Dear Prometheans,

There is another bugfix release for the Prometheus server: v2.33.5. The
only change in our code is a fix for a deadlock in remote-write. However,
the binaries published with this release have been built with Go1.17.9,
which fixes CVE-2022-24921. Therefore,
if you use our pre-built binaries or container images, you should update to
enjoy this security fix.

I should also note that this bugfix release updates the dependency from v1.5.9 to v1.6.1. We
usually don’t update dependencies in bugfix releases, unless, well, it
fixes a bug. v1.5.9 has a number of security issues, none of which affects
Prometheus, but the mere existence of the (indirect) dependency triggers
security scanners. It is somewhat questionable if we should take the risk
of an update to avoid false positives reported by imperfect tools rather
than fixing an actual issue. In this case, the risk was pretty low, so we
went for it. But let me make use of this opportunity to ask you all to not
send us raw reports from automated security scanners without first
validating that there is any impact. Those reports are very noisy with many
false positives, and we run automated scans ourselves anyway.

Binaries are available on the GitHub release page.

You can find container images at Quay and Docker Hub.

2.33.5 / 2022-03-08

The binaries published with this release are built with Go1.17.8 to avoid

   - [BUGFIX] Remote-write: Fix deadlock between adding to queue and
   getting batch. #10395
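Because the security fix in this release lives in the Go toolchain rather than in Prometheus code, the practical check is which Go version a given binary was actually built with. The following Go program is an added example, not part of this announcement or of the Prometheus project: it reads the toolchain version embedded in a binary with the standard library's debug/buildinfo and compares it against the version given in the changelog entry above (the constant and function names are mine, and the minimum version is an assumption taken from that entry).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"strconv"
	"strings"
)

// Minimum toolchain to accept, taken from the changelog entry above.
const fixedToolchain = "go1.17.8"

// versionKey maps "go1.17.8" to 1017008 so versions compare as integers; "go1.18rc1" is rejected.
func versionKey(v string) (int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) == 2 {
		parts = append(parts, "0") // "go1.18" means go1.18.0
	}
	if len(parts) != 3 {
		return 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	key := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, fmt.Errorf("unrecognised Go version %q", v)
		}
		key = key*1000 + n
	}
	return key, nil
}

// BuiltWithAtLeast reports whether toolchain version have is >= want.
func BuiltWithAtLeast(have, want string) (bool, error) {
	h, err := versionKey(have)
	w, errW := versionKey(want)
	if err == nil {
		err = errW
	}
	return err == nil && h >= w, err
}

// ToolchainOf reads the Go version recorded in a compiled binary (e.g. a downloaded prometheus executable).
func ToolchainOf(path string) (string, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return bi.GoVersion, nil
}
```

For a one-off check without writing code, `go version -m ./prometheus` prints the same embedded toolchain version.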

Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
