Security update for golang-github-prometheus-prometheus

Announcement ID: SUSE-SU-2020:2606-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2019-10215 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVE-2019-10215 ( NVD ): 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
  • SUSE Enterprise Storage 6
  • SUSE Linux Enterprise Server 15 SP1

An update that solves one vulnerability and has one security fix can now be installed.

Description:

This update for golang-github-prometheus-prometheus to version 2.18.0 fixes the following issues:

  • Fixed some building issues (bsc#1175478)
  • prometheus components systemd units should depend on network target (bsc#1143913).

Update to 2.18.0 + Features * Tracing: Added experimental Jaeger support #7148 + Changes * Federation: Only use local TSDB for federation (ignore remote read). #7096 * Rules: rule_evaluations_total and rule_evaluation_failures_total have a rule_group label now. #7094 + Enhancements * TSDB: Significantly reduce WAL size kept around after a block cut. #7098 * Discovery: Add architecture meta label for EC2. #7000 + Bug fixes * UI: Fixed wrong MinTime reported by /status. #7182 * React UI: Fixed multiselect legend on OSX. #6880 * Remote Write: Fixed blocked resharding edge case. #7122 * Remote Write: Fixed remote write not updating on relabel configs change. #7073 - Changes from 2.17.2 + Bug fixes * Federation: Register federation metrics #7081 * PromQL: Fix panic in parser error handling #7132 * Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138 * TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135 * TSDB: Make isolation more robust to panics in web handlers #7129 #7136 - Changes from 2.17.1 + Bug fixes * TSDB: Fix query performance regression that increased memory and CPU usage #7051 - Changes from 2.17.0 + Features * TSDB: Support isolation #6841 * This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. This comes with a certain overhead in resource usage. Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency. + Enhancements * PromQL: Allow more keywords as metric names #6933 * React UI: Add normalization of localhost URLs in targets page #6794 * Remote read: Read from remote storage concurrently #6770 * Rules: Mark deleted rule series as stale after a reload #6745 * Scrape: Log scrape append failures as debug rather than warn #6852 * TSDB: Improve query performance for queries that partially hit the head #6676 * Consul SD: Expose service health as meta label #5313 * EC2 SD: Expose EC2 instance lifecycle as meta label #6914 * Kubernetes SD: Expose service type as meta label for K8s service role #6684 * Kubernetes SD: Expose label_selector and field_selector #6807 * Openstack SD: Expose hypervisor id as meta label #6962 + Bug fixes * PromQL: Do not escape HTML-like chars in query log #6834 #6795 * React UI: Fix data table matrix values #6896 * React UI: Fix new targets page not loading when using non-ASCII characters #6892 * Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018 * Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998 * Scrape: Prevent removal of metric names upon relabeling #6891 * Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986 * Scrape: Fix crash when reloads are separated by two scrape intervals #7011 - Changes from 2.16.0 + Features * React UI: Support local timezone on /graph #6692 * PromQL: add absent_over_time query function #6490 * Adding optional logging of queries to their own file #6520 + Enhancements * React UI: Add support for rules page and "Xs ago" duration displays #6503 * React UI: alerts page, replace filtering togglers tabs with checkboxes #6543 * TSDB: Export metric for WAL write errors #6647 * TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651 * PromQL: Refactoring in parser errors to improve error messages #6634 * PromQL: Support trailing commas in grouping opts #6480 * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670 * Scrape: Add metrics to track bytes and entries in the metadata cache #6675 * promtool: Add support for line-column numbers for invalid rules output #6533 * Avoid restarting rule groups when it is unnecessary #6450 + Bug fixes * React UI: Send cookies on fetch() on older browsers #6553 * React UI: adopt grafana flot fix for stacked graphs #6603 * React UI: broken graph page browser history so that back button works as expected #6659 * TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616 * TSDB: return an error on ingesting series with duplicate labels #6664 * PromQL: Fix unary operator precedence #6579 * PromQL: Respect query.timeout even when we reach query.max-concurrency #6712 * PromQL: Fix string and parentheses handling in engine, which affected React UI #6612 * PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493 * Scrape: Validate that OpenMetrics input ends with # EOF #6505 * Remote read: return the correct error if configs can't be marshal'd to JSON #6622 * Remote write: Make remote client Store use passed context, which can affect shutdown timing #6673 * Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511 * Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693 - Changes from 2.15.2 + Bug fixes * TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564 * TSDB: Fixed block compaction issues on Windows. #6547 - Changes from 2.15.1 + Bug fixes * TSDB: Fixed race on concurrent queries against same data. #6512 - Changes from 2.15.0 + Features * API: Added new endpoint for exposing per metric metadata /metadata. #6420 #6442 + Changes * Discovery: Removed prometheus_sd_kubernetes_cache_* metrics. Additionally prometheus_sd_kubernetes_workqueue_latency_seconds and prometheus_sd_kubernetes_workqueue_work_duration_seconds metrics now show correct values in seconds. #6393 * Remote write: Changed query label on prometheus_remote_storage_* metrics to remote_name and url. #6043 + Enhancements * TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461 * TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475 * TSDB: Improve replay latency. #6230 * TSDB: WAL size is now used for size based retention calculation. #5886 * Remote read: Added query grouping and range hints to the remote read request #6401 * Remote write: Added prometheus_remote_storage_sent_bytes_total counter per queue. #6344 * promql: Improved PromQL parser performance. #6356 * React UI: Implemented missing pages like /targets #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements. * promql: Prometheus now accepts spaces between time range and square bracket. e.g [ 5m] #6065
+ Bug fixes * Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455 * Remote write: Value of prometheus_remote_storage_shards_desired gauge shows raw value of desired shards and it's updated correctly. #6378 * Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in labels field. #6469 * API: Targets Metadata API /targets/metadata now accepts empty match_targets parameter as in the spec. #6303 - Changes from 2.14.0 + Features * API: /api/v1/status/runtimeinfo and /api/v1/status/buildinfo endpoints added for use by the React UI. #6243 * React UI: implement the new experimental React based UI. #5694 and many more * Can be found by under /new. * Not all pages are implemented yet. * Status: Cardinality statistics added to the Runtime & Build Information page. #6125 + Enhancements * Remote write: fix delays in remote write after a compaction. #6021 * UI: Alerts can be filtered by state. #5758 + Bug fixes * Ensure warnings from the API are escaped. #6279 * API: lifecycle endpoints return 403 when not enabled. #6057 * Build: Fix Solaris build. #6149 * Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270 * Remote write: restore use of deduplicating logger in remote write. #6113 * Remote write: do not reshard when unable to send samples. #6111 * Service discovery: errors are no longer logged on context cancellation. #6116, #6133 * UI: handle null response from API properly. #6071 - Changes from 2.13.1 + Bug fixes * Fix panic in ARM builds of Prometheus. #6110 * promql: fix potential panic in the query logger. #6094 * Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145 - Changes from 2.13.0 + Enhancements * Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254 * Include the tsdb tool in builds. #6089 * Service discovery: add new node address types for kubernetes. #5902 * UI: show warnings if query have returned some warnings. #5964 * Remote write: reduce memory usage of the series cache. #5849 * Remote read: use remote read streaming to reduce memory usage. #5703 * Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787 * Promtool: show the warnings during label query. #5924 * Promtool: improve error messages when parsing bad rules. #5965 * Promtool: more promlint rules. #5515 + Bug fixes * UI: Fix a Stored DOM XSS vulnerability with query history CVE-2019-10215. #6098 * Promtool: fix recording inconsistency due to duplicate labels. #6026 * UI: fixes service-discovery view when accessed from unhealthy targets. #5915 * Metrics format: OpenMetrics parser crashes on short input. #5939 * UI: avoid truncated Y-axis values. #6014 - Changes from 2.12.0 + Features * Track currently active PromQL queries in a log file. #5794 * Enable and provide binaries for mips64 / mips64le architectures. #5792 + Enhancements * Improve responsiveness of targets web UI and API endpoint. #5740 * Improve remote write desired shards calculation. #5763 * Flush TSDB pages more precisely. tsdb#660 * Add prometheus_tsdb_retention_limit_bytes metric. tsdb#667 * Add logging during TSDB WAL replay on startup. tsdb#662 * Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627 + Bug fixes * Check for duplicate label names in remote read. #5829 * Mark deleted rules' series as stale on next evaluation. #5759 * Fix JavaScript error when showing warning about out-of-sync server time. #5833 * Fix promtool test rules panic when providing empty exp_labels. #5774 * Only check last directory when discovering checkpoint number. #5756 * Fix error propagation in WAL watcher helper functions. #5741 * Correctly handle empty labels from alert templates. #5845

