-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Fix CVE 2024 24786 and CVE 2022 41717 for prometheu…
…s - branch main (#10737) Co-authored-by: bhagyapathak <[email protected]>
- Loading branch information
1 parent
f7e825f
commit f43a558
Showing
4 changed files
with
41 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go | ||
| index 72924a9..2586bb3 100644 | ||
| --- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go | ||
| +++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go | ||
| @@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error { | ||
| } | ||
| } | ||
| } | ||
| + case json.EOF: | ||
| + // This can only happen if there's a bug in Decoder.Read. | ||
| + // Avoid an infinite loop if this does happen. | ||
| + return errors.New("unexpected EOF") | ||
| } | ||
| return nil | ||
| } | ||
| diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go | ||
| index b13fd29..b2be4e8 100644 | ||
| --- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go | ||
| +++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go | ||
| @@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { | ||
|
|
||
| case ObjectClose: | ||
| if len(d.openStack) == 0 || | ||
| - d.lastToken.kind == comma || | ||
| + d.lastToken.kind&(Name|comma) != 0 || | ||
| d.openStack[len(d.openStack)-1] != ObjectOpen { | ||
| return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,11 +1,11 @@ | ||
| { | ||
| "Signatures": { | ||
| "prometheus-2.37.0.tar.gz": "98892e82b97004a458e81f03d804859d485323af2d85c34f8a996e25fe1305a9", | ||
| "prometheus-2.37.9.tar.gz": "f26eba405e0836c5a53bfff91b45dc71b14900d5edc0fe8db7238d3c85ac45fb", | ||
| "prometheus.conf": "ce522e82dfb2945c520b482b15b5cf591364f7a571f0f28259b64dbeda42b043", | ||
| "prometheus.logrotate": "061b92500cd40fcaaf486ff488bcf1b09eac6743d8e840ba6966dc70d4e2067b", | ||
| "prometheus.service": "29bf1c886e1d55080e859f2afe112bb7344490e6992e946efe3360fd94d1a604", | ||
| "prometheus.sysconfig": "ec89a45641e3411478794106246aa91e7b72f86070a28a4782e3b8be955e4587", | ||
| "prometheus.yml": "0112e0bf54660c5e2391fff11a56404a25684c588caa7281677f7f8e19da6f28", | ||
| "promu-0.13.0.tar.gz": "3473b87214968c79158f553228baef6e9a37ed3e11e1a4f3e7267ffd3180a8b6" | ||
| "promu-0.14.0.tar.gz": "d71d2a0d54093f3f17dc406d7a5825b6d6acd304cd90d9c60ed3f1335fb6ed2a" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,10 @@ | ||
| # When upgrading Prometheus, run `./generate_source_tarball.sh --pkgVersion <version>` | ||
| # The script will spit out custom tarballs for `prometheus` and `promu` (More details in the script) | ||
| %global promu_version 0.13.0 | ||
| %global promu_version 0.14.0 | ||
| Summary: Prometheus monitoring system and time series database | ||
| Name: prometheus | ||
| Version: 2.37.0 | ||
| Release: 15%{?dist} | ||
| Version: 2.37.9 | ||
| Release: 1%{?dist} | ||
| License: Apache-2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -19,6 +19,7 @@ Source6: promu-%{promu_version}.tar.gz | |
| # Debian patch for default settings | ||
| Patch0: 02-Default_settings.patch | ||
| Patch1: CVE-2024-6104.patch | ||
| Patch2: CVE-2024-24786.patch | ||
| BuildRequires: golang | ||
| BuildRequires: nodejs | ||
| BuildRequires: systemd-rpm-macros | ||
|
|
@@ -132,6 +133,10 @@ fi | |
| %doc README.md RELEASE.md documentation | ||
|
|
||
| %changelog | ||
| * Tue Oct 08 2024 Bhagyashri Pathak <[email protected]> - 2.37.0-16 | ||
| - Bump version to patch CVE-2022-41717 | ||
| - Patch for CVE-2024-24786 | ||
|
|
||
| * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.37.0-15 | ||
| - Bump release to rebuild with go 1.22.7 | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters