Details in tracker. This package bundles the vulnerable Go package; is the exporter actually vulnerable?
snmp_exporter-0.21.0 in Gentoo uses exporter-toolkit 0.8.1 and is vulnerable. Please update to a newer version of snmp_exporter. snmp-exporter 0.23.0 appears to be the first version with fixed exporter-toolkit 0.8.2.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3448245ff66ebd4df46bcef57da81492fcedd6df

commit 3448245ff66ebd4df46bcef57da81492fcedd6df
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-10-29 17:15:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-10-29 17:21:50 +0000

    app-metrics/snmp_exporter: add 0.24.1

    Bug: https://bugs.gentoo.org/883649
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-metrics/snmp_exporter/Manifest | 2 +
 .../snmp_exporter/snmp_exporter-0.24.1.ebuild | 52 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b37d32ef5866c70fcf9c73329547670505bbd014

commit b37d32ef5866c70fcf9c73329547670505bbd014
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-01-07 05:23:19 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-01-07 05:23:19 +0000

    app-metrics/snmp_exporter: drop 0.21.0

    Bug: https://bugs.gentoo.org/883649
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-metrics/snmp_exporter/Manifest | 2 -
 .../snmp_exporter/snmp_exporter-0.21.0.ebuild | 52 ----------------------
 2 files changed, 54 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e492570856b594062317bd546458906bb588293d

commit e492570856b594062317bd546458906bb588293d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-12 10:52:37 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-12 10:53:09 +0000

    [ GLSA 202401-15 ] Prometheus SNMP Exporter: Basic Authentication Bypass

    Bug: https://bugs.gentoo.org/883649
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-15.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)