Login
Newsletter
Werbung

Sicherheit: Denial of Service in golang-github-prometheus-prometheus
Aktuelle Meldungen Distributionen
Name: Denial of Service in golang-github-prometheus-prometheus
ID: SUSE-SU-2020:2606-1
Distribution: SUSE
Plattformen: SUSE Enterprise Storage 6
Datum: Fr, 11. September 2020, 13:55
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215
Applikationen: golang-github-prometheus-prometheus

Originalnachricht


SUSE Security Update: Security update for
golang-github-prometheus-prometheus
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:2606-1
Rating: moderate
References: #1143913 #1175478
Cross-References: CVE-2019-10215
Affected Products:
SUSE Enterprise Storage 6
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for golang-github-prometheus-prometheus to version 2.18.0
fixes the following issues:

- Fixed some building issues (bsc#1175478)
- prometheus components systemd units should depend on network target
(bsc#1143913).

Update to 2.18.0
+ Features
* Tracing: Added experimental Jaeger support #7148
+ Changes
* Federation: Only use local TSDB for federation (ignore remote read).
#7096
* Rules: `rule_evaluations_total` and `rule_evaluation_failures_total`
have a `rule_group` label now. #7094
+ Enhancements
* TSDB: Significantly reduce WAL size kept around after a block cut.
#7098
* Discovery: Add `architecture` meta label for EC2. #7000
+ Bug fixes
* UI: Fixed wrong MinTime reported by /status. #7182
* React UI: Fixed multiselect legend on OSX. #6880
* Remote Write: Fixed blocked resharding edge case. #7122
* Remote Write: Fixed remote write not updating on relabel configs
change. #7073
- Changes from 2.17.2
+ Bug fixes
* Federation: Register federation metrics #7081
* PromQL: Fix panic in parser error handling #7132
* Rules: Fix reloads hanging when deleting a rule group that is being
evaluated #7138
* TSDB: Fix a memory leak when prometheus starts with an empty TSDB
WAL #7135
* TSDB: Make isolation more robust to panics in web handlers #7129
#7136
- Changes from 2.17.1
+ Bug fixes
* TSDB: Fix query performance regression that increased memory and CPU
usage #7051
- Changes from 2.17.0
+ Features
* TSDB: Support isolation #6841
* This release implements isolation in TSDB. API queries and recording
rules are guaranteed to only see full scrapes and full recording
rules. This comes with a certain overhead in resource usage.
Depending on the situation, there might be some increase in memory
usage, CPU usage, or query latency.
+ Enhancements
* PromQL: Allow more keywords as metric names #6933
* React UI: Add normalization of localhost URLs in targets page #6794
* Remote read: Read from remote storage concurrently #6770
* Rules: Mark deleted rule series as stale after a reload #6745
* Scrape: Log scrape append failures as debug rather than warn #6852
* TSDB: Improve query performance for queries that partially hit the
head #6676
* Consul SD: Expose service health as meta label #5313
* EC2 SD: Expose EC2 instance lifecycle as meta label #6914
* Kubernetes SD: Expose service type as meta label for K8s service
role #6684
* Kubernetes SD: Expose label_selector and field_selector #6807
* Openstack SD: Expose hypervisor id as meta label #6962
+ Bug fixes
* PromQL: Do not escape HTML-like chars in query log #6834 #6795
* React UI: Fix data table matrix values #6896
* React UI: Fix new targets page not loading when using non-ASCII
characters #6892
* Remote read: Fix duplication of metrics read from remote storage
with external labels #6967 #7018
* Remote write: Register WAL watcher and live reader metrics for all
remotes, not just the first one #6998
* Scrape: Prevent removal of metric names upon relabeling #6891
* Scrape: Fix 'superfluous response.WriteHeader call' errors
when
scrape fails under some circonstances #6986
* Scrape: Fix crash when reloads are separated by two scrape intervals
#7011
- Changes from 2.16.0
+ Features
* React UI: Support local timezone on /graph #6692
* PromQL: add absent_over_time query function #6490
* Adding optional logging of queries to their own file #6520
+ Enhancements
* React UI: Add support for rules page and "Xs ago" duration
displays
#6503
* React UI: alerts page, replace filtering togglers tabs with
checkboxes #6543
* TSDB: Export metric for WAL write errors #6647
* TSDB: Improve query performance for queries that only touch the most
recent 2h of data. #6651
* PromQL: Refactoring in parser errors to improve error messages #6634
* PromQL: Support trailing commas in grouping opts #6480
* Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
* Scrape: Add metrics to track bytes and entries in the metadata cache
#6675
* promtool: Add support for line-column numbers for invalid rules
output #6533
* Avoid restarting rule groups when it is unnecessary #6450
+ Bug fixes
* React UI: Send cookies on fetch() on older browsers #6553
* React UI: adopt grafana flot fix for stacked graphs #6603
* React UI: broken graph page browser history so that back button
works as expected #6659
* TSDB: ensure compactionsSkipped metric is registered, and log proper
error if one is returned from head.Init #6616
* TSDB: return an error on ingesting series with duplicate labels #6664
* PromQL: Fix unary operator precedence #6579
* PromQL: Respect query.timeout even when we reach
query.max-concurrency #6712
* PromQL: Fix string and parentheses handling in engine, which
affected React UI #6612
* PromQL: Remove output labels returned by absent() if they are
produced by multiple identical label matchers #6493
* Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
* Remote read: return the correct error if configs can't be
marshal'd
to JSON #6622
