fix(deps): Update module go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to v0.19.0 [SECURITY]#22490
Merged
kodiakhq[bot] merged 1 commit intomainfrom Apr 8, 2026
Conversation
…log/otlploghttp to v0.19.0 [SECURITY]
Contributor
Author
ℹ️ Artifact update noticeFile name: cli/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Contributor
Author
|
/gen sha=9e81f06c1fd66cc4d485c2364a8862da4a803b59 dir=cli |
kodiakhq bot
pushed a commit
that referenced
this pull request
Apr 15, 2026
🤖 I have created a release *beep* *boop* --- ## [6.35.6](cli-v6.35.5...cli-v6.35.6) (2026-04-15) ### Bug Fixes * **deps:** Update module go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp to v0.19.0 [SECURITY] ([#22490](#22490)) ([3bcdbde](3bcdbde)) * Preserve custom doc sections across generated reference updates ([#22486](#22486)) ([046f37e](046f37e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.18.0→v0.19.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2026-39882
overview:
this report shows that the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory
bytes.Bufferwithout a size cap.this is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection).
severity
HIGH
not claiming: this is a remote dos against every default deployment.
claiming: if the exporter sends traces to an untrusted collector endpoint (or over a network segment where mitm is realistic), that endpoint can crash the process via a large response body.
callsite (pinned):
permalinks (pinned):
root cause:
each exporter client reads
resp.Bodyusingio.Copy(&respData, resp.Body)into abytes.Bufferon both success and error paths, with no upper bound.impact:
a malicious collector can force large transient heap allocations during export (peak memory scales with attacker-chosen response size) and can potentially crash the instrumented process (oom).
affected component:
repro (local-only):
unzip poc.zip -d poc cd poc make canonical resp_bytes=33554432 chunk_delay_ms=0expected output contains:
control (same env, patched target):
unzip poc.zip -d poc cd poc make control resp_bytes=33554432 chunk_delay_ms=0expected control output contains:
attachments: poc.zip (attached)
PR_DESCRIPTION.md
attack_scenario.md
poc.zip
Fixed in: https://github.com/open-telemetry/opentelemetry-go/pull/8108
Release Notes
open-telemetry/opentelemetry-go (go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp)
v0.19.0Compare Source
Added
Marshalerconfig option tootlphttpto enable otlp over json or protobufs. (#1586)ForceFlushmethod to the"go.opentelemetry.io/otel/sdk/trace".TracerProviderto flush all registeredSpanProcessors. (#1608)WithSamplerandWithSpanLimitsto tracer provider. (#1633, #1702)"go.opentelemetry.io/otel/trace".SpanContextnow has aremoteproperty, andIsRemote()predicate, that is true when theSpanContexthas been extracted from remote context data. (#1701)Validmethod to the"go.opentelemetry.io/otel/attribute".KeyValuetype. (#1703)Changed
trace.SpanContextis now immutable and has no exported fields. (#1573)trace.NewSpanContext()can be used in conjunction with thetrace.SpanContextConfigstruct to initialize a newSpanContextwhere all values are known.ForceFlushmethod signature to the"go.opentelemetry.io/otel/sdk/trace".SpanProcessorto accept acontext.Contextand return an error. (#1608)Shutdownmethod to the"go.opentelemetry.io/otel/sdk/trace".TracerProviderreturn an error on shutdown failure. (#1608)SpanExporterand gracefully ignore subsequent calls toOnEndafterShutdownis called. (#1612)"go.opentelemetry.io/sdk/metric/controller.basic".WithPusheris replaced withWithExporterto provide consistent naming across project. (#1656)Attributekeys. (#1659)descriptionto SpanStatus only whenStatusCodeis set to error. (#1662)resource.Default'sservice.nameif the exported Span does not have one. (#1673)LabelSetmethod of"go.opentelemetry.io/otel/sdk/resource".ResourcetoSet. (#1692)WithSDKtoWithSDKOptionsto accept variadic arguments ofTracerProviderOptiontype ingo.opentelemetry.io/otel/exporters/trace/jaegerpackage. (#1693)WithSDKtoWithSDKOptionsto accept variadic arguments ofTracerProviderOptiontype ingo.opentelemetry.io/otel/exporters/trace/zipkinpackage. (#1693)"go.opentelemetry.io/otel/sdk/resource".NewWithAttributeswill now drop any invalid attributes passed. (#1703)"go.opentelemetry.io/otel/sdk/resource".StringDetectorwill now error if the produced attribute is invalid. (#1703)Removed
