Dear Prometheans,

We have released Prometheus v2.26.1 and v2.27.1. These releases fix an “Open Redirect” security issue (CWE-601) and have been assigned the CVE number CVE-2021-29622 <https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7>.
The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.

Please find more information here:
https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

The Prometheus team thanks Aaron Devaney from MDSec for reporting this issue.

Timeline:

- May 12, 2021: Issue reported privately to Prometheus team
- May 12, 2021: A fix is proposed and reviewed
- May 13, 2021: CVE-2021-29622 issued by GitHub staff
- May 18, 2021: Bugfix released for the last two minor releases of Prometheus.

The releases can be found in the usual locations:

v2.26.1: https://github.com/prometheus/prometheus/releases/tag/v2.26.1
v2.27.1: https://github.com/prometheus/prometheus/releases/tag/v2.27.1

Thanks,
The Prometheus Team