* Remote write: Make remote client `Store` use passed context, which
can affect shutdown timing #6673
* Remote write: Improve sharding calculation in cases where we would
always be consistently behind by tracking pendingSamples #6511
* Ensure prometheus_rule_group metrics are deleted when a rule group
is removed #6693
- Changes from 2.15.2
+ Bug fixes
* TSDB: Fixed support for TSDB blocks built with Prometheus before
2.1.0. #6564
* TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
+ Bug fixes
* TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
+ Features
* API: Added new endpoint for exposing per metric metadata
`/metadata`. #6420 #6442
+ Changes
* Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics.
Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds`
and `prometheus_sd_kubernetes_workqueue_work_duration_seconds`
metrics now show correct values in seconds. #6393
* Remote write: Changed `query` label on `prometheus_remote_storage_*`
metrics to `remote_name` and `url`. #6043
+ Enhancements
* TSDB: Significantly reduced memory footprint of loaded TSDB blocks.
#6418 #6461
* TSDB: Significantly optimized what we buffer during compaction which
should result in lower memory footprint during compaction. #6422
#6452 #6468 #6475
* TSDB: Improve replay latency. #6230
* TSDB: WAL size is now used for size based retention calculation.
#5886
* Remote read: Added query grouping and range hints to the remote read
request #6401
* Remote write: Added `prometheus_remote_storage_sent_bytes_total`
counter per queue. #6344
* promql: Improved PromQL parser performance. #6356
* React UI: Implemented missing pages like `/targets` #6276, TSDB
status page #6281 #6267 and many other fixes and performance
improvements.
* promql: Prometheus now accepts spaces between time range and square
bracket. e.g `[ 5m]` #6065
+ Bug fixes
* Config: Fixed alertmanager configuration to not miss targets when
configurations are similar. #6455
* Remote write: Value of `prometheus_remote_storage_shards_desired`
gauge shows raw value of desired shards and it's updated
correctly.
#6378
* Rules: Prometheus now fails the evaluation of rules and alerts where
metric results collide with labels specified in `labels` field. #6469
* API: Targets Metadata API `/targets/metadata` now accepts empty
`match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
+ Features
* API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo`
endpoints added for use by the React UI. #6243
* React UI: implement the new experimental React based UI. #5694 and
many more
* Can be found by under `/new`.
* Not all pages are implemented yet.
* Status: Cardinality statistics added to the Runtime & Build
Information page. #6125
+ Enhancements
* Remote write: fix delays in remote write after a compaction. #6021
* UI: Alerts can be filtered by state. #5758
+ Bug fixes
* Ensure warnings from the API are escaped. #6279
* API: lifecycle endpoints return 403 when not enabled. #6057
* Build: Fix Solaris build. #6149
* Promtool: Remove false duplicate rule warnings when checking rule
files with alerts. #6270
* Remote write: restore use of deduplicating logger in remote write.
#6113
* Remote write: do not reshard when unable to send samples. #6111
* Service discovery: errors are no longer logged on context
cancellation. #6116, #6133
* UI: handle null response from API properly. #6071
- Changes from 2.13.1
+ Bug fixes
* Fix panic in ARM builds of Prometheus. #6110
* promql: fix potential panic in the query logger. #6094
* Multiple errors of http: superfluous response.WriteHeader call in
the logs. #6145
- Changes from 2.13.0
+ Enhancements
* Metrics: renamed prometheus_sd_configs_failed_total to
prometheus_sd_failed_configs and changed to Gauge #5254
* Include the tsdb tool in builds. #6089
* Service discovery: add new node address types for kubernetes. #5902
* UI: show warnings if query have returned some warnings. #5964
* Remote write: reduce memory usage of the series cache. #5849
* Remote read: use remote read streaming to reduce memory usage. #5703
* Metrics: added metrics for remote write max/min/desired shards to
queue manager. #5787
* Promtool: show the warnings during label query. #5924
* Promtool: improve error messages when parsing bad rules. #5965
* Promtool: more promlint rules. #5515
+ Bug fixes
* UI: Fix a Stored DOM XSS vulnerability with query history
[CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-102
15). #6098
* Promtool: fix recording inconsistency due to duplicate labels. #6026
* UI: fixes service-discovery view when accessed from unhealthy
targets. #5915
* Metrics format: OpenMetrics parser crashes on short input. #5939
* UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
+ Features
* Track currently active PromQL queries in a log file. #5794
* Enable and provide binaries for `mips64` / `mips64le` architectures.
#5792
+ Enhancements
* Improve responsiveness of targets web UI and API endpoint. #5740
* Improve remote write desired shards calculation. #5763
* Flush TSDB pages more precisely. tsdb#660
* Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
* Add logging during TSDB WAL replay on startup. tsdb#662
* Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642,
tsdb#627
+ Bug fixes
* Check for duplicate label names in remote read. #5829
* Mark deleted rules' series as stale on next evaluation. #5759
* Fix JavaScript error when showing warning about out-of-sync server
time. #5833
* Fix `promtool test rules` panic when providing empty `exp_labels`.
#5774
* Only check last directory when discovering checkpoint number. #5756
* Fix error propagation in WAL watcher helper functions. #5741
* Correctly handle empty labels from alert templates. #5845

