Your message dated Sun, 27 Aug 2023 16:44:19 +0200
with message-id <ZOthQx6j934/[email protected]>
and subject line Re: Accepted prometheus-alertmanager 0.26.0+ds-1 (source) into unstable
has caused the Debian Bug report #1050558,
regarding prometheus-alertmanager: CVE-2023-40577
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050558: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050558
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: prometheus-alertmanager
Version: 0.25.0+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for prometheus-alertmanager.

CVE-2023-40577[0]:
| Alertmanager handles alerts sent by client applications such as the
| Prometheus server. An attacker with the permission to perform POST
| requests on the /api/v1/alerts endpoint could be able to execute
| arbitrary JavaScript code on the users of Prometheus Alertmanager.
| This issue has been fixed in Alertmanager version 0.2.51.

Note the above seems to contain a typo in the description; it should be
0.25.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40577
    https://www.cve.org/CVERecord?id=CVE-2023-40577
[1] https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
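The advisory text above describes the bug class without showing it: an alert posted to /api/v1/alerts carries attacker-chosen label and annotation strings, and if the UI later puts those strings into HTML without escaping, the poster gets script execution in every browser that views the alert list (stored XSS). The Go program below is an added illustration of that class, written for this page; it is not Alertmanager's code and does not reproduce where the real flaw sat in its UI (see the GHSA link for that). The `Alert` struct, the `RenderUnsafe`/`RenderSafe` functions and the JSON body are all constructed for the example. The unsafe renderer concatenates strings the way a hand-rolled view would; the safe one uses `html/template`, which contextually escapes every interpolated value.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html/template"
	"sort"
	"strings"
)

// Alert mirrors the shape of one element in the JSON array that a client
// POSTs to /api/v1/alerts: a "labels" map and an "annotations" map.
// Constructed for this example; not Alertmanager's own type.
type Alert struct {
	Labels      map[string]string `json:"labels"`
	Annotations map[string]string `json:"annotations"`
}

// ParseAlerts decodes a POST body. Nothing here validates the values:
// whatever the poster wrote in a label is now stored and will be rendered.
func ParseAlerts(body []byte) ([]Alert, error) {
	var alerts []Alert
	if err := json.Unmarshal(body, &alerts); err != nil {
		return nil, fmt.Errorf("decoding alerts body: %w", err)
	}
	return alerts, nil
}

// sortedKeys gives deterministic output; Go map iteration order is random.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// RenderUnsafe builds the alert list by string concatenation. Label values
// reach the page byte-for-byte, so "<script>..." in a label is parsed by
// the browser as a script element: this is the vulnerable pattern.
func RenderUnsafe(alerts []Alert) string {
	var b strings.Builder
	b.WriteString("<ul>\n")
	for _, a := range alerts {
		b.WriteString("  <li>")
		for _, k := range sortedKeys(a.Labels) {
			fmt.Fprintf(&b, "%s=%s ", k, a.Labels[k])
		}
		b.WriteString("</li>\n")
	}
	b.WriteString("</ul>\n")
	return b.String()
}

// safeTmpl is the same layout expressed as an html/template. The package
// knows it is emitting HTML text and escapes <, >, &, quotes and + in every
// {{...}} value, so the label is displayed, not executed.
var safeTmpl = template.Must(template.New("alerts").Parse(
	"<ul>\n{{range .}}  <li>{{range $k, $v := .Labels}}{{$k}}={{$v}} {{end}}</li>\n{{end}}</ul>\n"))

// RenderSafe is the hardened counterpart of RenderUnsafe.
func RenderSafe(alerts []Alert) (string, error) {
	var buf bytes.Buffer
	if err := safeTmpl.Execute(&buf, alerts); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// constructedBody is a made-up payload of the kind a client could POST to
// /api/v1/alerts; the alertname label carries the injected markup.
const constructedBody = `[{"labels":{"alertname":"<script>alert(document.cookie)</script>","severity":"critical"},"annotations":{"summary":"disk almost full"}}]`

func main() {
	alerts, err := ParseAlerts([]byte(constructedBody))
	if err != nil {
		panic(err)
	}
	fmt.Print("unsafe:\n", RenderUnsafe(alerts))
	safe, err := RenderSafe(alerts)
	if err != nil {
		panic(err)
	}
	fmt.Print("safe:\n", safe)
}
```

Running it prints the raw `<script>` element in the unsafe listing and `&lt;script&gt;alert(document.cookie)&lt;/script&gt;` in the safe one. The practitioner's check is the same in any codebase that displays alert data: grep for places where label or annotation strings are concatenated into HTML or passed through `template.HTML`, and confirm every such sink goes through contextual escaping instead.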
--- Begin Message ---
Source: prometheus-alertmanager
Source-Version: 0.26.0+ds-1

On Sat, Aug 26, 2023 at 04:06:58PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sat, 26 Aug 2023 15:50:44 +0000
> Source: prometheus-alertmanager
> Architecture: source
> Version: 0.26.0+ds-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Go Packaging Team <[email protected]>
> Changed-By: Daniel Swarbrick <[email protected]>
> Changes:
>  prometheus-alertmanager (0.26.0+ds-1) unstable; urgency=medium
>  .
>    * New upstream release (fixes CVE-2023-40577)
>    * Add new dependency golang-github-hashicorp-golang-lru-v2-dev
>    * debian/copyright: drop superfluous trailing slashes in Files-Excluded
>    * debian/rules: modernize style to match other exporter packages
>    * Drop obsolete 09-Avoid_port_clash.patch
>    * Convert patches to gbp-pq format
>    * Add new 0007-Revert-kingpin.v2-import-path.patch
>    * Drop obsolete lintian overrides
>    * Refresh default alertmanager.yml config
> Checksums-Sha1:
>  e41ed5d7bacc8e2f8845d49745cc442b7fadd576 3871 prometheus-alertmanager_0.26.0+ds-1.dsc
>  8aa8138ed145ea81c0470e286ad56d92c1d44802 1509595 prometheus-alertmanager_0.26.0+ds.orig.tar.gz
>  03f50efdcc4ede24c439a0fa5f3e7f7e2ae50cda 20272 prometheus-alertmanager_0.26.0+ds-1.debian.tar.xz
>  eae194886954c3d5830659a569991dc28e0c7397 14540 prometheus-alertmanager_0.26.0+ds-1_amd64.buildinfo
> Checksums-Sha256:
>  b1d0fcca8b857214feb759f17d723b4b9da3bc451ae557e9ece49721c4b3c875 3871 prometheus-alertmanager_0.26.0+ds-1.dsc
>  26db3766a358d34e165fbbd176b1345a13368fa338956a70b0bc37915ded1b7e 1509595 prometheus-alertmanager_0.26.0+ds.orig.tar.gz
>  e4df34d93a3cbc43d06779e6a24d795106a00683523b5b365144d2daddd7c191 20272 prometheus-alertmanager_0.26.0+ds-1.debian.tar.xz
>  211f114126c304bf8af6902ff6789edca3724cac8ee7f2d553ca843e0968d0a6 14540 prometheus-alertmanager_0.26.0+ds-1_amd64.buildinfo
> Files:
>  251255697330451b80623c7f86b9b6fb 3871 net optional prometheus-alertmanager_0.26.0+ds-1.dsc
>  6f9e3957a115aca761eaf0b441dafa36 1509595 net optional prometheus-alertmanager_0.26.0+ds.orig.tar.gz
>  66e50225e47bffa6da0a4cd61364d43a 20272 net optional prometheus-alertmanager_0.26.0+ds-1.debian.tar.xz
>  0a7998ce415a5c048db4de006280eca3 14540 net optional prometheus-alertmanager_0.26.0+ds-1_amd64.buildinfo
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJKBAEBCgA0FiEEMD9oek78sa58GjWjtwAXP7uAWikFAmTqH9YWHGRzd2FyYnJp
> Y2tAZGViaWFuLm9yZwAKCRC3ABc/u4BaKfgLD/0WFcuc05QbgyLyaDgm08vY8Dd7
> MsW4eOya2aoNtqkHRY1k4B8hsnsbdCasdOunPrxhlrQK7ayEm7EMuAv2IA1XvHRP
> 120f7e1y7NjrtPcJOjQbpLyfOYRZCNSiZ5/sIefMr9Kon36u0SiOtjjly0vvhOJT
> OSMx9H+bcHdOQIhlu0+ybghBfqyrpDC+5triH/qSzQ7B3sCZv7ycJeOCIWWaoRVU
> DCdlxKEyWjGMCRxM7ryiG1EpyIDrGOi6fdl24JSrTCoRzyaglR5wi3QPo2d8mpr8
> alZ5QIsQM4CHahiWkg6907IaKMgL1nmV1kqCc3fsvMjhJqyiUCd503VNVONWmxWk
> 26XFkVO2WXydSjjA11/V7P1XmdqIctewh98IPhfyermxn9yau53uZ9wXJxOYB+sn
> ITenTJM4A3uvEENS3rx22hr6hKqUT7nANQ4CU6/rrsQQMUrzbBYUss9s6vlM4gZv
> gq39tKV39yK8HyK5vy6IB1HLIIqFWC0SSFbkgAdnceJrxxb4GKOTYNAB84cnwMrB
> pC6TpM/I9Wm8oQQm1fZy/prW4SpmRUhPNEAHlxJjG9S7v/KOhTDpMvEJCKgM0t/h
> ZksNzUVBp6mnjeTE5wYorzO6GGb9mn/iQS0zsZrCYa6JTMfnE0QwqiEthRBCu5wd
> Rdu6a+6ISbg8CS2O6g==
> =t37U
> -----END PGP SIGNATURE-----
> 

--- End Message ---
