SUSE-SU-2022:1435-1

Published: 27 Apr 2022
Source: suse-cvrf

Description

Security update for firewalld, golang-github-prometheus-prometheus

This update for firewalld, golang-github-prometheus-prometheus fixes the following issues:

Security fixes for golang-github-prometheus-prometheus:

  • CVE-2022-21698: Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods (bsc#1196338).

Other non security changes for golang-github-prometheus-prometheus:

  • Build firewalld-prometheus-config only for SUSE Linux Enterprise 15, 15-SP1 and 15-SP2, and require firewalld.
  • Only recommend firewalld-prometheus-config, as prometheus does not require it to run.
  • Create firewalld-prometheus-config subpackage (bsc#1197042, jsc#SLE-24373, jsc#SLE-24374, jsc#SLE-24375)

Other non security changes for firewalld:

  • Provide dummy firewalld-prometheus-config package (bsc#1197042)

Package list

Container ses/7.1/ceph/prometheus-server:latest
  • golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAP-BYOS-Azure
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAP-BYOS-EC2-HVM
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAP-BYOS-GCE
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAPCAL-Azure
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAPCAL-EC2-HVM
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-SAPCAL-GCE
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
SUSE Enterprise Storage 6
  • firewalld-prometheus-config-0.1-150100.4.9.2
  • golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
SUSE Linux Enterprise Micro 5.1
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
SUSE Linux Enterprise Micro 5.2
  • firewalld-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
SUSE Linux Enterprise Module for Basesystem 15 SP3
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • firewalld-lang-0.9.3-150300.3.6.1
  • python3-firewall-0.9.3-150300.3.6.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP3
  • firewall-applet-0.9.3-150300.3.6.1
  • firewall-config-0.9.3-150300.3.6.1
SUSE Manager Proxy Module 4.1
  • firewalld-prometheus-config-0.1-150100.4.9.2
  • golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
SUSE Manager Proxy Module 4.2
  • golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
openSUSE Leap 15.3
  • firewall-applet-0.9.3-150300.3.6.1
  • firewall-config-0.9.3-150300.3.6.1
  • firewall-macros-0.9.3-150300.3.6.1
  • firewalld-0.9.3-150300.3.6.1
  • firewalld-lang-0.9.3-150300.3.6.1
  • golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
  • python3-firewall-0.9.3-150300.3.6.1
openSUSE Leap 15.4
  • golang-github-prometheus-prometheus-2.32.1-150100.4.9.2

Description (CVE-2022-21698)

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented application must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with a `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by the Go http.Request; and using a reverse proxy or web application firewall configured to allow only a limited set of methods.
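The following is an added example (not part of the advisory and not client_golang's own code) of the "custom middleware before the promhttp handler" workaround described above. Because it must run offline it does not import client_golang; instead a small `methodCounter` type is a constructed stand-in for a Prometheus counter with a `method` label, where every distinct method string becomes a new series. `RestrictMethods`, the allow-list of `GET`/`POST`, the `/metrics-protected` path and the `FLOOD...` method names are all assumptions made for the demonstration. `Serve` runs the same constructed request mix through the stack with and without the middleware and reports how many distinct `method` label values the counter ended up holding.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// methodCounter is a constructed stand-in for a Prometheus CounterVec with a
// "method" label: each distinct method string creates a new series, which is
// exactly why unfiltered non-standard methods become a cardinality problem.
type methodCounter struct {
	mu     sync.Mutex
	series map[string]int
}

func newMethodCounter() *methodCounter {
	return &methodCounter{series: make(map[string]int)}
}

// instrument mimics promhttp.InstrumentHandlerCounter: it records r.Method
// verbatim as the label value and then calls the wrapped handler.
func (c *methodCounter) instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock()
		c.series[r.Method]++
		c.mu.Unlock()
		next.ServeHTTP(w, r)
	})
}

// Cardinality returns the number of distinct "method" label values recorded.
func (c *methodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.series)
}

// RestrictMethods is the mitigation (hypothetical helper): placed in front of
// the instrumented handler, it answers 405 for any method outside the
// allow-list, so the label set can never grow beyond len(allowed).
func RestrictMethods(next http.Handler, allowed ...string) http.Handler {
	allow := make(map[string]struct{}, len(allowed))
	for _, m := range allowed {
		allow[m] = struct{}{}
	}
	allowHeader := strings.Join(allowed, ", ")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := allow[r.Method]; !ok {
			w.Header().Set("Allow", allowHeader)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Serve pushes the given methods through the handler stack (optionally behind
// RestrictMethods) and reports how many distinct method labels the counter
// holds afterwards and how many requests reached the application handler.
func Serve(methods []string, restrict bool) (labels int, served int) {
	counter := newMethodCounter()
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		served++
		w.WriteHeader(http.StatusOK)
	})
	var h http.Handler = counter.instrument(app)
	if restrict {
		h = RestrictMethods(h, http.MethodGet, http.MethodPost)
	}
	for _, m := range methods {
		req := httptest.NewRequest(m, "/metrics-protected", nil) // constructed request
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return counter.Cardinality(), served
}

func main() {
	// Constructed request mix: two standard methods plus five made-up ones.
	flood := []string{"GET", "POST", "GET",
		"FLOOD0001", "FLOOD0002", "FLOOD0003", "FLOOD0004", "FLOOD0005"}
	l, s := Serve(flood, false)
	fmt.Printf("unrestricted: %d distinct method labels, %d requests served\n", l, s)
	l, s = Serve(flood, true)
	fmt.Printf("restricted:   %d distinct method labels, %d requests served\n", l, s)
}
```

Without the middleware every invented method string becomes its own series (7 labels for the 8 constructed requests); with it the counter never sees more than the two allow-listed values, and the rejected requests are answered with 405 before they reach the instrumented handler. The same allow-list belongs equally well in the reverse proxy or WAF in front of the service, which the advisory lists as an alternative workaround.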


Affected products
Container ses/7.1/ceph/prometheus-server:latest:golang-github-prometheus-prometheus-2.32.1-150100.4.9.2
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:firewalld-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:python3-firewall-0.9.3-150300.3.6.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM:firewalld-0.9.3-150300.3.6.1

References