SUSE-SU-2021:2664-1
Vulnerability from csaf_suse
Published
2021-08-12 10:02
Modified
2021-08-12 10:02
Summary
Security update for golang-github-prometheus-prometheus
Notes
Title of the patch
Security update for golang-github-prometheus-prometheus
Description of the patch
This update for golang-github-prometheus-prometheus fixes the following issues:
- Provide and reload firewalld configuration only for:
+ openSUSE Leap 15.0, 15.1, 15.2
+ SUSE SLE15, SLE15 SP1, SLE15 SP2
- Upgrade to upstream version 2.27.1 (jsc#SLE-18254)
+ Bugfix:
* SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622, bsc#1186242)
+ Features:
* Promtool: Retroactive rule evaluation functionality. #7675
* Configuration: Environment variable expansion for external labels. Behind --enable-feature=expand-external-labels flag. #8649
* TSDB: Add a flag (--storage.tsdb.max-block-chunk-segment-size) to control the max chunks file size of the blocks for small Prometheus instances.
* UI: Add a dark theme. #8604
* AWS Lightsail Discovery: Add AWS Lightsail Discovery. #8693
* Docker Discovery: Add Docker Service Discovery. #8629
* OAuth: Allow OAuth 2.0 to be used anywhere an HTTP client is used. #8761
* Remote Write: Send exemplars via remote write. Experimental and disabled by default. #8296
+ Enhancements:
* Digital Ocean Discovery: Add __meta_digitalocean_vpc label. #8642
* Scaleway Discovery: Read Scaleway secret from a file. #8643
* Scrape: Add configurable limits for label size and count. #8777
* UI: Add 16w and 26w time range steps. #8656
* Templating: Enable parsing strings in humanize functions. #8682
+ Bugfixes:
* UI: Provide errors instead of blank page on TSDB Status Page. #8654 #8659
* TSDB: Do not panic when writing very large records to the WAL. #8790
* TSDB: Avoid panic when mmapped memory is referenced after the file is closed. #8723
* Scaleway Discovery: Fix nil pointer dereference. #8737
* Consul Discovery: Restart no longer required after config update with no targets. #8766
- Add tarball with vendor modules and web assets
- Uyuni: Read formula data from exporters map
- Uyuni: Add support for TLS targets
- Upgrade to upstream version 2.26.0
+ Changes
* Alerting: Using Alertmanager v2 API by default. #8626
* Prometheus/Promtool: Binaries are now printing help and usage to stdout instead of stderr. #8542
+ Features
* Remote: Add support for AWS SigV4 auth method for remote_write. #8509
* PromQL: Allow negative offsets. Behind --enable-feature=promql-negative-offset flag. #8487
* UI: Add advanced auto-completion, syntax highlighting and linting to graph page query input. #8634
+ Enhancements
* PromQL: Add last_over_time, sgn, clamp functions. #8457
* Scrape: Add support for specifying type of Authorization header credentials with Bearer by default. #8512
* Scrape: Add follow_redirects option to scrape configuration. #8546
* Remote: Allow retries on HTTP 429 response code for remote_write. #8237 #8477
* Remote: Allow configuring custom headers for remote_read. #8516
* UI: Hitting Enter now triggers new query. #8581
* UI: Better handling of long rule and names on the /rules and /targets pages. #8608 #8609
* UI: Add collapse/expand all button on the /targets page. #8486
- Upgrade to upstream version 2.25.0
+ Features
* Include a new `--enable-feature=` flag that enables experimental features.
+ Enhancements
* Add optional name property to testgroup for better test failure output. #8440
* Add warnings into React Panel on the Graph page. #8427
* TSDB: Increase the number of buckets for the compaction duration metric. #8342
* Remote: Allow passing along custom remote_write HTTP headers. #8416
* Mixins: Scope grafana configuration. #8332
* Kubernetes SD: Add endpoint labels metadata. #8273
* UI: Expose total number of label pairs in head in TSDB stats page. #8343
* TSDB: Reload blocks every minute, to detect new blocks and enforce retention more often. #8343
+ Bug fixes
* API: Fix global URL when external address has no port. #8359
* Deprecate unused flag --alertmanager.timeout. #8407
- Upgrade to upstream version 2.24.1
+ Enhancements
* Cache basic authentication results to significantly improve performance of HTTP endpoints.
- Upgrade to upstream version 2.24.0
+ Features
* Add TLS and basic authentication to HTTP endpoints. #8316
* promtool: Add check web-config subcommand to check web config files. #8319
* promtool: Add tsdb create-blocks-from openmetrics subcommand to backfill metrics data from an OpenMetrics file.
+ Enhancements
* HTTP API: Fast-fail queries with only empty matchers. #8288
* HTTP API: Support matchers for labels API. #8301
* promtool: Improve checking of URLs passed on the command line. #7956
* SD: Expose IPv6 as a label in EC2 SD. #7086
* SD: Reuse EC2 client, reducing frequency of requesting credentials. #8311
* TSDB: Add logging when compaction takes more than the block time range. #8151
* TSDB: Avoid unnecessary GC runs after compaction. #8276
- Upgrade to upstream version 2.23.0
+ Changes
* UI: Make the React UI default. #8142
* Remote write: The following metrics were removed/renamed in remote write. #6815
> prometheus_remote_storage_succeeded_samples_total was removed and prometheus_remote_storage_samples_total was introduced for all the samples attempted to send.
