Accepting request 1184874 from server:monitoring
OBS-URL: https://build.opensuse.org/request/show/1184874 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/golang-github-prometheus-prometheus?expand=0&rev=45
commit
9c4087f36b
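--- a/0003-Bump-go-retryablehttp.patch
+++ b/0003-Bump-go-retryablehttp.patch
@@ -0,0 +1,61 @@
+From 4d25a94faa74e0a16e4bb7874c1d82faaf911d85 Mon Sep 17 00:00:00 2001
+From: Daniel Mellado <dmellado@redhat.com>
+Date: Tue, 25 Jun 2024 16:31:03 +0200
+Subject: [PATCH] Bump go-retryablehttp to fix basic auth creds leak
+
+This PR updates go-retryablehttp to version 0.7.7, even if it's used as
+an indirect import. Versions previous to that can didn't sanitize urls,
+discussed at HDCSEC-2024-12 [1]
+
+[1] https://discuss.hashicorp.com/t/hcsec-2024-12-go-retryablehttp-can-leak-basic-auth-credentials-to-log-files/68027
+
+Signed-off-by: Daniel Mellado <dmellado@redhat.com>
+---
+go.mod | 4 ++--
+go.sum | 9 ++++-----
+2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index ac8b4f469d0..ce2f0714a0a 100644
+--- a/go.mod
++++ b/go.mod
+@@ -146,10 +146,10 @@ require (
+github.com/hashicorp/cronexpr v1.1.2 // indirect
+github.com/hashicorp/errwrap v1.1.0 // indirect
+github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+- github.com/hashicorp/go-hclog v1.5.0 // indirect
++ github.com/hashicorp/go-hclog v1.6.3 // indirect
+github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+github.com/hashicorp/go-multierror v1.1.1 // indirect
+- github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
++ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+github.com/hashicorp/golang-lru v0.6.0 // indirect
+github.com/hashicorp/serf v0.10.1 // indirect
+diff --git a/go.sum b/go.sum
+index 06db002f55b..956b9d89492 100644
+--- a/go.sum
++++ b/go.sum
+@@ -369,9 +369,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng
+github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
+-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
++github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
++github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc=
+github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
+@@ -383,8 +382,8 @@ github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
+-github.com/hashicorp/go-retryablehttp v0.7.4 h1:ZQgVdpTdAL7WpMIwLzCfbalOcSUdkDZnpUv3/+BxzFA=
+-github.com/hashicorp/go-retryablehttp v0.7.4/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
++github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
++github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
+github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
+github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=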
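Review bot: The added patch also moves go-hclog from v1.5.0 to v1.6.3 (the go.mod hunk and the first go.sum hunk) while its Subject and body describe only the go-retryablehttp bump, so anyone auditing the CVE-2024-6104 backport finds a second, undocumented dependency change. Presumably v1.6.3 is what go-retryablehttp v0.7.7 now requires; one sentence in the patch description would make the scope explicit, e.g. `go-hclog is raised to v1.6.3 because go-retryablehttp v0.7.7 requires it`. The description's advisory id `HDCSEC-2024-12` also does not match the `hcsec-2024-12` in the linked URL. Because this package builds from a vendor tarball, editing go.mod and go.sum only takes effect if vendor/modules.txt carries the same versions; the LFS pointer change later in this commit suggests the tarball was regenerated, but that is worth confirming rather than assuming.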
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 28 15:31:44 UTC 2024 - Witek Bedyk <witold.bedyk@suse.com>
|
||||
|
||||
- Bump go-retryablehttp to version 0.7.7
|
||||
(CVE-2024-6104, bsc#1227038)
|
||||
- Add 0003-Bump-go-retryablehttp.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 19 10:54:30 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
|
||||
|
||||
|
@ -47,6 +47,8 @@ Source9: PACKAGING_README.md
|
||||
Patch1: 0001-Do-not-force-the-pure-Go-name-resolver.patch
|
||||
# Lifted from Debian's prometheus package
|
||||
Patch2: 0002-Default-settings.patch
|
||||
# https://github.com/prometheus/prometheus/pull/14345 (CVE-2024-6104)
|
||||
Patch3: 0003-Bump-go-retryablehttp.patch
|
||||
BuildRequires: fdupes
|
||||
%if 0%{?suse_version} == 1500 && 0%{?sle_version} < 150300
|
||||
BuildRequires: firewall-macros
|
||||
|
@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:094296528d7c81e038999c8ed4889f9a6d5590ab5b508c0c90a6ffb0f70d4719
|
||||
size 14453467
|
||||
oid sha256:e2b0c9f3ae8bc6f0bca709480472cc891f1537c218d4d4b9bbc9dbae2aefcf8f
|
||||
size 15117166
|
||||
|