
[fix][sec] Upgrade prometheus client_golang to v1.12.2 to fix CVE-2022-21698 #20579

Merged
merged 1 commit into from Jun 16, 2023

Conversation

@ericsyh ericsyh commented Jun 14, 2023

Fixes #xyz

Master Issue: #xyz

PIP: #xyz

Motivation

Prometheus client_golang v1.11.1 is impacted by the CVE-2022-21698

Modifications

Upgrade the Prometheus client_golang to v1.12.2

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

My local repo CI result:
https://github.com/ericsyh/pulsar/pull/2

Signed-off-by: ericsyh <ericshenyuhao@outlook.com>
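A small dependency-pin check for the upgrade this PR makes, added here as an example (not code from Pulsar or from this PR): it reads a go.mod and reports whether github.com/prometheus/client_golang is pinned at the target v1.12.2 or newer. The go.mod excerpt is constructed and the function names are my own.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt (not from the Pulsar repository), still on the pre-upgrade pin.
const sampleGoMod = `require (
	github.com/prometheus/client_golang v1.11.1
	github.com/stretchr/testify v1.8.0 // indirect
)`

// RequiredVersion finds module's version in a single-line or block require
// directive; trailing comments such as "// indirect" are tolerated.
func RequiredVersion(gomod, module string) (string, bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// field returns the i-th numeric part of "vMAJOR.MINOR.PATCH", or -1 when it is missing or
// not a plain integer (pre-release and pseudo-versions), so an unreadable pin never passes.
func field(v string, i int) int {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if i < len(parts) {
		if n, err := strconv.Atoi(parts[i]); err == nil {
			return n
		}
	}
	return -1
}

// AtLeast reports whether gomod pins module at minimum or newer; a missing pin fails.
func AtLeast(gomod, module, minimum string) bool {
	have, ok := RequiredVersion(gomod, module)
	if !ok {
		return false
	}
	for i := 0; i < 3; i++ {
		if h, m := field(have, i), field(minimum, i); h != m {
			return h > m
		}
	}
	return true
}
```

Pseudo-versions and pre-releases deliberately fail the check so that they get reviewed by hand rather than silently passing.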
@github-actions github-actions bot added the "doc-not-needed" label (Your PR changes do not impact docs) Jun 14, 2023

ericsyh commented Jun 14, 2023

@codelipenghui @freeznet PTAL

@ericsyh ericsyh changed the title [improve][function-go]: upgrade prom client_golang to v1.12.2 to fix CVE-2022-21698 [improve][fn]: upgrade prom client_golang to v1.12.2 to fix CVE-2022-21698 Jun 16, 2023
@codecov-commenter

Codecov Report

Merging #20579 (acea6c7) into master (3069464) will increase coverage by 41.08%.
The diff coverage is n/a.


@@              Coverage Diff              @@
##             master   #20579       +/-   ##
=============================================
+ Coverage     31.93%   73.01%   +41.08%     
- Complexity    11776    31978    +20202     
=============================================
  Files          1498     1867      +369     
  Lines        114571   138636    +24065     
  Branches      12422    15231     +2809     
=============================================
+ Hits          36583   101220    +64637     
+ Misses        73149    29383    -43766     
- Partials       4839     8033     +3194     
Flag        Coverage Δ
inttests    24.15% <ø> (?)
systests    24.96% <ø> (?)
unittests   72.31% <ø> (+40.38%) ⬆️

Flags with carried forward coverage won't be shown.

see 1552 files with indirect coverage changes

@tisonkun

Merging...

Thank you!

I wonder what versions are expected to be cherry-picked.

@tisonkun tisonkun added this to the 3.1.0 milestone Jun 16, 2023
@tisonkun tisonkun merged commit a85e9df into apache:master Jun 16, 2023
51 of 53 checks passed
@tisonkun tisonkun changed the title [improve][fn]: upgrade prom client_golang to v1.12.2 to fix CVE-2022-21698 [fix][sec] Upgrade prometheus client_golang to v1.12.2 to fix CVE-2022-21698 Jun 16, 2023

ericsyh commented Jun 16, 2023

Merging...

Thank you!

I wonder what versions are expected to be cherry-picked.

I think 3.0, 2.11, and 2.10 active branches should cherry-pick this PR.
