
Fix for CVE-2022-21698

Open · bschoenbach opened this issue 3 years ago · 1 comment

Please update client_golang to v1.11.0 in order to fix https://nvd.nist.gov/vuln/detail/CVE-2022-21698

bschoenbach avatar Apr 27 '22 12:04 bschoenbach

Hi @bschoenbach

You can find 1.11.1 in v0.10.0 already.

But if I'm reading that right, the CVE you're referring to was fixed in v1.11.1, and you can find it in our edge version of the Docker image.

We don't have a date for the next release yet; I'll let you know when that happens in case you're not able to use edge.

lucacome avatar May 05 '22 09:05 lucacome
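An added check, not code from the nginx-prometheus-exporter project or from anyone in this thread: it reads the module list that `go version -m` prints for a Go binary and reports whether the embedded client_golang is at or above v1.11.1, the version the thread names as carrying the fix. The `go version -m` output format is assumed from the Go toolchain, and the sample listings below are constructed.

```shell
#!/bin/sh
# Added example (not from the nginx-prometheus-exporter project or this thread):
# decide whether a build of the exporter carries the client_golang fix discussed
# above, by reading the module list that `go version -m <binary>` prints.

FIXED_VERSION="v1.11.1"   # first client_golang release with the fix, per the thread

# Constructed samples of `go version -m` output (tab-separated; "h1:" hash is a placeholder).
SAMPLE_OLD=$(printf 'nginx-prometheus-exporter: go1.17.6\n\tpath\tgithub.com/nginxinc/nginx-prometheus-exporter\n\tdep\tgithub.com/prometheus/client_golang\tv1.11.0\th1:PLACEHOLDER=\n')
SAMPLE_FIXED=$(printf 'nginx-prometheus-exporter: go1.19.1\n\tpath\tgithub.com/nginxinc/nginx-prometheus-exporter\n\tdep\tgithub.com/prometheus/client_golang\tv1.11.1\th1:PLACEHOLDER=\n')

# Print the resolved client_golang version from `go version -m` output on stdin.
client_golang_version() {
  awk -F'\t' '$2 == "dep" && $3 == "github.com/prometheus/client_golang" { print $4; exit }'
}

# Exit 0 if version $1 >= $2 (vMAJOR.MINOR.PATCH; any -pre/+build suffix is ignored).
semver_ge() {
  a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
  b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*$//')
  printf '%s\n%s\n' "$a" "$b" | awk -F. '
    NR == 1 { a1 = $1 + 0; a2 = $2 + 0; a3 = $3 + 0 }
    NR == 2 { b1 = $1 + 0; b2 = $2 + 0; b3 = $3 + 0 }
    END { if (a1 > b1 || (a1 == b1 && (a2 > b2 || (a2 == b2 && a3 >= b3)))) exit 0; exit 1 }'
}

# Classify the module listing on stdin: exit 0 "fixed", 1 "vulnerable", 2 "unknown".
assess() {
  v=$(client_golang_version)
  if [ -z "$v" ]; then echo "unknown"; return 2; fi
  if semver_ge "$v" "$FIXED_VERSION"; then echo "fixed ($v)"; return 0; fi
  echo "vulnerable ($v)"; return 1
}

printf '%s\n' "$SAMPLE_OLD" | assess || echo "(exit status $?: action needed)"
printf '%s\n' "$SAMPLE_FIXED" | assess
# On a real build: go version -m ./nginx-prometheus-exporter | assess
```

The same listing can be pulled from a container image by running `go version -m` against the binary copied out of it, so the check works for the edge image as well as a locally built exporter.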

Hi @lucacome, are there any updates on the date of the new release v0.11.0 yet? Unfortunately we cannot use the Edge version and would be very happy about an update. Thank you very much! Best, Timo

TimoBuechert avatar Aug 26 '22 09:08 TimoBuechert

We generally follow a quarterly release cycle for this and the related projects. The current target for that is the start of October. Is there a belief that, given how this project functions as a read-only endpoint, the vulnerability could be easily exploited?

brianehlert avatar Aug 26 '22 13:08 brianehlert

Hi @TimoBuechert, I'd like to at least merge the outstanding PRs before a new release.

lucacome avatar Aug 27 '22 01:08 lucacome

All right, thank you guys! From our point of view the vulnerability is not harmful for us; however, we have a general policy in our project that certain vulnerabilities should be fixed in a timely manner, if possible. That's why we are interested in the new release :)

TimoBuechert avatar Aug 30 '22 12:08 TimoBuechert

Looks like it might take a while to address the open PRs and it doesn't really make sense to leave a CVE out in the wild while we resolve them.

The new plan is to release tomorrow (Sept 07), stay tuned 🙂

lucacome avatar Sep 06 '22 23:09 lucacome

https://github.com/nginxinc/nginx-prometheus-exporter/releases/tag/v0.11.0 is released

lucacome avatar Sep 07 '22 21:09 lucacome