Hi,

Recently we released two new versions for Prometheus client_golang. Thanks 
for all your contributions!


   - Patch release v1.11.1
   <https://github.com/prometheus/client_golang/releases/tag/v1.11.1> with
   just the security fix for the just-published CVE-2022-21698
   <https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>
   - Minor + patch release v1.12.1
   <https://github.com/prometheus/client_golang/releases/tag/v1.12.1> with
   (in comparison to v1.11):
      - Improved efficiency of API client
      - Go collector now exposes much richer Go process metrics (plus the
      old ones), all from the new runtime/metrics
      <https://pkg.go.dev/runtime/metrics> package. Thanks to the Go team
      and particularly Michael <https://github.com/mknyszek> for this
      contribution. NOTE: This might slightly increase the total series count
      exposed about the Go process. See this discussion
      <https://github.com/prometheus/client_golang/issues/967#issuecomment-1028850776>
      for details.
      - Added client API support for TSDB Status and WAL Replay Platform API
      - Security fix for the just-published CVE-2022-21698
      <https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>

*IMPORTANT:* We recommend upgrading client_golang to any of those versions,
given the uncovered CVE. Please see details, whether you are affected, and
workarounds here
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>.

It is also recommended to check other, non-client_golang metric server
implementations to see if they are vulnerable to a similar "HTTP method" issue.
Kudos to David <https://github.com/dgl> for reporting this to us so quickly.

Kind Regards,
Bartek Plotka @bwplotka
