
security update backport – CVE-2023-45142

Open jufemaiz opened this issue 2 years ago • 1 comment

Description

CVE-2023-45142 notes that the affected versions are < 0.44.0; however, v0.44.0 has breaking changes due to semconv changes for a number of packages in this repository.

Backporting the CVE fix to older releases is needed to maintain security while continuing to use specified otel semconv implementations.

Environment

  • go.opentelemetry.io/contrib version: < v0.44.0

Steps To Reproduce

N/A

Expected behavior

Secured releases of older pinned semconv in use for each of the packages.

Related

https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277

https://github.com/open-telemetry/opentelemetry-go-contrib/issues/3657

jufemaiz avatar Oct 18 '23 00:10 jufemaiz
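To turn the "< v0.44.0" threshold quoted above into a repeatable check, here is an added example (not code from the issue author or from the opentelemetry-go-contrib project) that scans `go list -m all` output for the otelhttp module and reports a version below the fix threshold. The sample `go list` output is constructed for the example, the module path prefix is passed in so the same check can be pointed at any `go.opentelemetry.io/contrib` module, and the treatment of pre-release suffixes (stripped before comparison) is an assumption of this example, not something the advisory states.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the threshold quoted in the issue for CVE-2023-45142:
// affected versions are below v0.44.0.
const FixedVersion = "v0.44.0"

// OtelhttpModule is the module the advisory (GHSA-rcjv-mgp8-qvmr) concerns.
const OtelhttpModule = "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric parts.
// Assumption of this example: pre-release/build suffixes are stripped, so a
// pre-release of v0.44.0 compares equal to v0.44.0 (i.e. is not flagged).
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// lessThan reports whether a sorts before b by MAJOR, then MINOR, then PATCH.
func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// AffectedModules scans `go list -m all` output (one "path version" per line,
// optionally followed by "=> replacement") and returns every module whose path
// starts with modulePrefix and whose version is below FixedVersion.
func AffectedModules(goListOutput, modulePrefix string) ([]string, error) {
	fixed, err := parseSemver(FixedVersion)
	if err != nil {
		return nil, err
	}
	var affected []string
	for _, line := range strings.Split(goListOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 { // the main module line has no version; skip it
			continue
		}
		path, version := fields[0], fields[1]
		if !strings.HasPrefix(path, modulePrefix) {
			continue
		}
		v, err := parseSemver(version)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if lessThan(v, fixed) {
			affected = append(affected, path+" "+version)
		}
	}
	return affected, nil
}

// sampleGoList is constructed input imitating `go list -m all`; it is not
// taken from any real project.
const sampleGoList = `example.com/myservice
github.com/go-logr/logr v1.2.4
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.44.0
go.opentelemetry.io/contrib/propagators/b3 v1.19.0
go.opentelemetry.io/otel v1.18.0
`

func main() {
	affected, err := AffectedModules(sampleGoList, OtelhttpModule)
	if err != nil {
		panic(err)
	}
	for _, m := range affected {
		fmt.Println("below", FixedVersion+":", m)
	}
}
```

In a real project, pipe `go list -m all` into `AffectedModules` instead of the constructed sample; the second field is still the required version even when a `=> replacement` directive follows it, which is what the advisory's version range keys on.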

> Backporting the CVE fix to older releases is needed to maintain security while continuing to use specified otel semconv implementations.

What version(s) do you have in mind?

Can you not use any of the workarounds described in https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr?

Given that:

  1. The Security Policy does not say anything about backporting
  2. otelhttp is an experimental (non-stable) Go module
  3. We lack "developer-power"

I honestly think that we will not be able to backport the fix, unless someone volunteers to drive it.

> Secured releases of older pinned semconv in use for each of the packages.

This is not clear. Also, I am not sure which semconv you are worried about. The otelhttp schema URL has not changed for a while. My guess is that the problem is with the resource schema URL. If that is the case, then can you not use https://github.com/MrAlias/otel-schema-utils to convert the resource to your expected schema URL?

pellared avatar Oct 20 '23 09:10 pellared