Hi Martina,

On Wed, May 19, 2021 at 11:36:01PM +0100, Martina Ferrari wrote:
> Hi Salvatore,
>
> On 19/05/2021 19:40, Salvatore Bonaccorso wrote:
> >
> > The following vulnerability was published for prometheus.
> >
> > CVE-2021-29622[0]:
> > | Open Redirect under the /new endpoint
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
>
> Thanks for sending this for our attention. Luckily, one of our patches had
> disabled this functionality (due to lack of React support in Debian), and so
> we are not vulnerable.
>
> This is the relevant part of the patch
> (debian/patches/01-Do_not_embed_blobs.patch ):
>
>
> - // Redirect the original React UI's path (under "/new") to its new path at
> the root.
> - router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
> - p := route.Param(r.Context(), "path")
> - http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p,
> "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
> + // Catch requests to legacy URLs that would try to hit the "new" web UI
> + router.Get("/graph/", func(w http.ResponseWriter, r *http.Request) {
> + http.Redirect(w, r, path.Join(o.ExternalURL.Path,
> "/classic/graph")+"?"+r.URL.RawQuery, http.StatusFound)
> })
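Review bot: the removed `router.Get("/new/*path", ...)` handler derived its Location header from the request path (`p := route.Param(r.Context(), "path")`, then `strings.TrimPrefix(p, "/new")` joined onto `o.ExternalURL.Path`), which is the user-controlled input behind the open redirect, whereas the replacement `/graph/` handler joins `o.ExternalURL.Path` with the constant `"/classic/graph"`, so no request-derived path component reaches `http.Redirect` any more; `r.URL.RawQuery` is still appended verbatim, but a query string cannot change the origin of the redirect target. Two points remain for the changelog and for anyone verifying the claim: the fragment carries no `@@` header, so it does not show whether any other `/new` route is still registered elsewhere in the file, and because the `/new/*path` route is dropped outright rather than restricted, the entry should state that `/new` is no longer handled and cite CVE-2021-29622 as the advisory mail requests.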
Thanks, so I have to assume we are protected since 63d6cb569d4e ("Refresh
patches and patch out react-app URL handlers") in the packaging repository,
which would be in debian/2.15.2+ds-1. Is this correct?

Regards,
Salvatore