Prometheus client_golang releases v1.11.1 and v1.12.1 with security fix for CVE-2022-21698

Bartłomiej Płotka

Feb 15, 2022, 6:37:28 AM2/15/22
to prometheus-announce
Hi,

Recently we released two new versions for Prometheus client_golang. Thanks for all your contributions!

  • Patch release v1.11.1 with just a security fix for the just-published CVE-2022-21698
  • Minor + patch release v1.12.1 with (in comparison to v1.11):
    • Improved efficiency of the API client
    • The Go collector now exposes much richer Go process metrics (plus the old ones), all from the new runtime/metrics package. Thanks to the Go team and particularly Michael for this contribution. NOTE: This might slightly increase the total series count exposed about the Go process. See this discussion for details.
    • Added client API support for the TSDB Status and WAL Replay Platform API
    • Security fix for the just-published CVE-2022-21698

IMPORTANT: We recommend upgrading client_golang to either of those versions, given the uncovered CVE. Please see the details, whether you are affected, and workarounds here. It is also recommended to check other, non-client_golang metric server implementations for whether they are vulnerable to a similar "HTTP method" issue. Kudos to David for reporting this to us so quickly.

Kind Regards,
Bartek Plotka @bwplotka