> prometheus_remote_storage_sent_bytes_total was removed and replaced with prometheus_remote_storage_samples_bytes_total and prometheus_remote_storage_metadata_bytes_total.
> prometheus_remote_storage_failed_samples_total -> prometheus_remote_storage_samples_failed_total.
> prometheus_remote_storage_retried_samples_total -> prometheus_remote_storage_samples_retried_total.
> prometheus_remote_storage_dropped_samples_total -> prometheus_remote_storage_samples_dropped_total.
> prometheus_remote_storage_pending_samples -> prometheus_remote_storage_samples_pending.
* Remote: Do not collect non-initialized timestamp metrics. #8060
+ Enhancements
* Remote write: Added a metric prometheus_remote_storage_max_samples_per_send for remote write. #8102
* TSDB: Make the snapshot directory name always the same length. #8138
* TSDB: Create a checkpoint only once at the end of all head compactions. #8067
* TSDB: Avoid Series API from hitting the chunks. #8050
* TSDB: Cache label name and last value when adding series during compactions making compactions faster. #8192
* PromQL: Improved performance of Hash method making queries a bit faster. #8025
* promtool: tsdb list now prints block sizes. #7993
* promtool: Calculate mint and maxt per test avoiding unnecessary calculations. #8096
* SD: Add filtering of services to Docker Swarm SD. #8074
- Uyuni: `hostname` label is now set to FQDN instead of IP
- Update to upstream version 2.22.1
- Update packaging
* Remove systemd and shadow hard requirements
* Use systemd-sysusers to configure the user in a dedicated 'system-user-prometheus' subpackage
* Add 'prometheus' package alias
+ Add support for Prometheus exporters proxy
- Remove prometheus.firewall.xml source file
- Remove firewalld files. They are installed in the main firewalld package.
Patchnames
SUSE-2021-2664,SUSE-Storage-6-2021-2664
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Document metadata
- Aggregate severity: moderate (SUSE rating, https://www.suse.com/support/security/rating/)
- Category: csaf_security_advisory, CSAF version 2.0, language en
- Distribution: Copyright 2024 SUSE LLC. All rights reserved. TLP:WHITE (https://www.first.org/tlp/)
- Publisher: SUSE Product Security Team (vendor), https://www.suse.com/, contact https://www.suse.com/support/security/contact/
- Tracking: id SUSE-SU-2021:2664-1, version 1, status final; initial and current release date 2021-08-12T10:02:35Z
- Generator: cve-database.git:bin/generate-csaf.pl, version 1, date 2021-08-12T10:02:35Z
- Revision history: number 1, 2021-08-12T10:02:35Z, "Current version"
References
- SUSE ratings: https://www.suse.com/support/security/rating/
- URL of this CSAF notice: https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_2664-1.json
- URL for SUSE-SU-2021:2664-1: https://www.suse.com/support/update/announcement/2021/suse-su-20212664-1/
- E-Mail link for SUSE-SU-2021:2664-1: https://lists.suse.com/pipermail/sle-security-updates/2021-August/009286.html
- SUSE Bug 1186242: https://bugzilla.suse.com/1186242
- SUSE CVE CVE-2021-29622 page: https://www.suse.com/security/cve/CVE-2021-29622/
Product tree
- Vendor: SUSE; product family: SUSE Linux Enterprise
- Product: SUSE Enterprise Storage 6 (cpe:/o:suse:ses:6)
- Package versions: golang-github-prometheus-prometheus-2.27.1-3.8.1 for the architectures aarch64, i586, ppc64le, s390x and x86_64
- Relationships (default_component_of): golang-github-prometheus-prometheus-2.27.1-3.8.1.aarch64 and golang-github-prometheus-prometheus-2.27.1-3.8.1.x86_64 as components of SUSE Enterprise Storage 6
Vulnerabilities
CVE-2021-29622 (SUSE CVE page: https://www.suse.com/security/cve/CVE-2021-29622)
- CVE description: Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New UI. To ensure a seamless transition, the URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL that can redirect to any other URL, in the /new endpoint. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
- Product status (recommended): SUSE Enterprise Storage 6:golang-github-prometheus-prometheus-2.27.1-3.8.1.aarch64, SUSE Enterprise Storage 6:golang-github-prometheus-prometheus-2.27.1-3.8.1.x86_64
- References: CVE-2021-29622, https://www.suse.com/security/cve/CVE-2021-29622; SUSE Bug 1186242 for CVE-2021-29622, https://bugzilla.suse.com/1186242
- Remediation (vendor_fix, for both product IDs above): To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
- Score (for both product IDs above): CVSS v3.1 base score 6.1, base severity MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Threat (impact, 2021-08-12T10:02:35Z): moderate