File _patchinfo of Package patchinfo.11771

<patchinfo incident="11771">
  <issue tracker="bnc" id="1124610">VUL-1: CVE-2019-3826: golang-github-prometheus-prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL</issue>
  <category>recommended</category>
  <rating>moderate</rating>
  <packager>juliogonzalezgil</packager>
  <description>This update for golang-github-prometheus-prometheus fixes the following issues:

- fix spec file: actually ship promtool
    
- Update to 2.7.1:
    
  + Bug Fixes:
    * Fix a Stored DOM XSS vulnerability with query history (bsc#1124610)
    * prometheus_rule_group_last_duration_seconds now reports seconds instead of nanoseconds
    * Make sure the targets are consistently sorted in the targets page
    
- Update to 2.7.0:
    
  + CLI flag deprecated: storage.tsdb.retention; use storage.tsdb.retention.time
    instead; the deprecated flag will be removed in 3.0
  + Features:
    * Add subqueries to PromQL
    * Add support for disk size based retention. Note that we don't
      consider the WAL size which could be significant and the time
      based retention policy also applies (experimental)
    * Add CORS origin flag
  + Bug Fixes:
    * Don't depend on given order when comparing samples in alert unit testing
    * Make sure the retention period doesn't overflow
    * Don't generate blocks with no samples
    
- Update to 2.6.0:
    
  + Remove default flags from the container's entrypoint, run Prometheus from
    /etc/prometheus and symlink the storage directory to /etc/prometheus/data
  + Promtool: Remove the update command
  + Features:
    * Add JSON log format via the --log.format flag
    * API: Add /api/v1/labels endpoint to get all label names
    * Web: Allow setting the page's title via the --web.ui-title flag
  + Enhancements:
    * Add prometheus_tsdb_lowest_timestamp_seconds, prometheus_tsdb_head_min_time_seconds
      and prometheus_tsdb_head_max_time_seconds metrics
    * Add rule_group_last_evaluation_timestamp_seconds metric
    * Add prometheus_template_text_expansion_failures_total and prometheus_template_text_expansions_total metrics
    * Set consistent User-Agent header in outgoing requests
    * Azure SD: Error out at load time when authentication parameters are missing
    * EC2 SD: Add the machine's private DNS name to the discovery metadata
    * EC2 SD: Add the operating system's platform to the discovery metadata
    * Kubernetes SD: Add the pod's phase to the discovery metadata
    * Kubernetes SD: Log Kubernetes messages
    * Promtool: Collect CPU and trace profiles
    * Promtool: Support writing output as JSON
    * Remote Read: Return available data if remote read fails partially
    * Remote Write: Improve queue performance
    * Remote Write: Add min_shards parameter to set the minimum number of shards
    * TSDB: Improve WAL reading
    * TSDB: Memory improvements
    * Web: Log stack traces on panic
    * Web UI: Add copy to clipboard button for configuration
    * Web UI: Support console queries at specific times
    * Web UI: group targets by job then instance
  + Bug Fixes:
    * Deduplicate handler labels for HTTP metrics
    * Fix leaked queriers causing shutdowns to hang
    * Fix configuration loading panics on nil pointer slice elements
    * API: Correctly skip mismatching targets on /api/v1/targets/metadata
    * API: Better rounding for incoming query timestamps
    * Discovery: Remove all targets when the scrape configuration gets empty
    * PromQL: Fix a goroutine leak in the lexer/parser
    * Scrape: Fix deadlock in the scrape's manager
    * Scrape: Scrape targets at fixed intervals even after Prometheus restarts
    * TSDB: Support restored snapshots including the head properly
    * TSDB: Repair WAL when the last record in a segment is torn
    
- Update to 2.5.0:
    
