Sync from SUSE:SLFO:Main golang-github-prometheus-prometheus revision 890417080cc17db0eb78b6fab3289453

0004-Bump-go-net.patch

@@ -0,0 +1,112 @@
+diff --git a/go.mod b/go.mod
+index 8caf80727..67267394e 100644
+--- a/go.mod
++++ b/go.mod
+@@ -1,6 +1,8 @@
+ module github.com/prometheus/prometheus
+ 
+-go 1.21
++go 1.23.0
++
++toolchain go1.24.2
+ 
+ require (
+ 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
+@@ -73,10 +75,10 @@ require (
+ 	go.uber.org/automaxprocs v1.5.3
+ 	go.uber.org/goleak v1.3.0
+ 	go.uber.org/multierr v1.11.0
+-	golang.org/x/net v0.26.0
++	golang.org/x/net v0.39.0
+ 	golang.org/x/oauth2 v0.21.0
+-	golang.org/x/sync v0.7.0
+-	golang.org/x/sys v0.21.0
++	golang.org/x/sync v0.13.0
++	golang.org/x/sys v0.32.0
+ 	golang.org/x/time v0.5.0
+ 	golang.org/x/tools v0.22.0
+ 	google.golang.org/api v0.183.0
+@@ -184,11 +186,11 @@ require (
+ 	go.opencensus.io v0.24.0 // indirect
+ 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+ 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
+-	golang.org/x/crypto v0.24.0 // indirect
++	golang.org/x/crypto v0.37.0 // indirect
+ 	golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
+ 	golang.org/x/mod v0.18.0 // indirect
+-	golang.org/x/term v0.21.0 // indirect
+-	golang.org/x/text v0.16.0 // indirect
++	golang.org/x/term v0.31.0 // indirect
++	golang.org/x/text v0.24.0 // indirect
+ 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
+ 	gopkg.in/inf.v0 v0.9.1 // indirect
+ 	gopkg.in/ini.v1 v1.67.0 // indirect
+diff --git a/go.sum b/go.sum
+index 06db002f5..58711b558 100644
+--- a/go.sum
++++ b/go.sum
+@@ -774,8 +774,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
+ golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+ golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+ golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
++golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
++golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+ golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+ golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+@@ -857,8 +857,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
++golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
++golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+ golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+@@ -880,8 +880,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
+ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
++golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
++golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+ golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+ golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+@@ -947,16 +947,16 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+ golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
++golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+ golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+-golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
++golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
++golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+@@ -968,8 +968,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+ golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
++golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
++golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+ golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

Makefile

@@ -16,8 +16,19 @@ tar:
 	wd=$$(pwd) && \
 	tmpdir=$$(mktemp -d -p /tmp) && \
 	cd $$tmpdir && \
-	tar -zxf $$wd/$$tar.gz && \
+       gunzip $$wd/$$tar.gz && \
+	tar -xf $$wd/$$tar && \
+	# recreate tarball explicitly in a format that handles long filenames \
+	tar --format=posix -cf $$wd/$$tar $$basename && \
 	cd $$basename && \
+	# Patches for Go modules go after here \
+	patch --no-backup-if-mismatch -p1 -i $$wd/0003-Bump-go-retryablehttp.patch && \
+	patch --no-backup-if-mismatch -p1 -i $$wd/0004-Bump-go-net.patch && \
+	# End of Go modules patches section \
+	go mod download && \
+	go mod verify && \
+	go mod vendor && \
+	tar --format=posix -cf $$wd/vendor.tar vendor && \
         make assets npm_licenses assets-compress && \
 	tar -cf $$wd/$$web_ui web/ui/static/react && \
         find web/ui/static -type f -name '*.gz' -exec tar -rf $$wd/$$web_ui "{}" \; && \
@@ -26,5 +37,7 @@ tar:
 	echo "Creating web assets tarball" && \
 	mv $$basename/npm_licenses.tar.bz2 $$wd && \
 	cd $$wd && \
+	gzip $$tar && \
 	gzip -f $$web_ui && \
+	gzip -f vendor.tar && \
 	rm -rf $$tmpdir