- Update to Prometheus 2.11.2

+ Fixes crashes when systems have no FQDN
+ Adds Parallel calls to Uyuni API, meaningful performance increase
+ Adds Support for system group labels

- Build with PIE

- Only package required files (reduces rpm size by 4 MB)
- Add sysconfig file
- Add firewall config file
- Use variables for defining user and group

- Add support for Uyuni/SUSE Manager service discovery

- readded _service file removed in error.
- Update to 2.11.1
+ Bug Fix:
* Fix potential panic when prometheus is watching multiple zookeeper
paths.
- Update to 2.11.0
+ Bug Fix:
* resolve race condition in maxGauge.
* Fix ZooKeeper connection leak.
* Improved atomicity of .tmp block replacement during compaction for
usual case.
* Fix "unknown series references" after clean shutdown.
* Re-calculate block size when calling block.Delete.
* Fix unsafe snapshots with head block.
* prometheus_tsdb_compactions_failed_total is now incremented on any
compaction failure.
+ Changes:
* Remove max_retries from queue_config (it has been unused since
rewriting remote-write to utilize the write-ahead-log)
* The meta file BlockStats no longer holds size information. This is
now dynamically calculated and kept in memory. It also includes the
meta file size which was not included before
* Renamed metric from prometheus_tsdb_wal_reader_corruption_errors to
prometheus_tsdb_wal_reader_corruption_errors_total
+ Features:
* Add option to use Alertmanager API v2.
* Added humanizePercentage function for templates.
* Include InitContainers in Kubernetes Service Discovery.
* Provide option to compress WAL records using Snappy.
+ Enhancements:
* Create new clean segment when starting the WAL.
* Reduce allocations in PromQL aggregations.
* Add storage warnings to LabelValues and LabelNames API results.
* Add prometheus_http_requests_total metric.
* Enable openbsd/arm build.
* Remote-write allocation improvements.
* Query performance improvement: Efficient iteration and search in
HashForLabels and HashWithoutLabels.
* Allow injection of arbitrary headers in promtool.
* Allow passing external_labels in alert unit tests groups.
* Allows globs for rules when unit testing.
* Improved postings intersection matching.
* Reduced disk usage for WAL for small setups.
* Optimize queries using regexp for set lookups.

