Security update for golang-github-prometheus-prometheus

2024-09-1707:48:51

Google

osv.dev

go 1.20 requirement

bump go-retryablehttp

cve-2024-6104

cve-2023-45142

version 2.45.6

security fixes

update enhancements

remote-write

azure monitor workspace

promql metric

ui improvements

bugfixes

labels set.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.03

Percentile

91.0%

JSON

This update for golang-github-prometheus-prometheus fixes the following issues:

Require Go > 1.20 for building
Bump go-retryablehttp to version 0.7.7
(CVE-2024-6104, bsc#1227038)
Migrate from disabled to manual service mode
Add0003-Bump-go-retryablehttp.patch
Update to 2.45.6 (jsc#PED-3577):
- Security fixes in dependencies
Update to 2.45.5:
- [BUGFIX] tsdb/agent: ensure that new series get written to WAL
  on rollback.
- [BUGFIX] Remote write: Avoid a race condition when applying
  configuration.
Update to 2.45.4:
- [BUGFIX] Remote read: Release querier resources before encoding
  the results.
Update to 2.45.3:
- Security fixes in dependencies
- [BUGFIX] TSDB: Remove double memory snapshot on shutdown.
Update to 2.45.2:
- Security fixes in dependencies
- [SECURITY] Updated otelhttp to version 0.46.1
  (CVE-2023-45142, bsc#1228556)
- [BUGFIX] TSDB: Fix PostingsForMatchers race with creating new
  series.
Update to 2.45.1:
- [ENHANCEMENT] Hetzner SD: Support larger ID’s that will be used
  by Hetzner in September.
- [BUGFIX] Linode SD: Cast InstanceSpec values to int64 to avoid
  overflows on 386 architecture.
- [BUGFIX] TSDB: Handle TOC parsing failures.
update to 2.45.0 (jsc#PED-5406):
- [FEATURE] API: New limit parameter to limit the number of items
  returned by /api/v1/status/tsdb endpoint.
- [FEATURE] Config: Add limits to global config.
- [FEATURE] Consul SD: Added support for path_prefix.
- [FEATURE] Native histograms: Add option to scrape both classic
  and native histograms.
- [FEATURE] Native histograms: Added support for two more
  arithmetic operators avg_over_time and sum_over_time.
- [FEATURE] Promtool: When providing the block id, only one block
  will be loaded and analyzed.
- [FEATURE] Remote-write: New Azure ad configuration to support
  remote writing directly to Azure Monitor workspace.
- [FEATURE] TSDB: Samples per chunk are now configurable with
  flag storage.tsdb.samples-per-chunk. By default set to its
  former value 120.
- [ENHANCEMENT] Native histograms: bucket size can now be limited
  to avoid scrape fails.
- [ENHANCEMENT] TSDB: Dropped series are now deleted from the WAL
  sooner.
- [BUGFIX] Native histograms: ChunkSeries iterator now checks if
  a new sample can be appended to the open chunk.
- [BUGFIX] Native histograms: Fix Histogram Appender
  Appendable() segfault.
- [BUGFIX] Native histograms: Fix setting reset header to gauge
  histograms in seriesToChunkEncoder.
- [BUGFIX] TSDB: Tombstone intervals are not modified after Get()
  call.
- [BUGFIX] TSDB: Use path/filepath to set the WAL directory.
update to 2.44.0:
- [FEATURE] Remote-read: Handle native histograms.
- [FEATURE] Promtool: Health and readiness check of prometheus
  server in CLI.
- [FEATURE] PromQL: Add query_samples_total metric, the total
  number of samples loaded by all queries.
- [ENHANCEMENT] Storage: Optimise buffer used to iterate through
  samples.
- [ENHANCEMENT] Scrape: Reduce memory allocations on target
  labels.
- [ENHANCEMENT] PromQL: Use faster heap method for topk() /
  bottomk().
- [ENHANCEMENT] Rules API: Allow filtering by rule name.
- [ENHANCEMENT] Native Histograms: Various fixes and
  improvements.
- [ENHANCEMENT] UI: Search of scraping pools is now
  case-insensitive.
- [ENHANCEMENT] TSDB: Add an affirmative log message for
  successful WAL repair.
- [BUGFIX] TSDB: Block compaction failed when shutting down.
- [BUGFIX] TSDB: Out-of-order chunks could be ignored if the
  write-behind log was deleted.
