CVE-2024-36129 in upstream OTEL Collector
conor-naranjo opened this issue
Describe the question
A DoS vulnerability was identified in the upstream OTEL Collector as documented here:
GHSA-c74f-6mfw-mm4v
https://opentelemetry.io/blog/2024/cve-2024-36129/
Is the AWS Distro affected by this issue and if so when can a patch downstream be expected?
E: I see the patches applied - when can they be expected in a release?
d5ff217
Steps to reproduce if your question is related to an action
N/A
What did you expect to see?
N/A
Environment
N/A
Additional context
N/A
The patch that was applied here does fix the problem and has been released with v0.39.1. Because this patch is backported, scanning tools that only look at module versions may incorrectly report it as not fixed. #2748 will be followed by a v0.40.0 release that will allow scanning tools that only look at module versions to correctly report it as fixed.
I'd also like to take this time to remind everyone that reporting security concerns through public issues is not in alignment with our security policy or general best practices.