Prometheus v2.26.1 / v2.27.1 (Security Release)


Chris Marchbanks

May 18, 2021, 10:48:07 AM
to prometheu...@googlegroups.com

Dear Prometheans,


We have released Prometheus v2.26.1 and v2.27.1. These releases fix an “Open Redirect” security issue (CWE-601) and have been assigned the CVE number CVE-2021-29622.


The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.


Please find more information here: https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

The Prometheus team thanks Aaron Devaney from MDSec for reporting this issue.


Timeline:

  • May 12, 2021: Issue reported privately to Prometheus team

  • May 12, 2021: A fix is proposed and reviewed

  • May 13, 2021: CVE-2021-29622 issued by GitHub staff

  • May 18, 2021: Bugfix released for the last two minor releases of Prometheus.


The releases can be found in the usual locations:


v2.26.1: https://github.com/prometheus/prometheus/releases/tag/v2.26.1

v2.27.1: https://github.com/prometheus/prometheus/releases/tag/v2.27.1


Thanks,


The Prometheus Team
