Dear Prometheans, There is another bugfix release for the Prometheus server: v2.33.5. The only change in our code is a fix for a deadlock in remote-write. However, the binaries published with this release have been built with Go1.17.9, which fixes CVE-2022-24921 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921>. Therefore, if you use our pre-built binaries or container images, you should update to enjoy this security fix.
I should also note that this bugfix release updates the github.com/containerd/containerd dependency from v1.5.9 to v1.6.1. We usually don't update dependencies in bugfix releases, unless, well, it fixes a bug. v1.5.9 has a number of security issues, none of which affects Prometheus, but the mere existence of the (indirect) dependency triggers security scanners. It is somewhat questionable if we should take the risk of an update to avoid false positives reported by imperfect tools rather than fixing an actual issue. In this case, the risk was pretty low, so we went for it. But let me make use of this opportunity to ask you all to not send us raw reports from automated security scanners without first validating that there is any impact. Those reports are very noisy with many false positives, and we run automated scans ourselves anyway.

Binaries are available on the GitHub release page <https://github.com/prometheus/prometheus/releases/tag/v2.33.5>. You can find container images at Quay <https://quay.io/repository/prometheus/prometheus?tab=tags> and Docker Hub <https://hub.docker.com/r/prom/prometheus/tags>.

2.33.5 / 2022-03-08

The binaries published with this release are built with Go1.17.8 to avoid CVE-2022-24921 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921>.

- [BUGFIX] Remote-write: Fix deadlock between adding to queue and getting batch. #10395

--
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] bjo...@rabenste.in