
====================================================================

                             CERT-Renater

                  Information Note No. 2021/VULN285
_____________________________________________________________________

DATE                : 20/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Prometheus versions prior to 2.26.1,
                      2.27.1.

=====================================================================
https://groups.google.com/g/prometheus-announce/c/09rxCnx2teE
_____________________________________________________________________

Prometheus v2.26.1 / v2.27.1 (Security Release)

May 18, 2021, 16:48:07



Dear Prometheans,

We have released Prometheus v2.26.1 and v2.27.1. These releases fix an
“Open Redirect” security issue (CWE-601) and have been assigned the CVE
number CVE-2021-29622.

The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.

Please find more information here:
https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

The Prometheus team thanks Aaron Devaney from MDSec for reporting this
issue.

Timeline:

    May 12, 2021: Issue reported privately to Prometheus team

    May 12, 2021: A fix is proposed and reviewed

    May 13, 2021: CVE-2021-29622 issued by GitHub staff

    May 18, 2021: Bugfix released for the last two minor releases of
     Prometheus.


The releases can be found in the usual locations:

v2.26.1: https://github.com/prometheus/prometheus/releases/tag/v2.26.1

v2.27.1: https://github.com/prometheus/prometheus/releases/tag/v2.27.1


Thanks,

The Prometheus Team


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



