Bug#988804: prometheus: CVE-2021-29622
Hi Martina,

On Thu, May 20, 2021 at 06:16:34AM +0100, Martina Ferrari wrote:
> On 20/05/2021 05:11, Salvatore Bonaccorso wrote:
> 
> > Thanks, so I have to assume we are protected since 63d6cb569d4e
> > ("Refresh patches and patch out react-app URL handlers") in the
> > packaging repository, which would be in debian/2.15.2+ds-1.
> > 
> > Is this correct?
> 
> To be precise, that commit patched out the whole `/new` prefix when it first
> appeared, and before this vulnerability was introduced. The vuln appears at
> 3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020), released as part of
> 2.23.0, and a few days later it is merged into Debian, and removed when
> refreshing patches in 7f0d9ba6d.
> 
> In a nutshell: we never released this code :)

Perfect, thanks a lot for confirming that. I tried to reflect the status
accordingly in https://security-tracker.debian.org/tracker/CVE-2021-29622,
which should now be good.

Regards,
Salvatore
Bug#988804: prometheus: CVE-2021-29622
On 20/05/2021 05:11, Salvatore Bonaccorso wrote:

> Thanks, so I have to assume we are protected since 63d6cb569d4e
> ("Refresh patches and patch out react-app URL handlers") in the
> packaging repository, which would be in debian/2.15.2+ds-1.
> 
> Is this correct?

To be precise, that commit patched out the whole `/new` prefix when it first
appeared, and before this vulnerability was introduced. The vuln appears at
3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020), released as part of
2.23.0, and a few days later it is merged into Debian, and removed when
refreshing patches in 7f0d9ba6d.

In a nutshell: we never released this code :)

-- 
Martina Ferrari (Tina)
Bug#988804: prometheus: CVE-2021-29622
Hi Martina,

On Wed, May 19, 2021 at 11:36:01PM +0100, Martina Ferrari wrote:
> Hi Salvatore,
> 
> On 19/05/2021 19:40, Salvatore Bonaccorso wrote:
> > 
> > The following vulnerability was published for prometheus.
> > 
> > CVE-2021-29622[0]:
> > | Open Redirect under the /new endpoint
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> 
> Thanks for sending this for our attention. Luckily, one of our patches had
> disabled this functionality (due to lack of React support in Debian), and so
> we are not vulnerable.
> 
> This is the relevant part of the patch
> (debian/patches/01-Do_not_embed_blobs.patch):
> 
> - // Redirect the original React UI's path (under "/new") to its new path at the root.
> - router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
> -   p := route.Param(r.Context(), "path")
> -   http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
> + // Catch requests to legacy URLs that would try to hit the "new" web UI
> + router.Get("/graph/", func(w http.ResponseWriter, r *http.Request) {
> +   http.Redirect(w, r, path.Join(o.ExternalURL.Path, "/classic/graph")+"?"+r.URL.RawQuery, http.StatusFound)
>   })

Thanks, so I have to assume we are protected since 63d6cb569d4e
("Refresh patches and patch out react-app URL handlers") in the
packaging repository, which would be in debian/2.15.2+ds-1.

Is this correct?

Regards,
Salvatore
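Review bot: in the `-` lines of the quoted hunk, the `/new/*path` handler builds its Location from the caller-controlled `path` parameter and passes it straight to `http.Redirect` with nothing pinning the target to the local host: `path.Join` only cleans the string (when `o.ExternalURL.Path` is empty and the trimmed parameter does not start with "/", the result is not even rooted), and `http.Redirect` copies any target that parses with a URL scheme or host into the Location header unchanged. The `+` lines hard-code `/classic/graph`, which removes the parameterized redirect rather than validating it, and that is the right shape for a distribution patch; the one thing to add is a line in the patch's DEP-3 header saying that `/new/...` URLs are dropped entirely, so that the next refresh against an upstream that still ships the route does not reintroduce the old expression. The `+"?"+r.URL.RawQuery` tail is harmless on a fixed path, though it still emits a bare trailing `?` when the query is empty; guarding that is optional.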
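As an added illustration of the point above (example code written for this page; it is neither Prometheus's code nor the upstream fix for CVE-2021-29622): `legacyTarget` reproduces the Location expression from the deleted handler, `emittedVerbatim` applies the rule `net/http.Redirect` uses to decide whether to rewrite a target, and `localTarget` is a checked builder that only ever returns a root-relative path under the external URL prefix. The function names and the inputs fed to them are assumptions constructed for the demonstration, not a reported proof of concept.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// legacyTarget mirrors the Location expression in the deleted handler:
// path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new")) + "?" + rawQuery.
// path.Join only cleans the string; with an empty externalPath and a trimmed
// parameter that does not start with "/", the result is not rooted.
func legacyTarget(externalPath, p, rawQuery string) string {
	return path.Join(externalPath, strings.TrimPrefix(p, "/new")) + "?" + rawQuery
}

// emittedVerbatim applies the rule net/http's Redirect uses: a target that
// parses with a scheme or a host is written to the Location header unchanged;
// only a scheme-less, host-less target is resolved against the request path.
func emittedVerbatim(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return true // Redirect also sends unparsable input unchanged
	}
	return u.Scheme != "" || u.Host != ""
}

// localTarget is a checked replacement for the same redirect: it refuses
// anything that could be read as carrying a scheme or an authority, and
// anchors the join at "/" so the result is always rooted, even when
// externalPath is empty.
func localTarget(externalPath, p, rawQuery string) (string, bool) {
	rest := strings.TrimPrefix(p, "/new")
	// ":" could introduce a scheme, "//" a network-path reference, and
	// browsers treat "\" as "/" in http(s) URLs, so "/\host" reads as "//host".
	if strings.Contains(rest, ":") || strings.HasPrefix(rest, "//") || strings.Contains(rest, `\`) {
		return "", false
	}
	target := path.Join("/", externalPath, rest)
	// Post-condition check on the cleaned result: cheap insurance against
	// future edits to the filters above.
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || !strings.HasPrefix(u.Path, "/") {
		return "", false
	}
	if rawQuery != "" {
		target += "?" + rawQuery
	}
	return target, true
}

func main() {
	// Constructed inputs for the demonstration (assumed, not from the advisory).
	for _, p := range []string{"/graph", "/new/graph", "/newhttp://example.com", "/new//example.com"} {
		legacy := legacyTarget("", p, "")
		safe, ok := localTarget("", p, "")
		fmt.Printf("%-26s legacy=%-22q verbatim=%-5v checked=%q ok=%v\n",
			p, legacy, emittedVerbatim(legacy), safe, ok)
	}
}
```

The block deliberately stops at the server side: what a browser does with a Location such as `http:/example.com` depends on how it resolves that value against the current page, which is not modelled here. The point it does show is that the deleted expression never constrained the target, whereas the checked builder rejects anything with a scheme, a leading `//` or a backslash before `path.Join` ever sees it, and re-verifies the cleaned result afterwards.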
Bug#988804: prometheus: CVE-2021-29622
Source: prometheus
Version: 2.24.1+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for prometheus.

CVE-2021-29622[0]:
| Open Redirect under the /new endpoint

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-29622
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29622
[1] https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore