prometheus / node_exporter

Exporter for machine metrics
https://prometheus.io/
Apache License 2.0

New patch release #3069

Closed harsimranmaan closed 3 days ago

harsimranmaan commented 3 days ago

Are there any plans to do a patch release with the latest golang patches? Some critical CVEs get flagged on the current binary.

TIA.

SuperQ commented 3 days ago

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable.

harsimranmaan commented 3 days ago

I am sorry if this came across as asking the prom team to verify something. I am mostly talking about publicly disclosed CVEs with patches available. Generally, critical CVEs are tracked as part of the dev process. The question is not about reporting CVEs but more on when patches can be expected for CVEs. E.g.: https://nvd.nist.gov/vuln/detail/CVE-2024-24790 has been flagged on node-exporter and fixed in go 1.21.11+.
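An added example, not part of the thread and not node_exporter code: one way to check which Go toolchain a downloaded binary was built with before citing a standard-library CVE against it. The 1.21.11 threshold is the one quoted above; the 1.22.4 threshold and the function names are assumptions of this example. A match shows only that the binary's standard library predates the fix, not that the affected code is reachable in it.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
)

// First patched release per line: 1.21.11 is quoted in the thread; 1.22.4 is
// the same fix on the 1.22 line (added here, not stated on the page).
var firstFixed = map[int]int{21: 11, 22: 4}

// parseGo turns "go1.21.10" into (21, 10). A pre-release such as "go1.22rc1"
// gets patch -1 so it sorts before every final release of its line.
func parseGo(v string) (minor, patch int, err error) {
	n, _ := fmt.Sscanf(v, "go1.%d.%d", &minor, &patch)
	switch {
	case n == 0:
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	case n == 1 && v != fmt.Sprintf("go1.%d", minor):
		patch = -1
	}
	return minor, patch, nil
}

// predatesFix reports whether a toolchain version lacks the CVE-2024-24790 fix.
func predatesFix(goVersion string) (bool, error) {
	minor, patch, err := parseGo(goVersion)
	if err != nil {
		return false, err
	}
	if fixed, ok := firstFixed[minor]; ok {
		return patch < fixed, nil
	}
	return minor < 21, nil // older lines never got the fix; newer ones ship it
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: gover <path-to-go-binary>")
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // build metadata embedded by the Go linker
	if err != nil {
		log.Fatal(err)
	}
	old, err := predatesFix(info.GoVersion)
	fmt.Printf("%s: built with %s, predates fix: %v, parse error: %v\n", os.Args[1], info.GoVersion, old, err)
}
```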