github-actions[bot]
commented
1 week ago This PR was marked stale due to lack of activity. It will be closed in 7 days.
Closed renovate-bot closed 25 minutes ago
github-actions[bot]
commented
1 week ago This PR was marked stale due to lack of activity. It will be closed in 7 days.
github-actions[bot]
commented
25 minutes ago Closed as inactive. Feel free to reopen if this PR is still being worked on.
forking-renovate[bot]
commented
22 minutes ago Because you closed this PR without merging, Renovate will ignore this update (1.8.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
1.7.1->1.8.1GitHub Vulnerability Alerts
CVE-2024-32028
Impact
OpenTelemetry.Instrumentation.Httpwrites theurl.fullattribute/tag on spans (Activity) when tracing is enabled for outgoing http requests andOpenTelemetry.Instrumentation.AspNetCorewrites theurl.queryattribute/tag on spans (Activity) when tracing is enabled for incoming http requests.These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the
1.8.1the values written byOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCorewill pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.Note: Older versions of
OpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCoremay use different tag names but have the same vulnerability.Resolution
The
1.8.1versions ofOpenTelemetry.Instrumentation.Http&OpenTelemetry.Instrumentation.AspNetCorewill now redact by default all values detected on transmitted or received query strings.Example transmitted or received query sting:
?key1=value1&key2=value2Example of redacted value written on telemetry:
?key1=Redacted&key2=RedactedConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.