  • Update to Prometheus 2.11.2

  • Fixes crashes when systems have no FQDN

  • Adds Parallel calls to Uyuni API, meaningful performance increase
  • Adds Support for system group labels

  • Build with PIE

  • Only package required files (reduces rpm size by 4 MB)

  • Add sysconfig file
  • Add firewall config file
  • Use variables for defining user and group

  • Add support for Uyuni/SUSE Manager service discovery

  • readded _service file removed in error.

  • Update to 2.11.1
  • Bug Fix:
    • Fix potential panic when prometheus is watching multiple zookeeper paths.
  • Update to 2.11.0
  • Bug Fix:
    • resolve race condition in maxGauge.
    • Fix ZooKeeper connection leak.
    • Improved atomicity of .tmp block replacement during compaction for usual case.
    • Fix "unknown series references" after clean shutdown.
    • Re-calculate block size when calling block.Delete.
    • Fix unsafe snapshots with head block.
    • prometheus_tsdb_compactions_failed_total is now incremented on any compaction failure.
  • Changes:
    • Remove max_retries from queue_config (it has been unused since rewriting remote-write to utilize the write-ahead-log)
    • The meta file BlockStats no longer holds size information. This is now dynamically calculated and kept in memory. It also includes the meta file size which was not included before
    • Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to prometheus_tsdb_wal_reader_corruption_errors_total
  • Features:
    • Add option to use Alertmanager API v2.
    • Added humanizePercentage function for templates.
    • Include InitContainers in Kubernetes Service Discovery.
    • Provide option to compress WAL records using Snappy.
  • Enhancements:

    • Create new clean segment when starting the WAL.
    • Reduce allocations in PromQL aggregations.
    • Add storage warnings to LabelValues and LabelNames API results.
    • Add prometheus_http_requests_total metric.
    • Enable openbsd/arm build.
    • Remote-write allocation improvements.
    • Query performance improvement: Efficient iteration and search in HashForLabels and HashWithoutLabels.
    • Allow injection of arbitrary headers in promtool.
    • Allow passing external_labels in alert unit tests groups.
    • Allows globs for rules when unit testing.
    • Improved postings intersection matching.
    • Reduced disk usage for WAL for small setups.
    • Optimize queries using regexp for set lookups.
  • Update to 2.10.0:

