Merge branch 'release-1.8'.

Signed-off-by: Peter Štibraný <peter.stibrany@grafana.com>

Author: pstibrany

CHANGELOG.md

@@ -78,6 +78,10 @@
 
 * [ENHANCEMENT] Builder: add `-builder.timestamp-tolerance` option which may reduce block size by rounding timestamps to make difference whole seconds. #3891
 
+## 1.8.1 / 2021-04-27
+
+* [CHANGE] Fix for CVE-2021-31232: Local file disclosure vulnerability when `-experimental.alertmanager.enable-api` is used. The HTTP basic auth `password_file` can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.
+
 ## 1.8.0 / 2021-03-24
 
 * [CHANGE] Alertmanager: Don't expose cluster information to tenants via the `/alertmanager/api/v1/status` API endpoint when operating with clustering enabled. #3903
@@ -181,6 +185,10 @@
 * [BUGFIX] Alertmanager: Ensure that experimental `/api/v1/alerts` endpoints work when `-http.prefix` is empty. #3905
 * [BUGFIX] Chunk store: fix panic in inverted index when deleted fingerprint is no longer in the index. #3543
 
+## 1.7.1 / 2021-04-27
+
+* [CHANGE] Fix for CVE-2021-31232: Local file disclosure vulnerability when `-experimental.alertmanager.enable-api` is used. The HTTP basic auth `password_file` can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.
+
 ## 1.7.0 / 2021-02-23
 
 Note the blocks storage compactor runs a migration task at startup in this version, which can take many minutes and use a lot of RAM.

VERSION

@@ -1 +1 @@
-1.8.0
+1.8.1

docs/chunks-storage/running-chunks-storage-with-cassandra.md

@@ -109,12 +109,12 @@ storage:
 ```
 
 The latest tag is not published for the Cortex docker image. Visit quay.io/repository/cortexproject/cortex
-to find the latest stable version tag and use it in the command below (currently it is `v1.8.0`).
+to find the latest stable version tag and use it in the command below (currently it is `v1.8.1`).
 
 Run Cortex using the latest stable version:
 
 ```
-docker run -d --name=cortex -v $(pwd)/single-process-config.yaml:/etc/single-process-config.yaml -p 9009:9009  quay.io/cortexproject/cortex:v1.8.0 -config.file=/etc/single-process-config.yaml
+docker run -d --name=cortex -v $(pwd)/single-process-config.yaml:/etc/single-process-config.yaml -p 9009:9009  quay.io/cortexproject/cortex:v1.8.1 -config.file=/etc/single-process-config.yaml
 ```
 In case you prefer to run the master version, please follow this [documentation](./chunks-storage-getting-started.md) on how to build Cortex from source.
 

k8s/alertmanager-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: alertmanager
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=alertmanager

k8s/configs-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: configs
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=configs

k8s/distributor-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: distributor
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=distributor

k8s/ingester-dep.yaml

@@ -37,7 +37,7 @@ spec:
 
       containers:
       - name: ingester
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=ingester

k8s/querier-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: querier
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=querier

k8s/query-frontend-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: query-frontend
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=query-frontend

k8s/ruler-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: ruler
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=ruler

k8s/table-manager-dep.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: table-manager
-        image: quay.io/cortexproject/cortex:v1.8.0
+        image: quay.io/cortexproject/cortex:v1.8.1
         imagePullPolicy: IfNotPresent
         args:
         - -target=table-manager

pkg/alertmanager/api_test.go

@@ -396,6 +396,25 @@ alertmanager_config: |
 `,
 			err: errors.Wrap(errVictorOpsAPIKeyFileNotAllowed, "error validating Alertmanager config"),
 		},
+		{
+			name: "should return error if template is wrong",
+			cfg: `
+alertmanager_config: |
+  route:
+    receiver: 'default-receiver'
+    group_wait: 30s
+    group_interval: 5m
+    repeat_interval: 4h
+    group_by: [cluster, alertname]
+  receivers:
+    - name: default-receiver
+  templates:
+    - "*.tmpl"
+template_files:
+  "test.tmpl": "{{ invalid Go template }}"
+`,
+			err: fmt.Errorf(`error validating Alertmanager config: template: test.tmpl:1: function "invalid" not defined`),
+		},
 	}
 
 	am := &MultitenantAlertmanager{