Security update for golang-github-prometheus-prometheus

Announcement ID:	SUSE-SU-2023:2598-1
Rating:	important
References:	bsc#1204023 bsc#1208049 bsc#1208298 jsc#MSQA-665 jsc#PED-3576
Cross-References:	CVE-2022-41715 CVE-2022-41723 CVE-2022-46146
CVSS scores:	CVE-2022-41715 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41715 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41723 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-41723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2022-46146 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-46146 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Manager Proxy 4.2 SUSE Manager Proxy 4.2 Module 4.2 SUSE Manager Proxy 4.3 SUSE Manager Proxy 4.3 Module 4.3 SUSE Manager Retail Branch Server 4.2 SUSE Manager Retail Branch Server 4.3 SUSE Package Hub 15 15-SP5

An update that solves three vulnerabilities and contains two features can now be installed.

Description:

This update for golang-github-prometheus-prometheus fixes the following issues:

golang-github-prometheus-prometheus:

• Security issues fixed in this version update to 2.37.6:
• CVE-2022-46146: Fix basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576)
• CVE-2022-41715: Update our regexp library to fix upstream (bsc#1204023)
• CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208298)
• Other non-security bugs fixed and changes in this version update to 2.37.6:
• [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
• [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
• [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
• [BUGFIX] Properly close file descriptor when logging unfinished queries.
• [BUGFIX] TSDB: In the WAL watcher metrics, expose the type="exemplar" label instead of type="unknown" for exemplar records.
• [BUGFIX] Alerting: Fix Alertmanager targets not being updated when alerts were queued.
• [BUGFIX] Hetzner SD: Make authentication files relative to Prometheus config file.
• [BUGFIX] Promtool: Fix promtool check config not erroring properly on failures.
• [BUGFIX] Scrape: Keep relabeled scrape interval and timeout on reloads.
• [BUGFIX] TSDB: Don't increment prometheus_tsdb_compactions_failed_total when context is canceled.
• [BUGFIX] TSDB: Fix panic if series is not found when deleting series.
• [BUGFIX] TSDB: Increase prometheus_tsdb_mmap_chunk_corruptions_total on out of sequence errors.
• [BUGFIX] Uyuni SD: Make authentication files relative to Prometheus configuration file and fix default configuration values.
• [BUGFIX] Fix serving of static assets like fonts and favicon.
• [BUGFIX] promtool: Add --lint-fatal option.
• [BUGFIX] Changing TotalQueryableSamples from int to int64.
• [BUGFIX] tsdb/agent: Ignore duplicate exemplars.
• [BUGFIX] TSDB: Fix chunk overflow appending samples at a variable rate.
• [BUGFIX] Stop rule manager before TSDB is stopped.
• [BUGFIX] Kubernetes SD: Explicitly include gcp auth from k8s.io.
• [BUGFIX] Fix OpenMetrics parser to sort uppercase labels correctly.
• [BUGFIX] UI: Fix scrape interval and duration tooltip not showing on target page.
• [BUGFIX] Tracing/GRPC: Set TLS credentials only when insecure is false.
• [BUGFIX] Agent: Fix ID collision when loading a WAL with multiple segments.
• [BUGFIX] Remote-write: Fix a deadlock between Batch and flushing the queue.
• [BUGFIX] PromQL: Properly return an error from histogram_quantile when metrics have the same labelset.
• [BUGFIX] UI: Fix bug that sets the range input to the resolution.
• [BUGFIX] TSDB: Fix a query panic when memory-snapshot-on-shutdown is enabled.
• [BUGFIX] Parser: Specify type in metadata parser errors.
• [BUGFIX] Scrape: Fix label limit changes not applying.
• [BUGFIX] Remote-write: Fix deadlock between adding to queue and getting batch.
• [BUGFIX] TSDB: Fix panic when m-mapping head chunks onto the disk.
• [BUGFIX] Azure SD: Fix a regression when public IP Address isn't set.
• [BUGFIX] Azure SD: Fix panic when public IP Address isn't set.
• [BUGFIX] Remote-write: Fix deadlock when stopping a shard.
• [BUGFIX] SD: Fix no such file or directory in K8s SD when not running inside K8s.
• [BUGFIX] Promtool: Make exit codes more consistent.
• [BUGFIX] Promtool: Fix flakiness of rule testing.
• [BUGFIX] Remote-write: Update prometheus_remote_storage_queue_highest_sent_timestamp_seconds metric when write irrecoverably fails.
• [BUGFIX] Storage: Avoid panic in BufferedSeriesIterator.
• [BUGFIX] TSDB: CompactBlockMetas should produce correct mint/maxt for overlapping blocks.
• [BUGFIX] TSDB: Fix logging of exemplar storage size.
• [BUGFIX] UI: Fix overlapping click targets for the alert state checkboxes.
• [BUGFIX] UI: Fix Unhealthy filter on target page to actually display only Unhealthy targets.
• [BUGFIX] UI: Fix autocompletion when expression is empty.
• [BUGFIX] TSDB: Fix deadlock from simultaneous GC and write.
• [CHANGE] TSDB: Delete *.tmp WAL files when Prometheus starts.
• [CHANGE] promtool: Add new flag --lint (enabled by default) for the commands check rules and check config, resulting in a new exit code (3) for linter errors.
• [CHANGE] UI: Classic UI removed.
• [CHANGE] Tracing: Migrate from Jaeger to OpenTelemetry based tracing.
• [CHANGE] PromQL: Promote negative offset and @ modifer to stable features.