  • Bug Fixes:
    • TSDB: Don't panic when running out of disk space and recover nicely from the condition
    • TSDB: Correctly handle empty labels.
    • TSDB: Don't crash on an unknown tombstone reference.
    • Storage/remote: Remove queue-manager specific metrics if queue no longer exists.
    • PromQL: Correctly display {name="a"}.
    • Discovery/kubernetes: Use service rather than ingress as the name for the service workqueue.
    • Discovery/azure: Don't panic on a VM with a public IP.
    • Web: Fixed Content-Type for js and css instead of using /etc/mime.types.
    • API: Encode alert values as string to correctly represent Inf/NaN.
  • Features:
    • Template expansion: Make external labels available as $externalLabels in alert and console template expansion.
    • TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL segment index that TSDB is currently writing to. tsdb
    • Scrape: Add scrape_series_added per-scrape metric. #5546
  • Enhancements
    • Discovery/kubernetes: Add labels __meta_kubernetes_endpoint_node_name and __meta_kubernetes_endpoint_hostname.
    • Discovery/azure: Add label __meta_azure_machine_public_ip.
    • TSDB: Simplify mergedPostings.Seek, resulting in better performance if there are many posting lists. tsdb
    • Log filesystem type on startup.
    • Cmd/promtool: Use POST requests for Query and QueryRange. client_golang
    • Web: Sort alerts by group name.
    • Console templates: Add convenience variables $rawParams, $params, $path.
  • Upadte to 2.9.2
  • Bug Fixes:
    • Make sure subquery range is taken into account for selection
    • Exhaust every request body before closing it
    • Cmd/promtool: return errors from rule evaluations
    • Remote Storage: string interner should not panic in release
    • Fix memory allocation regression in mergedPostings.Seek tsdb
  • Update to 2.9.1
  • Bug Fixes:
    • Discovery/kubernetes: fix missing label sanitization
    • Remote_write: Prevent reshard concurrent with calling stop
  • Update to 2.9.0
  • Feature:
    • Add honor_timestamps scrape option.
  • Enhancements:
    • Update Consul to support catalog.ServiceMultipleTags.
    • Discovery/kubernetes: add present labels for labels/annotations.
    • OpenStack SD: Add ProjectID and UserID meta labels.
    • Add GODEBUG and retention to the runtime page.
    • Add support for POSTing to /series endpoint.
    • Support PUT methods for Lifecycle and Admin APIs.
    • Scrape: Add global jitter for HA server.
    • Check for cancellation on every step of a range evaluation.
    • String interning for labels & values in the remote_write path.
    • Don't lose the scrape cache on a failed scrape.
    • Reload cert files from disk automatically. common
    • Use fixed length millisecond timestamp format for logs. common
    • Performance improvements for postings. Bug Fixes:
    • Remote Write: fix checkpoint reading.
    • Check if label value is valid when unmarshaling external labels from YAML.
    • Promparse: sort all labels when parsing.
    • Reload rules: copy state on both name and labels.
    • Exponentation operator to drop metric name in result of operation.
    • Config: resolve more file paths.
    • Promtool: resolve relative paths in alert test files.
    • Set TLSHandshakeTimeout in HTTP transport. common
    • Use fsync to be more resilient to machine crashes.
    • Keep series that are still in WAL in checkpoints.
  • Update to 2.8.1
  • Bug Fixes
    • Display the job labels in /targets which was removed accidentally
  • Update to 2.8.0
  • Change:
    • This release uses Write-Ahead Logging (WAL) for the remote_write API. This currently causes a slight increase in memory usage, which will be addressed in future releases.
    • Default time retention is used only when no size based retention is specified. These are flags where time retention is specified by the flag --storage.tsdb.retention and size retention by --storage.tsdb.retention.size.
    • prometheus_tsdb_storage_blocks_bytes_total is now prometheus_tsdb_storage_blocks_bytes.
  • Feature:
    • (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical compaction and vertical query merge. It is an optional feature which is controlled by the --storage.tsdb.allow-overlapping-blocks flag, disabled by default.
  • Enhancements:
    • Use the WAL for remote_write API.
    • Query performance improvements.
    • UI enhancements with upgrade to Bootstrap 4.
    • Reduce time that Alertmanagers are in flux when reloaded.
    • Limit number of metrics displayed on UI to 10000.
    • (1) Remember All/Unhealthy choice on target-overview when reloading page. (2) Resize text-input area on Graph page on mouseclick.
    • In histogram_quantile merge buckets with equivalent le values.
    • Show list of offending labels in the error message in many-to-many scenarios.
    • Show Storage Retention criteria in effect on /status page.
  • Bug Fixes:
    • Fix sorting of rule groups.
    • Fix support for password_file and bearer_token_file in Kubernetes SD.
    • Scrape: catch errors when creating HTTP clients
    • Adds new metrics: prometheus_target_scrape_pools_total prometheus_target_scrape_pools_failed_total prometheus_target_scrape_pool_reloads_total prometheus_target_scrape_pool_reloads_failed_total
    • Fix panic when aggregator param is not a literal.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Enterprise Storage 6
    zypper in -t patch SUSE-Storage-6-2020-2606=1

Package List:

  • SUSE Enterprise Storage 6 (aarch64 x86_64)
    • golang-github-prometheus-prometheus-2.18.0-3.3.1

References: