CVE-2022-21698: denial of service in client_golang


Debian Bug report logs - #1008008


Reported by: Markus Koschany <apo@debian.org>

Date: Sun, 20 Mar 2022 14:30:02 UTC

Severity: important

Tags: security, upstream

Fixed in version golang-github-prometheus-client-golang/1.11.1-1

Done: Guillem Jover <gjover@sipwise.com>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>:
Bug#1008008; Package golang-github-prometheus-client-golang. (Sun, 20 Mar 2022 14:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>. (Sun, 20 Mar 2022 14:30:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: submit <submit@bugs.debian.org>
Subject: CVE-2022-21698: denial of service in client_golang
Date: Sun, 20 Mar 2022 15:26:42 +0100
[Message part 1 (text/plain, inline)]
Package: golang-github-prometheus-client-golang
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-prometheus-client-golang.

CVE-2022-21698[0]:
| client_golang is the instrumentation library for Go applications in
| Prometheus, and the promhttp package in client_golang provides tooling
| around HTTP servers and clients. In client_golang prior to version
| 1.11.1, HTTP server is susceptible to a Denial of Service through
| unbounded cardinality, and potential memory exhaustion, when handling
| requests with non-standard HTTP methods. In order to be affected, an
| instrumented software must use any of `promhttp.InstrumentHandler*`
| middleware except `RequestsInFlight`; not filter any specific methods
| (e.g GET) before middleware; pass metric with `method` label name to
| our middleware; and not have any firewall/LB/proxy that filters away
| requests with unknown `method`. client_golang version 1.11.1 contains
| a patch for this issue. Several workarounds are available, including
| removing the `method` label name from counter/gauge used in the
| InstrumentHandler; turning off affected promhttp handlers; adding
| custom middleware before promhttp handler that will sanitize the
| request method given by Go http.Request; and using a reverse proxy or
| web application firewall, configured to only allow a limited set of
| methods.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-21698
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21698

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

[signature.asc (application/pgp-signature, inline)]
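The "custom middleware before promhttp handler that will sanitize the request method" workaround from the CVE text, as an added Go example that is not part of the bug report or of client_golang. It assumes a plain map as a stand-in for a Prometheus counter with a `method` label (so it needs no Prometheus dependency), and the `allowedMethods` list and the `unknown` bucket name are choices made here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Standard methods allowed as a `method` label value; anything else is
// collapsed to one constant so label cardinality stays bounded.
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "PATCH": true,
	"DELETE": true, "CONNECT": true, "OPTIONS": true, "TRACE": true,
}

// SanitizeMethod is middleware to place in front of the instrumented handler.
func SanitizeMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			r.Method = "unknown" // bucket name chosen for this example
		}
		next.ServeHTTP(w, r)
	})
}

// instrument stands in for a promhttp handler fed a counter with a `method`
// label: each distinct method string becomes its own time series (map key).
func instrument(series map[string]int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		series[r.Method]++ // unbounded when r.Method is attacker-controlled
		next.ServeHTTP(w, r)
	})
}

// Cardinality sends n constructed requests with distinct made-up methods
// ("X0", "X1", ...) through the chain and returns how many label values exist.
func Cardinality(n int, sanitize bool) int {
	series := map[string]int{}
	var h http.Handler = instrument(series, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	if sanitize {
		h = SanitizeMethod(h)
	}
	for i := 0; i < n; i++ {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(fmt.Sprintf("X%d", i), "/", nil))
	}
	return len(series)
}

func main() {
	fmt.Println(Cardinality(1000, false), Cardinality(1000, true)) // prints "1000 1"
}
```

Without the middleware every distinct method token becomes a new series; with it, the series count stays at one regardless of how many unknown methods arrive.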

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 20 Mar 2022 14:39:03 GMT) (full text, mbox, link).


Reply sent to Guillem Jover <gjover@sipwise.com>:
You have taken responsibility. (Mon, 21 Mar 2022 11:39:09 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Mon, 21 Mar 2022 11:39:09 GMT) (full text, mbox, link).


Message #12 received at 1008008-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1008008-close@bugs.debian.org
Subject: Bug#1008008: fixed in golang-github-prometheus-client-golang 1.11.1-1
Date: Mon, 21 Mar 2022 11:34:44 +0000
Source: golang-github-prometheus-client-golang
Source-Version: 1.11.1-1
Done: Guillem Jover <gjover@sipwise.com>

We believe that the bug you reported is fixed in the latest version of
golang-github-prometheus-client-golang, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1008008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <gjover@sipwise.com> (supplier of updated golang-github-prometheus-client-golang package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 21 Mar 2022 12:19:40 +0100
Source: golang-github-prometheus-client-golang
Architecture: source
Version: 1.11.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Guillem Jover <gjover@sipwise.com>
Closes: 1008008
Changes:
 golang-github-prometheus-client-golang (1.11.1-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Guillem Jover ]
   * New upstream release.
     - Fixes denial of service through unbounded credentials (CVE-2022-21698).
       Closes: #1008008
 .
   [ Daniel Swarbrick ]
   * Drop nonexistent alternative build-dep golang-github-golang-protobuf-dev


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Mar 21 13:08:43 2022; Machine Name: bembo
