Hello everyone, Prometheus 2.37.4 and 2.40.4 are out!

These releases fix a security issue that allowed an attacker with access to the contents of a web.yml configuration file (--web.config.file) to bypass basic authentication. This issue concerns our built-in authentication mechanism. CVE-2022-46146 was assigned to this security report in our exporter toolkit: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p

We would like to thank Lei Wan for the responsible disclosure of this bug.

Prometheus 2.37.4 is part of the 2.37 Long-Term Supported release of Prometheus, supported until _at least_ January 2023. See the approximate schedule and explanations here: https://prometheus.io/docs/introduction/release-cycle/

Versions v2.37.4 and v2.40.4 can be found in the usual locations:

- See the full changelog & grab the binaries:
  https://github.com/prometheus/prometheus/releases/tag/v2.37.4
  https://github.com/prometheus/prometheus/releases/tag/v2.40.4
- See https://quay.io/repository/prometheus/prometheus?tab=tags and https://hub.docker.com/r/prom/prometheus/tags for container images.

Best regards,

--
Julien Pivotto
@roidelapluie
Those releases fix a security issue that enabled an attacker that has access to the content of a web.yml configuration file (--web.config.file) to bypass basic authentication. This issue is about our built-in authentication mechanism. CVE-2022-46146 was assigned to this security report in our exporter toolkit: https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p We would like to thank Lei Wan for the responsible disclosure of this bug. Prometheus 2.37.4 is part of the 2.37 Long-Term Supported release of Prometheus, supported for _at least_ until January 2023. See the approximative schedule and explanations here: https://prometheus.io/docs/introduction/release-cycle/ The v2.37.4 and v2.40.4 can be found in the usual locations: - See the full changelog & grab the binaries: https://github.com/prometheus/prometheus/releases/tag/v2.37.4 https://github.com/prometheus/prometheus/releases/tag/v2.40.4 - See https://quay.io/repository/prometheus/prometheus?tab=tags and https://hub.docker.com/r/prom/prometheus/tags for container images. Best regards, -- Julien Pivotto @roidelapluie -- You received this message because you are subscribed to the Google Groups "prometheus-announce" group. To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-announce+unsubscr...@googlegroups.com. To view this discussion on the web, visit https://groups.google.com/d/msgid/prometheus-announce/Y4X3KOqzI0MQBbs3%40nixos.