serviceNameparameter from Zipkin exporter and uses resource instead. (#1549)WithConfigfrom tracer provider to avoid overriding configuration. (#1633)SimpleSpanProcessorandBatchSpanProcessorstructs.These are now returned as a SpanProcessor interface from their respective constructors. (#1638)
WithRecord()fromtrace.SpanOptionwhen creating a span. (#1660)Errorwhile recording an error as a span event inRecordError. (#1663)jaeger.WithProcessconfiguration option. (#1673)ApplyConfigmethod from"go.opentelemetry.io/otel/sdk/trace".TracerProviderand the now unneededConfigstruct. (#1693)Fixed
SamplingResult.TraceStateis correctly propagated to a newly created span'sSpanContext. (#1655)otel-collectorexample now correctly flushes metric events prior to shutting down the exporter. (#1678)SpanStatusFromHTTPStatusCodeif it can be inferred fromhttp.status_code. (#1681)TracerProvider. (#1687)Raw changes made between v0.18.0 and v0.19.0
2b4fa96(HEAD -> main, tag: v0.19.0, tag: trace/v0.19.0, tag: sdk/v0.19.0, tag: sdk/metric/v0.19.0, tag: sdk/export/metric/v0.19.0, tag: oteltest/v0.19.0, tag: metric/v0.19.0, tag: exporters/trace/zipkin/v0.19.0, tag: exporters/trace/jaeger/v0.19.0, tag: exporters/stdout/v0.19.0, tag: exporters/otlp/v0.19.0, tag: exporters/metric/prometheus/v0.19.0, tag: example/zipkin/v0.19.0, tag: example/prometheus/v0.19.0, tag: example/prom-collector/v0.19.0, tag: example/otel-collector/v0.19.0, tag: example/opencensus/v0.19.0, tag: example/namedtracer/v0.19.0, tag: example/jaeger/v0.19.0, tag: bridge/opentracing/v0.19.0, tag: bridge/opencensus/v0.19.0, upstream/main, origin/main) Release v0.19.0 (#1710)4beb704sdk/trace: removing ApplyConfig and Config (#1693)1d42be1Rename WithDefaultSampler TracerProvider option to WithSampler and update docs (#1702)860d5d8Add flag to determine whether SpanContext is remote (#1701)0fe65e6Comply with OpenTelemetry attributes specification (#1703)8888435Bump google.golang.org/api from 0.40.0 to 0.41.0 in /exporters/trace/jaeger (#1700)345f264(global-docs) breaking(zipkin): removes servicName from zipkin exporter. (#1697)62cbf0fPopulate Jaeger's Span.Process from Resource (#1673)28eaaa9Add a test to prove the Tracer is safe for concurrent calls (#1665)8b1be11Rename resource pkg label vars and methods (#1692)a1539d4OpenCensus metric exporter bridge (#1444)77aa218Fix issue #1490, apply same logic as in the SDK (#1687)9d3416cFix synchronization issues in global trace delegate implementation (#1686)58f69f0Span status from HTTP code: Do not set status message if it can be inferred (#1681)9c305bdFlush metric events prior to shutdown in OTLP example (#1678)66b1135Fix CHANGELOG (#1680)90bd4abUpdate employer information for maintainers (#1683)3684191Remove WithRecord() option from trace.SpanOption when starting a span (#1660)65c7de2Remove trace prefix from NoOp src files. (#1679)e88a091Make SpanContext Immutable (#1573)d75e268Avoid overriding configuration of tracer provider (#1633)2b4d5acBump github.com/golangci/golangci-lint in /internal/tools (#1671)150b868Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (#1667)76aa924Fix the examples target info messaging (#1676)a3aa9fdBump github.com/itchyny/gojq from 0.12.1 to 0.12.2 in /internal/tools (#1672)a5edd79Removed setting error status while recording err as span event (#1663)e981475chore(zipkin): improves zipkin example to not to depend on timeouts. (#1566)3dc91f2Add ForceFlush method to TracerProvider (#1608)bd0bba4exporter: swap pusher for exporter (#1656)5690485Update the SimpleSpanProcessor (#1612)a7f7abaSpanStatus description set only when status code is set to Error (#1662)05252f4Jaeger Exporter: Fix minor mapping discrepancies (#1626)238e7c6Add non-empty string check for attribute keys (#1659)e9b9acaAdd tests for propagation of Sampler Tracestate changes (#1655)875a258Add docs on when reviews should be cleared (#1556)7153ef2Add HTTP/JSON to the otlp exporter (#1586)62e2a0fUnexport the simple and batch SpanProcessors (#1638)992837fAdd TracerProvider tests to oteltest harness (#1607)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.