
security: update prometheus/exporter-toolkit for CVE-2022-46146 #3675

Merged
merged 2 commits into from
Dec 12, 2022

Conversation

bboreham
Contributor

@bboreham bboreham commented Dec 8, 2022

More details at https://github.com/grafana/mimir/security/dependabot/12

Many other libraries have updates forced by this change:

        github.com/prometheus/alertmanager c60fafa6025c
        github.com/prometheus/client_golang v1.14.0 (histogram updates)
        github.com/spf13/afero v1.8.2
        github.com/weaveworks/common 7c2720a9024d
        golang.org/x/crypto v0.1.0
        golang.org/x/net v0.1.0
        golang.org/x/sync v0.1.0
        go.opentelemetry.io/otel v1.11.1
        go.opentelemetry.io/otel/trace v1.11.1
        golang.org/x/sys v0.1.0

(Indirect dependencies)
        github.com/coreos/go-systemd/v22 v22.4.0
        github.com/go-openapi/runtime v0.25.0
        github.com/gofrs/uuid v4.3.1
        github.com/hashicorp/go-hclog v1.2.0
        github.com/matttproud/golang_protobuf_extensions v1.0.4
        go.mongodb.org/mongo-driver v1.11.0
        golang.org/x/mod v0.6.0
        golang.org/x/text v0.4.0
        golang.org/x/tools v0.2.0
        gopkg.in/ini.v1 v1.67.0
        gopkg.in/telebot.v3 v3.1.2

I have scanned (by eye) all the diffs and see nothing that should create a backwards-compatibility problem.
One exception: I did not read all the alertmanager changes.

Builds on work done for #3524

Checklist

  • Tests updated
  • Documentation added
  • CHANGELOG.md updated
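The PR description lists the versions that the transitive dependencies are forced up to. A check a reviewer of such a bump usually wants is an automated confirmation that the resulting `go.mod` actually pins every listed module at or above the intended version, instead of scanning the diff by eye. The program below is an added example and is not code from grafana/mimir or this PR: it parses a `require` block (the `sampleGoMod` text is constructed to look like a checkout taken before the bump, with some modules still on older pseudo-versions), compares each pin against a floor taken from the PR's list, and reports the modules that still fall short. It generalizes slightly beyond the page by handling Go pseudo-versions (`v0.0.0-<timestamp>-<hash>`), which sort below any tagged release of the same base. The fixed version of `prometheus/exporter-toolkit` itself is not stated on this page, so it is deliberately not in the `floors` table.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment standing in for a checkout
// taken before the bump. The pseudo-version hashes are made-up sample values.
const sampleGoMod = `module example.com/mimir-depcheck

go 1.19

require (
	github.com/prometheus/client_golang v1.13.0
	github.com/spf13/afero v1.8.2
	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
	golang.org/x/net v0.1.0
	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
	go.opentelemetry.io/otel v1.11.1
	golang.org/x/sys v0.1.0 // indirect
)
`

// floors are the direct-dependency versions the PR description says the
// update moves to; a pin below one of them means the bump has not landed.
var floors = map[string]string{
	"github.com/prometheus/client_golang": "v1.14.0",
	"github.com/spf13/afero":              "v1.8.2",
	"golang.org/x/crypto":                 "v0.1.0",
	"golang.org/x/net":                    "v0.1.0",
	"golang.org/x/sync":                   "v0.1.0",
	"go.opentelemetry.io/otel":            "v1.11.1",
	"golang.org/x/sys":                    "v0.1.0",
}

type version struct {
	nums [3]int
	pre  string // non-empty for pre-releases and Go pseudo-versions
}

// parseVersion accepts vMAJOR.MINOR.PATCH with an optional "-suffix".
func parseVersion(s string) (version, error) {
	var v version
	if !strings.HasPrefix(s, "v") {
		return v, fmt.Errorf("version %q lacks leading v", s)
	}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("version component %q: %w", p, err)
		}
		v.nums[i] = n
	}
	return v, nil
}

// compare returns -1, 0 or 1. Numeric components win first; for an equal
// base, a release outranks any pre-release or pseudo-version, and two
// pseudo-versions compare by their timestamp-led suffix.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			if a.nums[i] < b.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == b.pre:
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	return strings.Compare(a.pre, b.pre)
}

// parseRequires collects module -> version from single-line and block
// require directives, ignoring trailing comments such as "// indirect".
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		case inBlock && line != "":
			if f := strings.Fields(line); len(f) >= 2 {
				reqs[f[0]] = f[1]
			}
		}
	}
	return reqs
}

// belowFloor lists, sorted, every module whose pin is missing or below its floor.
func belowFloor(gomod string, floors map[string]string) ([]string, error) {
	reqs := parseRequires(gomod)
	var out []string
	for mod, floor := range floors {
		want, err := parseVersion(floor)
		if err != nil {
			return nil, err
		}
		have, ok := reqs[mod]
		if !ok {
			out = append(out, mod+" (missing)")
			continue
		}
		got, err := parseVersion(have)
		if err != nil {
			return nil, err
		}
		if compare(got, want) < 0 {
			out = append(out, fmt.Sprintf("%s %s < %s", mod, have, floor))
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	short, err := belowFloor(sampleGoMod, floors)
	if err != nil {
		panic(err)
	}
	for _, s := range short {
		fmt.Println("needs bump:", s)
	}
}
```

Run against a real checkout by replacing `sampleGoMod` with the contents of the repository's `go.mod`; the same floor table works as a CI gate so that a later `go get` cannot silently regress one of the forced updates.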

@bboreham bboreham requested a review from a team as a code owner December 8, 2022 10:04
bboreham and others added 2 commits December 12, 2022 12:45
More details at https://github.com/grafana/mimir/security/dependabot/12

Many other libraries have updates forced by this change:

	github.com/prometheus/alertmanager c60fafa6025c
	github.com/prometheus/client_golang v1.14.0
	github.com/spf13/afero v1.8.2
	github.com/weaveworks/common 7c2720a9024d
	golang.org/x/crypto v0.1.0
	golang.org/x/net v0.1.0
	golang.org/x/sync v0.1.0
	go.opentelemetry.io/otel v1.11.1
	go.opentelemetry.io/otel/trace v1.11.1
	golang.org/x/sys v0.1.0

(Indirect dependencies)
	github.com/coreos/go-systemd/v22 v22.4.0
	github.com/go-openapi/runtime v0.25.0
	github.com/gofrs/uuid v4.3.1
	github.com/hashicorp/go-hclog v1.2.0
	github.com/matttproud/golang_protobuf_extensions v1.0.4
	go.mongodb.org/mongo-driver v1.11.0
	golang.org/x/mod v0.6.0
	golang.org/x/text v0.4.0
	golang.org/x/tools v0.2.0
	gopkg.in/ini.v1 v1.67.0
	gopkg.in/telebot.v3 v3.1.2
New weaveworks common explicitly includes gogo protobuf on a more
generic location.
See weaveworks/common#265

Signed-off-by: György Krajcsovits <gyorgy.krajcsovits@grafana.com>
Member

@pstibrany pstibrany left a comment


lgtm

@bboreham bboreham merged commit 0d31655 into main Dec 12, 2022
@bboreham bboreham deleted the update-exporter-tk branch December 12, 2022 13:46
masonmei pushed a commit to udmire/mimir that referenced this pull request Dec 16, 2022
3 participants