Bug#988804: prometheus: CVE-2021-29622

2021-05-19 Thread Salvatore Bonaccorso
Hi Martina,

On Thu, May 20, 2021 at 06:16:34AM +0100, Martina Ferrari wrote:
> On 20/05/2021 05:11, Salvatore Bonaccorso wrote:
> 
> > Thanks, so I have to assume we are protected since 63d6cb569d4e
> > ("Refresh patches and patch out react-app URL handlers") in the
> > packaging repository, which would be in debian/2.15.2+ds-1.
> > 
> > Is this correct?
> 
> To be precise, that commit patched out the whole `/new` prefix when it first
> appeared, and before this vulnerability was introduced. The vuln appears at
> 3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020), released as part of
> 2.23.0, and a few days later it is merged into Debian, and removed when
> refreshing patches in 7f0d9ba6d.
> 
> In a nutshell: we never released this code :)

Perfect, thanks a lot for confirming that. I tried to reflect that in the
status at https://security-tracker.debian.org/tracker/CVE-2021-29622,
which should now be good.

Regards,
Salvatore



Bug#988804: prometheus: CVE-2021-29622

2021-05-19 Thread Martina Ferrari

On 20/05/2021 05:11, Salvatore Bonaccorso wrote:

> Thanks, so I have to assume we are protected since 63d6cb569d4e
> ("Refresh patches and patch out react-app URL handlers") in the
> packaging repository, which would be in debian/2.15.2+ds-1.
> 
> Is this correct?


To be precise, that commit patched out the whole `/new` prefix when it
first appeared, and before this vulnerability was introduced. The vuln
appears at 3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020),
released as part of 2.23.0, and a few days later it is merged into
Debian, and removed when refreshing patches in 7f0d9ba6d.


In a nutshell: we never released this code :)

--
Martina Ferrari (Tina)



Bug#988804: prometheus: CVE-2021-29622

2021-05-19 Thread Salvatore Bonaccorso
Hi Martina,

On Wed, May 19, 2021 at 11:36:01PM +0100, Martina Ferrari wrote:
> Hi Salvatore,
> 
> On 19/05/2021 19:40, Salvatore Bonaccorso wrote:
> > 
> > The following vulnerability was published for prometheus.
> > 
> > CVE-2021-29622[0]:
> > | Open Redirect under the /new endpoint
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> 
> Thanks for sending this for our attention. Luckily, one of our patches had
> disabled this functionality (due to lack of React support in Debian), and so
> we are not vulnerable.
> 
> This is the relevant part of the patch
> (debian/patches/01-Do_not_embed_blobs.patch ):
> 
> 
> - // Redirect the original React UI's path (under "/new") to its new path 
> at
> the root.
> - router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
> - p := route.Param(r.Context(), "path")
> - http.Redirect(w, r, path.Join(o.ExternalURL.Path, 
> strings.TrimPrefix(p,
> "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
> + // Catch requests to legacy URLs that would try to hit the "new" web UI
> + router.Get("/graph/", func(w http.ResponseWriter, r *http.Request) {
> + http.Redirect(w, r, path.Join(o.ExternalURL.Path,
> "/classic/graph")+"?"+r.URL.RawQuery, http.StatusFound)
>   })
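Review bot: the replacement `/graph/` handler redirects to the constant `path.Join(o.ExternalURL.Path, "/classic/graph")`, so the request-derived `path` parameter that the removed `/new/*path` handler fed into `http.Redirect` no longer reaches the Location header; that is the property that keeps the Debian build out of scope for this CVE. `r.URL.RawQuery` is still appended verbatim, which only carries the query string over to a same-origin path and does not reopen the issue, but the target should stay a constant if this patch is refreshed again rather than being re-derived from the request. The mail client has also re-wrapped the removed lines (the stray `at` and `strings.TrimPrefix(p,` fragments), so anyone confirming exactly which handler was dropped should read debian/patches/01-Do_not_embed_blobs.patch directly rather than this quote.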

Thanks, so I have to assume we are protected since 63d6cb569d4e
("Refresh patches and patch out react-app URL handlers") in the
packaging repository, which would be in debian/2.15.2+ds-1.

Is this correct?

Regards,
Salvatore
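The removed handler quoted above builds its redirect target from the request path, which is the shape of bug the CVE describes. The Go below is an added example, not Prometheus or Debian code: it reproduces that construction (base path, request path with the `/new` prefix trimmed, query string carried over) and adds a check that refuses any result a browser could read as pointing at another host, then wraps it in a handler that answers 404 instead of redirecting when the check fails. The function names, the `/prom` base path and the sample URLs are made up for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// SafeRedirectTarget builds a redirect location the way the removed /new
// handler did (base path + request path with the "/new" prefix trimmed, query
// string carried over) and then checks that the result is a path on the same
// origin. It returns ok == false when the candidate could be read by a browser
// as a different host; the caller must then not redirect at all.
// Illustrative code, not the Prometheus or Debian implementation.
func SafeRedirectTarget(basePath, userPath, rawQuery string) (target string, ok bool) {
	target = path.Join(basePath, strings.TrimPrefix(userPath, "/new"))
	if !IsLocalPath(target) {
		return "", false
	}
	if rawQuery != "" {
		target += "?" + rawQuery
	}
	return target, true
}

// IsLocalPath accepts only an absolute path on this origin. path.Join collapses
// "//host" into "/host", but it leaves "/\host" alone, and browsers treat a
// backslash after the leading slash like a second slash, so both shapes are
// rejected explicitly before the URL parser is consulted for a scheme or host.
func IsLocalPath(p string) bool {
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(p, "/\\") {
		return false
	}
	u, err := url.Parse(p)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == ""
}

// RedirectHandler wraps the check in an http.HandlerFunc: a rejected target
// answers 404 instead of redirecting anywhere.
func RedirectHandler(basePath string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		target, ok := SafeRedirectTarget(basePath, r.URL.Path, r.URL.RawQuery)
		if !ok {
			http.NotFound(w, r)
			return
		}
		http.Redirect(w, r, target, http.StatusFound)
	}
}

func main() {
	// Constructed inputs: a legitimate legacy URL, a protocol-relative form
	// that path.Join already neutralises, and two shapes the check itself
	// has to refuse.
	for _, c := range [][3]string{
		{"/prom", "/new/graph", "g0.expr=up"},
		{"", "//evil.example/", ""},
		{"", "/\\evil.example/", ""},
		{"", "https://evil.example/x", ""},
	} {
		t, ok := SafeRedirectTarget(c[0], c[1], c[2])
		fmt.Printf("%-28q -> ok=%-5v target=%q\n", c[1], ok, t)
	}
}
```

The point the sample inputs make is that `path.Join` alone is not a sufficient guard: it collapses a leading `//` but leaves a backslash untouched, and it does nothing about an absolute URL. Keeping the target constant, as the replacement `/graph/` handler in the patch does, avoids the question entirely and is the simpler option whenever the redirect does not actually need to depend on the request.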



Bug#988804: prometheus: CVE-2021-29622

2021-05-19 Thread Salvatore Bonaccorso
Source: prometheus
Version: 2.24.1+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for prometheus.

CVE-2021-29622[0]:
| Open Redirect under the /new endpoint 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29622
[1] https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore