From nobody Mon Jan 30 10:30:43 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4P54Fv4WTBz3cBT6; Mon, 30 Jan 2023 10:30:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4P54Fv3xkBz3wt0; Mon, 30 Jan 2023 10:30:43 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1675074643; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=B18LWtgYIeXMrPcijVWh89RSt4pgbUWcNj66Lq6ntFk=; b=ml7RxYclDR4cMTJX7ST5CouvINfb+MH7ar6+jTLfjAA3xz/v6n3vqQY20LF9qTJDWtjR+c N6k5NoSsyKWqE38PQIbBLKreDFn7z91bn+pz2AW8BgxwNGB99QEbbJHOlsJ07I8czXQLAp eiSHVXZkY5ONQYZuXrG0+8me+WiDDp47MXs10qJWQjeMkcy80DTBo0jnm6qXsYp/EBfIsV Z4Na7BNcBdg5dBlVZLkIasFpnQ1GPh2AyeWekkd25pY3nGl5IOHalhnJuClWWBYeFQRCkE 8jTmgdTLIBF7IilmAvR2JyRhIfqyEijMPrf5naop2gjt/qUm1jambakQuoGQvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1675074643; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=B18LWtgYIeXMrPcijVWh89RSt4pgbUWcNj66Lq6ntFk=; b=OC+eHMn/tITMePm6YXP7YFU/FB4+/n4jpNzl2KWO76EbyPdi+9a2DTm/cje/NJHUdS+nev JrLofMAFKO36ZF68udr8RAbXXLvGuMXhJMTURRKtci4J/v+cUapoFZAsDXb6WbX3JgsR2L kxSZOSQHKMSPemC4KmOeKrba5YlVLaEPzjVsOgI3FGsb127pslmruQJNyHrsoUbciFJ2tu B44uSW4OgS1aO/z0mwYKBtRcC3I6NZ41/syFRP6TebhQfjiigJEFNvb93Wwnlij51mJ4S8 j5mlZIBYdNj0JMnMyALnjot8QoAE+vJ9SKpThH+rCwwl8Qocjpp7XvZPzzaX1A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1675074643; a=rsa-sha256; cv=none; b=S7mQrQNXjsx4BAM2gDycKMeyv8QV7O0EpZP4SY57uLZcFt4KOHoQ/bcsTCqbFkouS3tVR2 v4WL2zQo1bzw6HEvyP9OFiyFYULtGL3oU+7B2dYh5tpanzXbXDKIjdrFUuFVojI/PAtfEP ksr2XS1HiNPK2xt2EeBNLH9EUIT8CK1JOMyFFn34xmejYVQvBmPA2HA1WDYwRCzAKXbgBw l58ykh9IDUyYwxHzB+zjx2eQRhIYrcXR2MT6G+69iMRXF8Lht25evkkCP9XaTBmkarx1Cc mKCzSehLimVoWM6/RgstRr6hG1zVxD7nNApm9kc4k3J9zClrYM7mqyEG7fcUuw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4P54Fv300pz14Yk; Mon, 30 Jan 2023 10:30:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 30UAUhND026018; Mon, 30 Jan 2023 10:30:43 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 30UAUhJL026017; Mon, 30 Jan 2023 10:30:43 GMT (envelope-from git) Date: Mon, 30 Jan 2023 10:30:43 GMT Message-Id: <202301301030.30UAUhJL026017@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= Subject: git: e4bc259a1313 - main - security/vuxml: add net-mgmt/prometheus basic authentication bypass List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fernape X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e4bc259a13130d5c9440ee6913b69baab43f48ff Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=e4bc259a13130d5c9440ee6913b69baab43f48ff commit e4bc259a13130d5c9440ee6913b69baab43f48ff Author: Fernando ApesteguĂ­a AuthorDate: 2023-01-30 10:16:35 +0000 Commit: Fernando ApesteguĂ­a CommitDate: 2023-01-30 10:26:13 +0000 security/vuxml: add net-mgmt/prometheus basic authentication bypass CVE-2022-46146 PR: 269153 Reported by: dor.bsd@xm0.uk (maintainer) --- security/vuxml/vuln/2023.xml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index bc3205cfa2aa..69a71f064588 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,44 @@ + + prometheus2 -- basic authentication bypass + + + prometheus + 0.8.1 + + + + +

Prometheus team reports:

+
+

+ Prometheus and its exporters can be secured by a web.yml file that + specifies usernames and hashed passwords for basic authentication. + Passwords are hashed with bcrypt, which means that even if you have + access to the hash, it is very hard to find the original password + back. Passwords are hashed with bcrypt, which means that even if you + have access to the hash, it is very hard to find the original + password back. However, a flaw in the way this mechanism was + implemented in the exporter toolkit makes it possible with people + who know the hashed password to authenticate against Prometheus. + A request can be forged by an attacker to poison the internal cache + used to cache the computation of hashes and make subsequent requests + successful. This cache is used in both happy and unhappy scenarios + in order to limit side channel attacks that could tell an attacker + if a user is present in the file or not. +

+
+ +
+ + CVE-2022-46146 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46146 + + + 2022-11-28 + 2023-01-30 + +
+ chromium -- multiple vulnerabilities