nginxinc/nginx-prometheus-exporter

Fix for CVE-2022-21698

bschoenbach opened this issue · 7 comments

Please update client_golang to v1.11.0 in order to fix https://nvd.nist.gov/vuln/detail/CVE-2022-21698

Hi @bschoenbach

You can find 1.11.1 in v0.10.0 already.

But if I'm reading that right, the CVE you're referring to was fixed in v1.11.1, and you can find it in our edge version of the Docker image.

We don't have a date for the next release yet, I'll let you know when that happens in case you're not able to use edge.
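As an added example, not code from the exporter project or from anyone in this thread: when the question is "does the binary I am actually running carry the fixed client_golang?", the release notes are a weaker source than the build info embedded in the Go binary itself, which `go version -m <binary>` prints as a list of `dep` (and, for replace directives, `=>`) lines. The snippet below parses that output and reports whether the linked client_golang is at or above v1.11.1, the fixed release named above. The sample build-info text is constructed (placeholder checksums, not a real build), and the function names are my own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Dependency path and the first version carrying the fix, as stated in the thread.
const (
	clientGolangPath  = "github.com/prometheus/client_golang"
	clientGolangFixed = "v1.11.1"
)

// Constructed `go version -m <binary>` output for an exporter built against the
// affected release line. Not a real build; the h1 checksums are placeholders.
const sampleBuildInfo = `nginx-prometheus-exporter: go1.17.1
	path	github.com/nginxinc/nginx-prometheus-exporter
	mod	github.com/nginxinc/nginx-prometheus-exporter	(devel)
	dep	github.com/prometheus/client_golang	v1.11.0	h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
	dep	github.com/prometheus/common	v0.26.0	h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
	build	-compiler=gc
`

// ParseDeps maps each module path in the build info to the version that was
// actually linked. A "=>" line (replace directive) overrides the "dep" line
// directly above it, because the replacement is what ended up in the binary.
func ParseDeps(buildInfo string) map[string]string {
	deps := map[string]string{}
	lastPath := ""
	sc := bufio.NewScanner(strings.NewReader(buildInfo))
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), "\t")
		if len(f) < 3 {
			continue // header, "path", "build" and other non-module lines
		}
		if f[0] == "dep" {
			deps[f[1]], lastPath = f[2], f[1]
		} else if f[0] == "=>" && lastPath != "" {
			deps[lastPath] = f[2]
		}
	}
	return deps
}

// parseVersion reads "vMAJOR.MINOR.PATCH[-pre][+meta]" into a sortable key: the
// three numeric parts plus a fourth that is 0 for a pre-release (a "-pre" tag or
// a Go pseudo-version timestamp) and 1 for a release, so pre-releases sort first.
func parseVersion(v string) (key [4]int, err error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+")
	core, _, pre := strings.Cut(core, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return key, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		if key[i], err = strconv.Atoi(p); err != nil || key[i] < 0 {
			return key, fmt.Errorf("malformed version %q", v)
		}
	}
	if !pre {
		key[3] = 1
	}
	return key, nil
}

// CompareVersions orders two module versions like bytes.Compare (-1, 0, 1).
func CompareVersions(a, b string) (int, error) {
	ak, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	bk, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := range ak {
		if ak[i] < bk[i] {
			return -1, nil
		}
		if ak[i] > bk[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// CheckClientGolang returns the client_golang version linked into the binary and
// whether it is at or above the fixed release. A missing module or an unparsable
// version (e.g. a local "=> ../client_golang (devel)" replace) is an error, not a pass.
func CheckClientGolang(buildInfo string) (version string, fixed bool, err error) {
	version, ok := ParseDeps(buildInfo)[clientGolangPath]
	if !ok {
		return "", false, fmt.Errorf("%s not present in build info", clientGolangPath)
	}
	cmp, err := CompareVersions(version, clientGolangFixed)
	return version, err == nil && cmp >= 0, err
}
```

To use it against a real artifact, copy the exporter binary out of the image you deploy, run `go version -m` on it and feed the output to `CheckClientGolang`. The check deliberately fails closed: if the module is absent or its version cannot be ordered (a `(devel)` replace, a stripped binary), it returns an error rather than reporting the CVE as fixed, and a pre-release such as v1.11.1-rc.1 is still counted as unfixed.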

Hi @lucacome
Are there any updates on the date of the new release v0.11.0 yet? Unfortunately we cannot use the edge version and would be very happy about an update. Thank you very much!
Best, Timo

We generally follow a quarterly release cycle for this and the related projects.
The current target for that is the start of October.
Is there a belief that, given how this project functions as a read-only endpoint, the vulnerability could be easily exploited?

Hi @TimoBuechert
I'd like to at least merge the outstanding PRs before a new release

All right, thank you guys! From our point of view the vulnerability is not harmful for us; however, we have a general policy in our project that certain vulnerabilities should be fixed in a timely manner, if possible. That's why we are interested in the new release :)

Looks like it might take a while to address the open PRs and it doesn't really make sense to leave a CVE out in the wild while we resolve them.

The new plan is to release tomorrow (Sept 07), stay tuned 🙂