  + Group targets by scrape config instead of job name
  + Marathon SD: Various changes to adapt to Marathon 1.5+
  + Discovery: Split prometheus_sd_discovered_targets metric by scrape and
    notify (Alertmanager SD) as well as by section in the respective configuration
  + Enhancements:
    * Support s390x platform for Linux
    * API: Add prometheus_api_remote_read_queries metric tracking currently
      executed or waiting remote read API requests
    * Remote Read: Add prometheus_remote_storage_remote_read_queries metric
      tracking currently in-flight remote read queries
    * Remote Read: Reduced memory usage
    * Discovery: Add prometheus_sd_discovered_targets,
      prometheus_sd_received_updates_total, prometheus_sd_updates_delayed_total,
      and prometheus_sd_updates_total metrics for discovery subsystem
    * Discovery: Improve performance of previously slow updates of changes of targets
    * Kubernetes SD: Add extended metrics
    * OpenStack SD: Support discovering instances from all projects
    * OpenStack SD: Discover all interfaces
    * OpenStack SD: Support tls_config for the used HTTP client
    * Triton SD: Add ability to filter triton_sd targets by pre-defined groups
    * Web UI: Avoid browser spell-checking in expression field
    * Web UI: Add scrape duration and last evaluation time in targets and rules pages
    * Web UI: Improve rule view by wrapping lines
    * Rules: Error out at load time for invalid templates, rather than at evaluation time
  + Bug Fixes:
    * Change max/min over_time to handle NaNs properly
    * Check label name for count_values PromQL function
    * Ensure that vectors and matrices do not contain identical label-sets
    
- Update to 2.4.3:
    
  + Bug Fixes: 
    * Fix panic when using custom EC2 API for SD #4672
    * Fix panic when Zookeeper SD cannot connect to servers #4669
    * Make the skip_head an optional parameter for snapshot API #4674
    
- Update to 2.4.2:

  + Bug Fixes:     
    * Handle WAL corruptions properly prometheus/tsdb#389
    * Handle WAL migrations correctly on Windows prometheus/tsdb#392
    
- Update to 2.4.1:
    
  + New TSDB metrics
  + [BUGFIX] Render UI correctly for Windows
    
- Update to 2.4.0:
    
  + The WAL implementation has been re-written so the storage is not forward
    compatible. Prometheus 2.3 storage will work on 2.4 but not vice-versa
  + Reduce remote write default retries
  + Remove /heap endpoint
  + Features:
    * Persist alert 'for' state across restarts
    * Add API providing per target metric metadata
    * Add API providing recording and alerting rules
  + Enhancements:
    * Brand new WAL implementation for TSDB. Forwards incompatible with previous WAL.
    * Show rule evaluation errors in UI
    * Throttle resends of alerts to Alertmanager
    * Send EndsAt along with the alert to Alertmanager
    * Limit the samples returned by remote read endpoint
    * Limit the data read in through remote read
    * Coalesce identical SD configurations
    * promtool: Add new commands for debugging and querying
    * Update console examples for node_exporter v0.16.0
    * Optimize PromQL aggregations
    * Remote read: Add Offset to hints
    * consul_sd: Add support for ServiceMeta field
    * ec2_sd: Maintain order of subnet_id label
    * ec2_sd: Add support for custom endpoint to support EC2 compliant APIs
    * ec2_sd: Add instance_owner label
    * azure_sd: Add support for VMSS discovery and multiple environments
    * gce_sd: Add instance_id label
    * Forbid rule-abiding robots from indexing
    * Log virtual memory limits on startup
  + Bug Fixes:
    * Wait for service discovery to stop before exiting
    * Render SD configs properly
    * Only add LookbackDelta to vector selectors
    * ec2_sd: Handle panic-ing nil pointer
    * consul_sd: Stop leaking connections
    * Use templated labels also to identify alerts
    * Reduce floating point errors in stddev and related functions
    * Log errors while encoding responses
    
- Update to 2.3.2:
    
