f1e904803c1b27d23af626fa7efc2d13bc74331b8d83eb9 11828 prometheus_2.7.1+ds-1_amd64.buildinfo
Files:
 256138492527986881bd93d6c11fd420 3438 net optional prometheus_2.7.1+ds-1.dsc
 5448d97e42a3a421c163be247cb98029 634122 net optional prometheus_2.7.1+ds.orig.tar.gz
 c08ff1807fabb246a6677ba53d8e6acd 34476 net optional prometheus_2.7.1+ds-1.debian.tar.xz
 8b51b3ff64e42f43c84e9f5cc4c08a18 11828 net optional prometheus_2.7.1+ds-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Mar 2019 07:26:15 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:42:48 2019; Machine Name: beach
