Date: Tue, 1 Jun 2021 03:03:37 GMT From: Guangyuan Yang <ygy@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 6890a3c0b215 - main - security/vuxml: Document vulnerability in net-mgmt/prometheus2 Message-ID: <202106010303.15133bvi059279@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by ygy: URL: https://cgit.FreeBSD.org/ports/commit/?id=6890a3c0b215c66ee4ac27745dc8caee73dda7f8 commit 6890a3c0b215c66ee4ac27745dc8caee73dda7f8 Author: David O'Rourke <dor.bsd@xm0.uk> AuthorDate: 2021-06-01 03:02:51 +0000 Commit: Guangyuan Yang <ygy@FreeBSD.org> CommitDate: 2021-06-01 03:02:51 +0000 security/vuxml: Document vulnerability in net-mgmt/prometheus2 PR: 255976 Security: CVE-2021-29622 Approved by: lwhsu (mentor) --- security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 547d51e10b82..70fc3181c123 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,45 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="59ab72fb-bccf-11eb-a38d-6805ca1caf5c"> + <topic>Prometheus -- arbitrary redirects</topic> + <affects> + <package> + <name>prometheus2</name> + <range><ge>2.23.0</ge><lt>2.26.1</lt></range> + <range><eq>2.27.0</eq></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Prometheus reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-29622">; + <p> + Prometheus is an open-source monitoring system and time series + database. In 2.23.0, Prometheus changed its default UI to the New + ui. To ensure a seamless transition, the URL's prefixed by /new + redirect to /. Due to a bug in the code, it is possible for an + attacker to craft an URL that can redirect to any other URL, in the + /new endpoint. If a user visits a prometheus server with a + specially crafted address, they can be redirected to an arbitrary + URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In + 2.28.0, the /new endpoint will be removed completely. The + workaround is to disable access to /new via a reverse proxy in + front of Prometheus. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-29622</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-29622</url>; + </references> + <dates> + <discovery>2021-05-18</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + <vuln vid="fd24a530-c202-11eb-b217-b42e99639323"> <topic>wayland -- integer overflow</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106010303.15133bvi059279>