  + Bug Fixes:
    * Fix various tsdb bugs
    * Reorder startup and shutdown to prevent panics.
    * Exit with non-zero code on error
    * discovery/kubernetes/ingress: fix scheme discovery
    * Fix race in zookeeper sd
    * Better timeout handling in promql
    * Propagate errors when selecting series from the tsdb
    
- Update to 2.3.1:
   
  + Bug Fixes:
    * Avoid infinite loop on duplicate NaN values.
    * Fix nil pointer dereference when using various API endpoints
    * config: set target group source index during unmarshalling
    * discovery/file: fix logging
    * kubernetes_sd: fix namespace filtering
    * web: restore old path prefix behavior
    * web: remove security headers added in 2.3.0
    
- Update to 2.3.0
  + marathon_sd: use auth_token and auth_token_file for token-based authentication
    instead of bearer_token and bearer_token_file respectively
  + Metric names for HTTP server metrics changed
  + Features:
    * Add query commands to promtool
    * Add security headers to HTTP server responses
    * Pass query hints via remote read API
    * Basic auth passwords can now be configured via file across all configuration
  + Enhancements:
    * Optimise PromQL and API serialization for memory usage and allocations
    * Limit number of dropped targets in web UI
    * Consul and EC2 service discovery allow using server-side filtering for performance improvement
    * Add advanced filtering configuration to EC2 service discovery
    * marathon_sd: adds support for basic and bearer authentication, plus all
      other common HTTP client options (TLS config, proxy URL, etc.)
    * Provide machine type metadata and labels in GCE service discovery
    * Add pod controller kind and name to Kubernetes service discovery data
    * Move TSDB to flock-based log file that works with Docker containers
  + Bug Fixes:
    * Properly propagate storage errors in PromQL
    * Fix path prefix for web pages
    * Fix goroutine leak in Consul service discovery
    * Fix races in scrape manager
    * Fix OOM for very large k in PromQL topk() queries
    * Make remote write more resilient to unavailable receivers
    * Make remote write shutdown cleanly
    * Don't leak files on errors in TSDB's tombstone cleanup
    * Unary minus expressions now remove the metric name from results
    * Fix bug that led to the wrong number of samples being considered for time range expressions
- Update to 2.2.1
  + Bug Fixes:
    * Fix data loss in TSDB on compaction
    * Correctly stop timer in remote-write path
    * Fix deadlock triggered by loading targets page
    * Fix incorrect buffering of samples on range selection queries
    * Handle large index files on Windows properly
- Update to 2.2.0
  + This release introduces improvements to the storage format and fixes a
    regression introduced in 2.1. As a result Prometheus servers upgraded
    to 2.2 cannot be downgraded to a lower version anymore!
  + Rename file SD mtime metric
  + Send target update on empty pod IP in Kubernetes SD
  + Features:
    * Add API endpoint for flags.
    * Add API endpoint for dropped targets.
    * Display annotations on alerts page.
    * Add option to skip head data when taking snapshots
  + Enhancements:
    * Federation performance improvement.
    * Read bearer token file on every scrape.
    * Improve typeahead on /graph page.
    * Change rule file formatting.
    * Set consul server default to localhost:8500.
    * Add dropped Alertmanagers to API info endpoint.
    * Add OS type meta label to Azure SD.
    * Validate required fields in SD configuration.
  + Bug Fixes:
    * Prevent stack overflow on deep recursion in TSDB.
    * Correctly read offsets in index files that are greater than 4GB.
    * Fix scraping behavior for empty labels.
    * Drop metric name for bool modifier.
    * Fix races in discovery.
    * Fix Kubernetes endpoints SD for empty subsets.
    * Throttle updates from SD providers, which caused increased CPU usage and allocations.
    * Fix TSDB block reload issue.
    * Fix PromQL printing of empty without().
    * Don't reset FiredAt for inactive alerts.
    * Fix erroneous file version changes and repair existing data.
</description>
  <summary>Recommended update for golang-github-prometheus-prometheus</summary>
</patchinfo>