Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-24535: golang-github-prometheus-prometheus: google.golang.org/protobuf: panic leading to denial of service | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Thomas Leroy <thomas.leroy> |
| Component: | Security | Assignee: | Johannes Kastl <kastl> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | opensuse_buildservice, security-team, witold.bedyk |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/368858/ | | |
| Whiteboard: | | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1212218 | | |
| Bug Blocks: | | | |
Description
Thomas Leroy
2023-06-12 08:05:20 UTC
openSUSE:Factory/golang-github-prometheus-prometheus embeds a vulnerable version of the google.golang.org/protobuf module. As far as I can tell, this is already fixed in Tumbleweed:

v2.43.0 contained the 1.29.0 version of google.golang.org/protobuf
https://github.com/prometheus/prometheus/blob/v2.43.0/go.mod#L73

v2.44.0 and later contain the 1.30.0 version (or later):
https://github.com/prometheus/prometheus/blob/v2.44.0/go.mod#L73
https://github.com/prometheus/prometheus/blob/v2.45.0/go.mod#L75
https://github.com/prometheus/prometheus/blob/v2.46.0/go.mod#L76
https://github.com/prometheus/prometheus/blob/v2.47.0/go.mod#L79

v2.44.0 hit Factory in SR#1087896 on 21st of May
https://build.opensuse.org/request/show/1087896

Adding Witek for awareness.
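The go.mod comparison the report walks through by hand, as an added example (not code from this bug, from openSUSE or from the prometheus project): it parses a go.mod, finds the google.golang.org/protobuf pin and flags anything below v1.30.0. That cutoff is taken from the report's own reasoning (1.29.0 affected, 1.30.0 or later not), not from an advisory, and the two go.mod excerpts are constructed stand-ins for the v2.43.0 and v2.44.0 files, not copies of them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpts standing in for the prometheus v2.43.0 and
// v2.44.0 files linked above (illustrative, not copies of the real files).
const goModV243 = "module github.com/prometheus/prometheus\n\nrequire (\n\tgithub.com/prometheus/client_golang v1.14.0\n\tgoogle.golang.org/protobuf v1.29.0 // indirect\n)\n"
const goModV244 = "module github.com/prometheus/prometheus\n\nrequire google.golang.org/protobuf v1.30.0\n"

// requiredVersion returns the version pinned for module in go.mod text, from
// either a `require (...)` block or a single-line `require path vX.Y.Z`.
func requiredVersion(goMod, module string) (string, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module { // a trailing "// indirect" lands in f[2:]
			return f[1], true
		}
	}
	return "", false
}

// rank maps a canonical release version such as "v1.29.0" to an integer that
// orders the same way (major*1e6 + minor*1e3 + patch); pre-release suffixes
// and non-canonical forms are not handled, which suffices for go.mod pins.
func rank(v string) (r int) {
	for _, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		n, _ := strconv.Atoi(p)
		r = r*1000 + n
	}
	return r
}

// Vulnerable applies the report's rule: a google.golang.org/protobuf pin below
// v1.30.0 is affected; found is false when the module is not required at all.
func Vulnerable(goMod string) (vulnerable, found bool) {
	v, found := requiredVersion(goMod, "google.golang.org/protobuf")
	return found && rank(v) < rank("v1.30.0"), found
}

func main() {
	for _, c := range []struct{ tag, mod string }{{"v2.43.0", goModV243}, {"v2.44.0", goModV244}} {
		v, f := Vulnerable(c.mod)
		fmt.Printf("prometheus %s: protobuf pin found=%v vulnerable=%v\n", c.tag, f, v)
	}
}
```

For a built binary rather than a source tree, `go version -m <binary>` lists the embedded module versions, so the same threshold can be applied to a packaged prometheus without its go.mod.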