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="exclude">.git</param>
     <param name="versionformat">@PARENT_TAG@</param>
-    <param name="revision">v2.53.3</param>
+    <param name="revision">v2.53.4</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="match-tag">v2*</param>
   </service>
@@ -13,6 +13,6 @@
     <param name="compression">gz</param>
   </service>
   <service name="go_modules" mode="manual">
-    <param name="archive">prometheus-2.53.3.tar.gz</param>
+    <param name="archive">prometheus-2.53.4.tar.gz</param>
   </service>
 </services>

golang-github-prometheus-prometheus.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu May  8 13:17:36 UTC 2025 - Witek Bedyk <witold.bedyk@suse.com>
+
+- Require Go >= 1.23 for building
+  (CVE-2023-45288, bsc#1236516)
+- Add 0004-Bump-go-net.patch
+- Bump golang.org/x/net to version 0.39.0
+  (CVE-2025-22870, bsc#1238686)
+- Update to 2.53.4:
+  * [BUGFIX] Runtime: fix GOGC is being set to 0 when installed
+    with empty prometheus.yml file resulting high cpu usage.
+  * [BUGFIX] Scrape: fix dropping valid metrics after previous
+    scrape failed.
+
 -------------------------------------------------------------------
 Tue Nov 26 15:36:02 UTC 2024 - Witek Bedyk <witold.bedyk@suse.com> - 2.53.3
 
@@ -5,7 +19,7 @@ Tue Nov 26 15:36:02 UTC 2024 - Witek Bedyk <witold.bedyk@suse.com> - 2.53.3
 - Require Go >= 1.21 for building
 - Rebase 0003-Bump-go-retryablehttp.patch
 - Remove vendor.tar.gz during "make clean"
-- Update to 2.53.3 (jsc#PED-11649):
+- Update to 2.53.3 (jsc#PED-11740):
   * [BUGFIX] Scraping: allow multiple samples on same series, with
     explicit timestamps.
 - Update to 2.53.2:
@@ -919,7 +933,7 @@ Fri Mar 31 13:53:10 UTC 2023 - Witek Bedyk <witold.bedyk@suse.com>
   to version 0.7.3 (CVE-2022-46146, bsc#1208049)
 - Fix uncontrolled resource consumption by updating Go to version
   1.20.1 (CVE-2022-41723, bsc#1208298)
-- Restructure the spec to build web assets online
+- Restructure the spec to build web assets online (boo#1208752)
 - Add:
   * Makefile
   * web-ui-2.32.1.tar.gz

golang-github-prometheus-prometheus.spec

@@ -27,7 +27,7 @@
 %endif
 
 Name:           golang-github-prometheus-prometheus
-Version:        2.53.3
+Version:        2.53.4
 Release:        0
 Summary:        The Prometheus monitoring system and time series database
 License:        Apache-2.0
@@ -49,6 +49,8 @@ Patch1:         0001-Do-not-force-the-pure-Go-name-resolver.patch
 Patch2:         0002-Default-settings.patch
 # https://github.com/prometheus/prometheus/pull/14373
 Patch3:         0003-Bump-go-retryablehttp.patch
+# https://github.com/prometheus/prometheus/pull/16520
+Patch4:         0004-Bump-go-net.patch
 BuildRequires:  fdupes
 %if 0%{?suse_version} == 1500 && 0%{?sle_version} < 150300
 BuildRequires:  firewall-macros
@@ -57,7 +59,7 @@ BuildRequires:  firewall-macros
 # with -buildmode=pie
 BuildRequires:  glibc-devel-static
 BuildRequires:  golang-github-prometheus-promu >= 0.14.0
-BuildRequires:  golang(API) >= 1.21
+BuildRequires:  golang(API) >= 1.23
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} >= 1500
 Recommends:     firewalld-prometheus-config