From d2ac7dccfbc540f94187d4d8f1d404677e348dcc Mon Sep 17 00:00:00 2001
From: mattdurham
Date: Thu, 6 Jun 2024 11:19:11 -0400
Subject: [PATCH] Update custom opentelemetry branch with changes. cve-2024-36129
---
 CHANGELOG.md | 7 +++++++
 .../components/otelcol.receiver.jaeger.md | 2 +-
 .../components/otelcol.receiver.otlp.md | 2 +-
 .../components/otelcol.receiver.zipkin.md | 2 +-
 go.mod | 10 ++++++++--
 go.sum | 16 ++++++++--------
 6 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d3ed1055f90..2cb18f0abe2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,13 @@ internal API changes are not present.
 Main (unreleased)
 -----------------
+### Breaking changes
+
+
+- Applied OpenTelemetry [CVE-2024-36129](https://github.com/open-telemetry/opentelemetry-collector/security/advisories/GHSA-c74f-6mfw-mm4v) fixes. (@mattdurham)
+ - Components `otelcol.receiver.otlp`,`otelcol.receiver.zipkin` and `otelcol.receiver.jaeger` setting `max_request_body_size`
+ default changed from unlimited size to `20MiB`.
+
 v0.41.0 (2024-05-31)
 --------------------
diff --git a/docs/sources/flow/reference/components/otelcol.receiver.jaeger.md b/docs/sources/flow/reference/components/otelcol.receiver.jaeger.md
index a77bc58c376e..b4a6e0f1058a 100644
--- a/docs/sources/flow/reference/components/otelcol.receiver.jaeger.md
+++ b/docs/sources/flow/reference/components/otelcol.receiver.jaeger.md
@@ -164,7 +164,7 @@ The following arguments are supported:
 Name | Type | Description | Default | Required
 ---- | ---- | ----------- | ------- | --------
 `endpoint` | `string` | `host:port` to listen for traffic on. | `"0.0.0.0:14268"` | no
-`max_request_body_size` | `string` | Maximum request body size the server will allow. No limit when unset. | | no
+`max_request_body_size` | `string` | Maximum request body size the server will allow. | `20MiB` | no
 `include_metadata` | `boolean` | Propagate incoming connection metadata to downstream consumers. | | no
 ### cors block
diff --git a/docs/sources/flow/reference/components/otelcol.receiver.otlp.md b/docs/sources/flow/reference/components/otelcol.receiver.otlp.md
index 86b3633c4ac5..116591fae318 100644
--- a/docs/sources/flow/reference/components/otelcol.receiver.otlp.md
+++ b/docs/sources/flow/reference/components/otelcol.receiver.otlp.md
@@ -142,7 +142,7 @@ The following arguments are supported:
 Name | Type | Description | Default | Required
 ---- | ---- | ----------- | ------- | --------
 `endpoint` | `string` | `host:port` to listen for traffic on. | `"0.0.0.0:4318"` | no
-`max_request_body_size` | `string` | Maximum request body size the server will allow. No limit when unset. | | no
+`max_request_body_size` | `string` | Maximum request body size the server will allow. | `20MiB` | no
 `include_metadata` | `boolean` | Propagate incoming connection metadata to downstream consumers. | | no
 `traces_url_path` | `string` | The URL path to receive traces on. | `"/v1/traces"`| no
 `metrics_url_path` | `string` | The URL path to receive metrics on. | `"/v1/metrics"` | no
diff --git a/docs/sources/flow/reference/components/otelcol.receiver.zipkin.md b/docs/sources/flow/reference/components/otelcol.receiver.zipkin.md
index 87ed3b6cedfc..077aae622d14 100644
--- a/docs/sources/flow/reference/components/otelcol.receiver.zipkin.md
+++ b/docs/sources/flow/reference/components/otelcol.receiver.zipkin.md
@@ -39,7 +39,7 @@ Name | Type | Description | Default | Required
 ---- | ---- | ----------- | ------- | --------
 `parse_string_tags` | `bool` | Parse string tags and binary annotations into non-string types. | `false` | no
 `endpoint` | `string` | `host:port` to listen for traffic on. | `"0.0.0.0:9411"` | no
-`max_request_body_size` | `string` | Maximum request body size the HTTP server will allow. No limit when unset. | | no
+`max_request_body_size` | `string` | Maximum request body size the server will allow. | `20MiB` | no
 `include_metadata` | `boolean` | Propagate incoming connection metadata to downstream consumers. | | no
 If `parse_string_tags` is `true`, string tags and binary annotations are
diff --git a/go.mod b/go.mod
index dba9e3f36199..da9ba840cc99 100644
--- a/go.mod
+++ b/go.mod
@@ -768,8 +768,14 @@ replace (
 // https://github.com/open-telemetry/opentelemetry-collector/pull/7696
 // https://github.com/open-telemetry/opentelemetry-collector/issues/4970
 replace (
- go.opentelemetry.io/collector/otelcol => github.com/grafana/opentelemetry-collector/otelcol v0.0.0-20240321103955-8919a1c85cbe
- go.opentelemetry.io/collector/service => github.com/grafana/opentelemetry-collector/service v0.0.0-20240321103955-8919a1c85cbe
+ go.opentelemetry.io/collector/otelcol => github.com/grafana/opentelemetry-collector/otelcol v0.0.0-20240606144032-13b77f7c5603
+ go.opentelemetry.io/collector/service => github.com/grafana/opentelemetry-collector/service v0.0.0-20240606144032-13b77f7c5603
+)
+
+// This is to fix https://opentelemetry.io/blog/2024/cve-2024-36129
+replace (
+ go.opentelemetry.io/collector/config/configgrpc => github.com/grafana/opentelemetry-collector/config/configgrpc v0.0.0-20240606144032-13b77f7c5603
+ go.opentelemetry.io/collector/config/confighttp => github.com/grafana/opentelemetry-collector/config/confighttp v0.0.0-20240606144032-13b77f7c5603
 )
 // Required to avoid an ambiguous import with github.com/tencentcloud/tencentcloud-sdk-go
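Review bot: The new `replace` block redirects `config/configgrpc` and `config/confighttp` to a fork pseudo-version while the `require` entries presumably still name upstream v0.96.0 (the go.sum hunk drops only the v0.96.0 hashes), and a `replace` directive is honoured only when this repository is the main module, so anything that imports it as a library will keep resolving the unpatched upstream modules. That limitation, and the condition for retiring the pin, should sit next to the directive so the four fork replaces are dropped together when the collector dependency is next bumped, e.g. `// This is to fix https://opentelemetry.io/blog/2024/cve-2024-36129; remove once the collector dependency is upgraded to a release that contains the fix. Note: replace directives do not apply to downstream importers of this module.` Both the existing and the new block now pin the same pseudo-version, so folding them into a single `replace (` block with one comment would keep the four entries from drifting apart on the next update.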
diff --git a/go.sum b/go.sum
index 9cc619280431..ea0d93d3a82c 100644
--- a/go.sum
+++ b/go.sum
@@ -1051,10 +1051,14 @@ github.com/grafana/mysqld_exporter v0.12.2-0.20231005125903-364b9c41e595 h1:I9sR github.com/grafana/mysqld_exporter v0.12.2-0.20231005125903-364b9c41e595/go.mod h1:U8ifHC5pT2WuVTO7ki4KZmWLjfEKfktQiU3bh0J8scw= github.com/grafana/node_exporter v0.18.1-grafana-r01.0.20231004161416-702318429731 h1:vyyIYY2sLpmgFIckJ1vSO/oYkvB0thDF6UiFYp5PThM= github.com/grafana/node_exporter v0.18.1-grafana-r01.0.20231004161416-702318429731/go.mod h1:vOZxEzxm0nZmuNqjtIfvtmvdRtJik9POmcN5mQVLf5E= -github.com/grafana/opentelemetry-collector/otelcol v0.0.0-20240321103955-8919a1c85cbe h1:XffwtyK11B/undScvvYBi/LSWG7ob43lzkdhxmxZkJw= -github.com/grafana/opentelemetry-collector/otelcol v0.0.0-20240321103955-8919a1c85cbe/go.mod h1:Xo58hEmoZFLyOIs9Wk400ME9gEFV+ttxCGcls6NxbhI= -github.com/grafana/opentelemetry-collector/service v0.0.0-20240321103955-8919a1c85cbe h1:LEmmaAnTjtp7pWCsnc8iMfuHIHzDbYIiCXnxpMTOLms= -github.com/grafana/opentelemetry-collector/service v0.0.0-20240321103955-8919a1c85cbe/go.mod h1:9El7PPhnV+2xPXLlyileLaUa5mOE+vw6sswmcZBaUlc= +github.com/grafana/opentelemetry-collector/config/configgrpc v0.0.0-20240606144032-13b77f7c5603 h1:F3jPOSv2BEO9kuCmlC02pyykcUPkDvgEfWC2pbcWq9M= +github.com/grafana/opentelemetry-collector/config/configgrpc v0.0.0-20240606144032-13b77f7c5603/go.mod h1:uUxDCwvWvyf331boTH8/gZhUXXST2r1ps5+ZAvxZl4o= +github.com/grafana/opentelemetry-collector/config/confighttp v0.0.0-20240606144032-13b77f7c5603 h1:f/rfuBzUEi7zV/bgazSeBH+I4z7a5JoeuhrZEl6ftic= +github.com/grafana/opentelemetry-collector/config/confighttp v0.0.0-20240606144032-13b77f7c5603/go.mod h1:KWac7J9mNFjtN4dQz8AUmFVBr7c2UOfo5OM7wfdPToI= +github.com/grafana/opentelemetry-collector/otelcol v0.0.0-20240606144032-13b77f7c5603 h1:g0fFX99XCDM8BOHnvJ3yLaRd4GPz9BcmiuDzB29GteM= +github.com/grafana/opentelemetry-collector/otelcol v0.0.0-20240606144032-13b77f7c5603/go.mod h1:Xo58hEmoZFLyOIs9Wk400ME9gEFV+ttxCGcls6NxbhI= +github.com/grafana/opentelemetry-collector/service 
v0.0.0-20240606144032-13b77f7c5603 h1:ItTHpGwsZ1JvHKUZ0OzMI9KseTE29fHf/sHhC+86BjM= +github.com/grafana/opentelemetry-collector/service v0.0.0-20240606144032-13b77f7c5603/go.mod h1:9El7PPhnV+2xPXLlyileLaUa5mOE+vw6sswmcZBaUlc= github.com/grafana/postgres_exporter v0.15.1-0.20240417113938-9358270470dd h1:vNHdecaOmYgSHMEQRgyzWacV++N38Jp8qLZg0RCsfFo= github.com/grafana/postgres_exporter v0.15.1-0.20240417113938-9358270470dd/go.mod h1:kR16GJ0ZwWVQ2osW3pgtDJU1a/GXpufrwio0kLG14cg= github.com/grafana/prometheus v1.8.2-0.20240130142130-51b39f24d406 h1:LVIOYe5j92m10wluP5hgeHqSkOLnZzcPxhYCkdbLXCE= @@ -2312,10 +2316,6 @@ go.opentelemetry.io/collector/config/configauth v0.96.0 h1:nnRLtaPVafazVij60/Q6q go.opentelemetry.io/collector/config/configauth v0.96.0/go.mod h1:XABE3s1OiLzjhHv6R/eMOp8fYFweF6/Naa9NgDD+Ntg= go.opentelemetry.io/collector/config/configcompression v0.96.0 h1:mbP0YbYTfbpovxcZE6JrBYmWg5G1Dozj7eOuLAdqcI4= go.opentelemetry.io/collector/config/configcompression v0.96.0/go.mod h1:owL6s04LI1fPrNZvXiRm6o4B0jaxb3z/oFEcgrakFK4= -go.opentelemetry.io/collector/config/configgrpc v0.96.0 h1:FxCtsN8V4zYYq5wlSYAjBs3OEI1AbjfzmzSPkHYZKkY= -go.opentelemetry.io/collector/config/configgrpc v0.96.0/go.mod h1:uUxDCwvWvyf331boTH8/gZhUXXST2r1ps5+ZAvxZl4o= -go.opentelemetry.io/collector/config/confighttp v0.96.0 h1:/piTkhB+UhhkvHc2PmHBuZzvp0okWTGiL/kZIh+zMmQ= -go.opentelemetry.io/collector/config/confighttp v0.96.0/go.mod h1:KWac7J9mNFjtN4dQz8AUmFVBr7c2UOfo5OM7wfdPToI= go.opentelemetry.io/collector/config/confignet v0.96.0 h1:ZUwziVVxWgcRMqukfKfdEjxfgmfhGsX6J3GEzF/Pupk= go.opentelemetry.io/collector/config/confignet v0.96.0/go.mod h1:BVw5xkQ7TH2wH75cbph+dtOoxq1baWLuhdSYIAvuVu0= go.opentelemetry.io/collector/config/configopaque v1.3.0 h1:J60RL/XxGmBF+OX2+Gx+yAo/p7YwjSsOOlPlo1yXotA=