rebase patch 0001-Do-not-force-the-pure-Go-name-resolver.patch
onto v2.44.0
update to 2.43.1
- [BUGFIX] Labels: Set() after Del() would be ignored, which
  broke some relabeling rules.
update to 2.43.0:
- [FEATURE] Promtool: Add HTTP client configuration to query
  commands.
- [FEATURE] Scrape: Add include_scrape_configs to include
  scrape configs from different files.
- [FEATURE] HTTP client: Add no_proxy to exclude URLs from
  proxied requests.
- [FEATURE] HTTP client: Add proxy_from_enviroment to read
  proxies from env variables.
- [ENHANCEMENT] API: Add support for setting lookback delta per
  query via the API.
- [ENHANCEMENT] API: Change HTTP status code from 503/422 to 499
  if a request is canceled.
- [ENHANCEMENT] Scrape: Allow exemplars for all metric types.
- [ENHANCEMENT] TSDB: Add metrics for head chunks and WAL folders
  size.
- [ENHANCEMENT] TSDB: Automatically remove incorrect snapshot
  with index that is ahead of WAL.
- [ENHANCEMENT] TSDB: Improve Prometheus parser error outputs to
  be more comprehensible.
- [ENHANCEMENT] UI: Scope group by labels to metric in
  autocompletion.
- [BUGFIX] Scrape: Fix
  prometheus_target_scrape_pool_target_limit metric not set
  before reloading.
- [BUGFIX] TSDB: Correctly update
  prometheus_tsdb_head_chunks_removed_total and
  prometheus_tsdb_head_chunks metrics when reading WAL.
- [BUGFIX] TSDB: Use the correct unit (seconds) when recording
  out-of-order append deltas in the
  prometheus_tsdb_sample_ooo_delta metric.
update to 2.42.0:
This release comes with a bunch of feature coverage for native
histograms and breaking changes.
If you are trying native histograms already, we recommend you
remove the wal directory when upgrading.
Because the old WAL record for native histograms is not
backward compatible in v2.42.0, this will lead to some data
loss for the latest data.
Additionally, if you scrape ‘float histograms’ or use recording
rules on native histograms in v2.42.0 (which writes float
histograms), it is a one-way street since older versions do not
support float histograms.
- [CHANGE] breaking TSDB: Changed WAL record format for the
  experimental native histograms.
- [FEATURE] Add ‘keep_firing_for’ field to alerting rules.
- [FEATURE] Promtool: Add support of selecting timeseries for
  TSDB dump.
- [ENHANCEMENT] Agent: Native histogram support.
- [ENHANCEMENT] Rules: Support native histograms in recording
  rules.
- [ENHANCEMENT] SD: Add container ID as a meta label for pod
  targets for Kubernetes.
- [ENHANCEMENT] SD: Add VM size label to azure service
  discovery.
- [ENHANCEMENT] Support native histograms in federation.
- [ENHANCEMENT] TSDB: Add gauge histogram support.
- [ENHANCEMENT] TSDB/Scrape: Support FloatHistogram that
  represents buckets as float64 values.
- [ENHANCEMENT] UI: Show individual scrape pools on /targets
  page.
update to 2.41.0:
- [FEATURE] Relabeling: Add keepequal and dropequal relabel
  actions.
- [FEATURE] Add support for HTTP proxy headers.
- [ENHANCEMENT] Reload private certificates when changed on disk.
- [ENHANCEMENT] Add max_version to specify maximum TLS version in
  tls_config.
- [ENHANCEMENT] Add goos and goarch labels to
  prometheus_build_info.
- [ENHANCEMENT] SD: Add proxy support for EC2 and LightSail SDs.
- [ENHANCEMENT] SD: Add new metric
  prometheus_sd_file_watcher_errors_total.
- [ENHANCEMENT] Remote Read: Use a pool to speed up marshalling.
- [ENHANCEMENT] TSDB: Improve handling of tombstoned chunks in
  iterators.
- [ENHANCEMENT] TSDB: Optimize postings offset table reading.
- [BUGFIX] Scrape: Validate the metric name, label names, and
  label values after relabeling.
- [BUGFIX] Remote Write receiver and rule manager: Fix error
  handling.
update to 2.40.7:
- [BUGFIX] TSDB: Fix queries involving negative buckets of native
  histograms.
update to 2.40.5:
- [BUGFIX] TSDB: Fix queries involving native histograms due to
  improper reset of iterators.
update to 2.40.3:
- [BUGFIX] TSDB: Fix compaction after a deletion is called.
update to 2.40.2:
- [BUGFIX] UI: Fix black-on-black metric name color in dark mode.
update to 2.40.1:
- [BUGFIX] TSDB: Fix alignment for atomic int64 for 32 bit
  architecture.
- [BUGFIX] Scrape: Fix accept headers.
update to 2.40.0:
- [FEATURE] Add experimental support for native histograms.
  Enable with the flag --enable-feature=native-histograms.
- [FEATURE] SD: Add service discovery for OVHcloud.
- [ENHANCEMENT] Kubernetes SD: Use protobuf encoding.
- [ENHANCEMENT] TSDB: Use golang.org/x/exp/slices for improved
  sorting speed.
- [ENHANCEMENT] Consul SD: Add enterprise admin partitions. Adds
  __meta_consul_partition label. Adds partition config in
  consul_sd_config.
- [BUGFIX] API: Fix API error codes for /api/v1/labels and
  /api/v1/series.
update to 2.39.1:
- [BUGFIX] Rules: Fix notifier relabel changing the labels on
  active alerts.
update to 2.39.0:
- [FEATURE] experimental TSDB: Add support for ingesting
  out-of-order samples. This is configured via
  out_of_order_time_window field in the config file; check config
  file docs for more info.
- [ENHANCEMENT] API: /-/healthy and /-/ready API calls now also
  respond to a HEAD request on top of existing GET support.
- [ENHANCEMENT] PuppetDB SD: Add __meta_puppetdb_query label.
- [ENHANCEMENT] AWS EC2 SD: Add __meta_ec2_region label.
- [ENHANCEMENT] AWS Lightsail SD: Add __meta_lightsail_region
  label.
- [ENHANCEMENT] Scrape: Optimise relabeling by re-using memory.
- [ENHANCEMENT] TSDB: Improve WAL replay timings.
- [ENHANCEMENT] TSDB: Optimise memory by not storing unnecessary
  data in the memory.
- [ENHANCEMENT] TSDB: Allow overlapping blocks by default.
  –storage.tsdb.allow-overlapping-blocks now has no effect.
- [ENHANCEMENT] UI: Click to copy label-value pair from query
  result to clipboard.
- [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a
  memory leak.
- [BUGFIX] TSDB: Fix ‘invalid magic number 0’ error on Prometheus
  startup.
- [BUGFIX] PromQL: Properly close file descriptor when logging
  unfinished queries.
- [BUGFIX] Agent: Fix validation of flag options and prevent WAL
  from growing more than desired.
update to 2.38.0:
- [FEATURE]: Web: Add a /api/v1/format_query HTTP API endpoint
  that allows pretty-formatting PromQL expressions.
- [FEATURE]: UI: Add support for formatting PromQL expressions in
  the UI.
- [FEATURE]: DNS SD: Support MX records for discovering targets.
- [FEATURE]: Templates: Add toTime() template function that
  allows converting sample timestamps to Go time.Time values.
- [ENHANCEMENT]: Kubernetes SD: Add
  __meta_kubernetes_service_port_number meta label indicating the
  service port number.
- [ENHANCEMENT]: Kubernetes SD: Add
  __meta_kubernetes_pod_container_image meta label indicating the
  container image.
- [ENHANCEMENT]: PromQL: When a query panics, also log the query
  itself alongside the panic message.
- [ENHANCEMENT]: UI: Tweak colors in the dark theme to improve
  the contrast ratio.
- [ENHANCEMENT]: Web: Speed up calls to /api/v1/rules by avoiding
  locks and using atomic types instead.
- [ENHANCEMENT]: Scrape: Add a no-default-scrape-port feature
  flag, which omits or removes any default HTTP (:80) or HTTPS
  (:443) ports in the target’s scrape address.
- [BUGFIX]: TSDB: In the WAL watcher metrics, expose the
  type=‘exemplar’ label instead of type=‘unknown’ for exemplar
  records.
- [BUGFIX]: TSDB: Fix race condition around allocating series IDs
  during chunk snapshot loading.
Remove npm_licenses.tar.bz2 during ‘make clean’
Remove web-ui archives during ‘make clean’.
- [SECURITY] CVE-2022-41715: Limit memory used by parsing regexps
  (bsc#1204023).
Fix uncontrolled resource consumption by updating Go to version
1.20.1 (CVE-2022-41723, bsc#1208298)