• [CHANGE] Web: Promote remote-write-receiver to stable.
• [FEATURE] Nomad SD: New service discovery for Nomad built-in service discovery.
• [FEATURE] Add lowercase and uppercase relabel action.
• [FEATURE] SD: Add IONOS Cloud integration.
• [FEATURE] SD: Add Vultr integration.
• [FEATURE] SD: Add Linode SD failure count metric.
• [FEATURE] Add prometheus_ready metric.
• [FEATURE] Support for automatically setting the variable GOMAXPROCS to the container CPU limit. Enable with the flag --enable-feature=auto-gomaxprocs.
• [FEATURE] PromQL: Extend statistics with total and peak number of samples in a query. Additionally, per-step statistics are available with --enable-feature=promql-per-step-stats and using stats=all in the query API. Enable with the flag --enable-feature=per-step-stats.
• [FEATURE] Config: Add stripPort template function.
• [FEATURE] Promtool: Add cardinality analysis to check metrics, enabled by flag --extended.
• [FEATURE] SD: Enable target discovery in own K8s namespace.
• [FEATURE] SD: Add provider ID label in K8s SD.
• [FEATURE] Web: Add limit field to the rules API.
• [ENHANCEMENT] Kubernetes SD: Allow attaching node labels for endpoint role.
• [ENHANCEMENT] PromQL: Optimise creation of signature with/without labels.
• [ENHANCEMENT] TSDB: Memory optimizations.
• [ENHANCEMENT] TSDB: Reduce sleep time when reading WAL.
• [ENHANCEMENT] OAuth2: Add appropriate timeouts and User-Agent header.
• [ENHANCEMENT] Add stripDomain to template function.
• [ENHANCEMENT] UI: Enable active search through dropped targets.
• [ENHANCEMENT] promtool: support matchers when querying label
• [ENHANCEMENT] Add agent mode identifier.
• [ENHANCEMENT] TSDB: more efficient sorting of postings read from WAL at startup.
• [ENHANCEMENT] Azure SD: Add metric to track Azure SD failures.
• [ENHANCEMENT] Azure SD: Add an optional resource_group configuration.
• [ENHANCEMENT] Kubernetes SD: Support discovery.k8s.io/v1 EndpointSlice (previously only discovery.k8s.io/v1beta1 EndpointSlice was supported).
• [ENHANCEMENT] Kubernetes SD: Allow attaching node metadata to discovered pods.
• [ENHANCEMENT] OAuth2: Support for using a proxy URL to fetch OAuth2 tokens.
• [ENHANCEMENT] Configuration: Add the ability to disable HTTP2.
• [ENHANCEMENT] Config: Support overriding minimum TLS version.
• [ENHANCEMENT] TSDB: Disable the chunk write queue by default and allow configuration with the experimental flag --storage.tsdb.head-chunks-write-queue-size.
• [ENHANCEMENT] HTTP SD: Add a failure counter.
• [ENHANCEMENT] Azure SD: Set Prometheus User-Agent on requests.
• [ENHANCEMENT] Uyuni SD: Reduce the number of logins to Uyuni.
• [ENHANCEMENT] Scrape: Log when an invalid media type is encountered during a scrape.
• [ENHANCEMENT] Scrape: Accept application/openmetrics-text;version=1.0.0 in addition to version=0.0.1.
• [ENHANCEMENT] Remote-read: Add an option to not use external labels as selectors for remote read.
• [ENHANCEMENT] UI: Optimize the alerts page and add a search bar.
• [ENHANCEMENT] UI: Improve graph colors that were hard to see.
• [ENHANCEMENT] Config: Allow escaping of $ with $$ when using environment variables with external labels.
• [ENHANCEMENT] Remote-write: Avoid allocations by buffering concrete structs instead of interfaces.
• [ENHANCEMENT] Remote-write: Log time series details for out-of-order samples in remote write receiver.
• [ENHANCEMENT] Remote-write: Shard up more when backlogged.
• [ENHANCEMENT] TSDB: Use simpler map key to improve exemplar ingest performance.
• [ENHANCEMENT] TSDB: Avoid allocations when popping from the intersected postings heap.
• [ENHANCEMENT] TSDB: Make chunk writing non-blocking, avoiding latency spikes in remote-write.
• [ENHANCEMENT] TSDB: Improve label matching performance.
• [ENHANCEMENT] UI: Optimize the service discovery page and add a search bar.
• [ENHANCEMENT] UI: Optimize the target page and add a search bar.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.4
  zypper in -t patch openSUSE-SLE-15.4-2023-2598=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2023-2598=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2598=1
• SUSE Manager Proxy 4.2 Module 4.2
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2023-2598=1
• SUSE Manager Proxy 4.3 Module 4.3
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-2598=1

Package List:

• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  • firewalld-prometheus-config-0.1-150100.4.17.1
  • golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • firewalld-prometheus-config-0.1-150100.4.17.1
  • golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
• SUSE Manager Proxy 4.2 Module 4.2 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
• SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-prometheus-2.37.6-150100.4.17.1

References:

• https://www.suse.com/security/cve/CVE-2022-41715.html
• https://www.suse.com/security/cve/CVE-2022-41723.html
• https://www.suse.com/security/cve/CVE-2022-46146.html
• https://bugzilla.suse.com/show_bug.cgi?id=1204023
• https://bugzilla.suse.com/show_bug.cgi?id=1208049
• https://bugzilla.suse.com/show_bug.cgi?id=1208298
• https://jira.suse.com/browse/MSQA-665
• https://jira.suse.com/browse/PED-3576