Your message dated Wed, 30 Nov 2022 06:52:50 +0100
with message-id <Y4bvsv1z/[email protected]>
and subject line Re: Accepted golang-github-prometheus-exporter-toolkit 0.8.2-1
(source) into unstable
has caused the Debian Bug report #1025127,
regarding golang-github-prometheus-exporter-toolkit: CVE-2022-46146
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1025127: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025127
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-prometheus-exporter-toolkit
Version: 0.8.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for
golang-github-prometheus-exporter-toolkit.
CVE-2022-46146[0]:
| Prometheus Exporter Toolkit is a utility package to build exporters.
| Prior to versions 0.7.2 and 0.8.2, if someone has access to a
| Prometheus web.yml file and users' bcrypted passwords, they can bypass
| security by poisoning the built-in authentication cache. Versions
| 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround,
| but attacker must have access to the hashed password to use this
| functionality.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46146
https://www.cve.org/CVERecord?id=CVE-2022-46146
[1] https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
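Added example (not part of the bug report or of upstream's code): a small Go check that flags go.mod requirements on exporter-toolkit older than the fixed versions 0.7.2 and 0.8.2 named in the CVE text. The module path is taken from the advisory URL; the sample go.mod and the function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module path as it appears in the upstream advisory URL.
const modulePath = "github.com/prometheus/exporter-toolkit"

// affected reports whether a Go module version predates the fixes named in
// the CVE text (0.7.2 and 0.8.2). Pre-release and pseudo-versions of a fixed
// tag (e.g. v0.8.2-0.<date>-<hash>) sort before it, so they are flagged too.
func affected(version string) bool {
	var major, minor, patch int
	if n, _ := fmt.Sscanf(version, "v%d.%d.%d", &major, &minor, &patch); n != 3 {
		return true // unparseable: flag for manual review
	}
	if major > 0 || minor > 8 {
		return false
	}
	pre := strings.Contains(version, "-")
	fixed := minor >= 7 && (patch > 2 || (patch == 2 && !pre))
	return !fixed
}

// scanGoMod returns every affected version of modulePath required in the
// given go.mod text (single-line and block require forms).
func scanGoMod(gomod string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == modulePath && affected(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

func main() {
	// Constructed go.mod for illustration, not from a real project.
	sample := "module example.test/exporter\n\nrequire (\n" +
		"\tgithub.com/prometheus/client_golang v1.14.0\n" +
		"\t" + modulePath + " v0.8.1\n)\n"
	fmt.Println(scanGoMod(sample))
}
```

The scan covers `require` lines only; `replace` directives that pin the module to another version need a separate look.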
--- Begin Message ---
Source: golang-github-prometheus-exporter-toolkit
Source-Version: 0.8.2-1
On Wed, Nov 30, 2022 at 04:49:54AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Wed, 30 Nov 2022 04:25:05 +0000
> Source: golang-github-prometheus-exporter-toolkit
> Architecture: source
> Version: 0.8.2-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Go Packaging Team <[email protected]>
> Changed-By: Daniel Swarbrick <[email protected]>
> Changes:
> golang-github-prometheus-exporter-toolkit (0.8.2-1) unstable; urgency=medium
> .
> * New upstream release (fixes CVE-2022-46146)
> * Add a Breaks prometheus-node-exporter (<< 1.4.1-1) for API break
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
>
--- End Message ---