- Update to 2.10.0:
+ Bug Fixes:
* TSDB: Don't panic when running out of disk space and recover
nicely
from the condition
* TSDB: Correctly handle empty labels.
* TSDB: Don't crash on an unknown tombstone reference.
* Storage/remote: Remove queue-manager specific metrics if queue no
longer exists.
* PromQL: Correctly display {__name__="a"}.
* Discovery/kubernetes: Use service rather than ingress as the name
for the service workqueue.
* Discovery/azure: Don't panic on a VM with a public IP.
* Web: Fixed Content-Type for js and css instead of using
/etc/mime.types.
* API: Encode alert values as string to correctly represent Inf/NaN.
+ Features:
* Template expansion: Make external labels available as
$externalLabels in alert and console template expansion.
* TSDB: Add prometheus_tsdb_wal_segment_current metric for the WAL
segment index that TSDB is currently writing to. tsdb
* Scrape: Add scrape_series_added per-scrape metric. #5546
+ Enhancements
* Discovery/kubernetes: Add labels
__meta_kubernetes_endpoint_node_name and
__meta_kubernetes_endpoint_hostname.
* Discovery/azure: Add label __meta_azure_machine_public_ip.
* TSDB: Simplify mergedPostings.Seek, resulting in better performance
if there are many posting lists. tsdb
* Log filesystem type on startup.
* Cmd/promtool: Use POST requests for Query and QueryRange.
client_golang
* Web: Sort alerts by group name.
* Console templates: Add convenience variables $rawParams, $params,
$path.
- Upadte to 2.9.2
+ Bug Fixes:
* Make sure subquery range is taken into account for selection
* Exhaust every request body before closing it
* Cmd/promtool: return errors from rule evaluations
* Remote Storage: string interner should not panic in release
* Fix memory allocation regression in mergedPostings.Seek tsdb
- Update to 2.9.1
+ Bug Fixes:
* Discovery/kubernetes: fix missing label sanitization
* Remote_write: Prevent reshard concurrent with calling stop
- Update to 2.9.0
+ Feature:
* Add honor_timestamps scrape option.
+ Enhancements:
* Update Consul to support catalog.ServiceMultipleTags.
* Discovery/kubernetes: add present labels for labels/annotations.
* OpenStack SD: Add ProjectID and UserID meta labels.
* Add GODEBUG and retention to the runtime page.
* Add support for POSTing to /series endpoint.
* Support PUT methods for Lifecycle and Admin APIs.
* Scrape: Add global jitter for HA server.
* Check for cancellation on every step of a range evaluation.
* String interning for labels & values in the remote_write path.
* Don't lose the scrape cache on a failed scrape.
* Reload cert files from disk automatically. common
* Use fixed length millisecond timestamp format for logs. common
* Performance improvements for postings. Bug Fixes:
* Remote Write: fix checkpoint reading.
* Check if label value is valid when unmarshaling external labels from
YAML.
* Promparse: sort all labels when parsing.
* Reload rules: copy state on both name and labels.
* Exponentation operator to drop metric name in result of operation.
* Config: resolve more file paths.
* Promtool: resolve relative paths in alert test files.
* Set TLSHandshakeTimeout in HTTP transport. common
* Use fsync to be more resilient to machine crashes.
* Keep series that are still in WAL in checkpoints.
- Update to 2.8.1
+ Bug Fixes
* Display the job labels in /targets which was removed accidentally
- Update to 2.8.0
+ Change:
* This release uses Write-Ahead Logging (WAL) for the remote_write
API. This currently causes a slight increase in memory usage, which
will be addressed in future releases.
* Default time retention is used only when no size based retention is
specified. These are flags where time retention is specified by the
flag --storage.tsdb.retention and size retention by
--storage.tsdb.retention.size.
* prometheus_tsdb_storage_blocks_bytes_total is now
prometheus_tsdb_storage_blocks_bytes.
+ Feature:
* (EXPERIMENTAL) Time overlapping blocks are now allowed; vertical
compaction and vertical query merge. It is an optional feature which
is controlled by the --storage.tsdb.allow-overlapping-blocks flag,
disabled by default.
+ Enhancements:
* Use the WAL for remote_write API.
* Query performance improvements.
* UI enhancements with upgrade to Bootstrap 4.
* Reduce time that Alertmanagers are in flux when reloaded.
* Limit number of metrics displayed on UI to 10000.
* (1) Remember All/Unhealthy choice on target-overview when reloading
page. (2) Resize text-input area on Graph page on mouseclick.
* In histogram_quantile merge buckets with equivalent le values.
* Show list of offending labels in the error message in many-to-many
scenarios.
* Show Storage Retention criteria in effect on /status page.
+ Bug Fixes:
+ Fix sorting of rule groups.
+ Fix support for password_file and bearer_token_file in Kubernetes SD.
+ Scrape: catch errors when creating HTTP clients
+ Adds new metrics: prometheus_target_scrape_pools_total
prometheus_target_scrape_pools_failed_total
prometheus_target_scrape_pool_reloads_total
prometheus_target_scrape_pool_reloads_failed_total
+ Fix panic when aggregator param is not a literal.


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Enterprise Storage 6:

zypper in -t patch SUSE-Storage-6-2020-2606=1



Package List:

- SUSE Enterprise Storage 6 (aarch64 x86_64):

golang-github-prometheus-prometheus-2.18.0-3.3.1


References:

https://www.suse.com/security/cve/CVE-2019-10215.html
https://bugzilla.suse.com/1143913
https://bugzilla.suse.com/1175478

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung