From 2b776c3cabc2053a113fbd32dfe0ca78cd73767f110be1232ec043800fc1b1b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 27 Jun 2025 15:27:18 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main golang-github-prometheus-prometheus revision 890417080cc17db0eb78b6fab3289453
---
 0004-Bump-go-net.patch | 112 ++++++++++++++++++++
 Makefile | 15 ++-
 _service | 4 +-
 golang-github-prometheus-prometheus.changes | 18 +++-
 golang-github-prometheus-prometheus.spec | 6 +-
 npm_licenses.tar.bz2 | 4 +-
 prometheus-2.53.3.tar.gz | 3 -
 prometheus-2.53.4.tar.gz | 3 +
 vendor.tar.gz | 4 +-
 web-ui-2.53.3.tar.gz | 3 -
 web-ui-2.53.4.tar.gz | 3 +
 11 files changed, 158 insertions(+), 17 deletions(-)
 create mode 100644 0004-Bump-go-net.patch
 delete mode 100644 prometheus-2.53.3.tar.gz
 create mode 100644 prometheus-2.53.4.tar.gz
 delete mode 100644 web-ui-2.53.3.tar.gz
 create mode 100644 web-ui-2.53.4.tar.gz
diff --git a/0004-Bump-go-net.patch b/0004-Bump-go-net.patch
new file mode 100644
index 0000000..1f17efa
--- /dev/null
+++ b/0004-Bump-go-net.patch
@@ -0,0 +1,112 @@ +diff --git a/go.mod b/go.mod +index 8caf80727..67267394e 100644 +--- a/go.mod ++++ b/go.mod +@@ -1,6 +1,8 @@ + module github.com/prometheus/prometheus + +-go 1.21 ++go 1.23.0 ++ ++toolchain go1.24.2 + + require ( + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 +@@ -73,10 +75,10 @@ require ( + go.uber.org/automaxprocs v1.5.3 + go.uber.org/goleak v1.3.0 + go.uber.org/multierr v1.11.0 +- golang.org/x/net v0.26.0 ++ golang.org/x/net v0.39.0 + golang.org/x/oauth2 v0.21.0 +- golang.org/x/sync v0.7.0 +- golang.org/x/sys v0.21.0 ++ golang.org/x/sync v0.13.0 ++ golang.org/x/sys v0.32.0 + golang.org/x/time v0.5.0 + golang.org/x/tools v0.22.0 + google.golang.org/api v0.183.0 +@@ -184,11 +186,11 @@ require ( + go.opencensus.io v0.24.0 // indirect + go.opentelemetry.io/otel/metric v1.27.0 // indirect + go.opentelemetry.io/proto/otlp v1.2.0 // indirect +- golang.org/x/crypto v0.24.0 // indirect ++ golang.org/x/crypto v0.37.0 // indirect + golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect + golang.org/x/mod v0.18.0 // indirect +- golang.org/x/term v0.21.0 // indirect +- golang.org/x/text v0.16.0 // indirect ++ golang.org/x/term v0.31.0 // indirect ++ golang.org/x/text v0.24.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/ini.v1 v1.67.0 // indirect +diff --git a/go.sum b/go.sum +index 06db002f5..58711b558 100644 +--- a/go.sum ++++ b/go.sum +@@ -774,8 +774,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y + golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= + golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= + golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +-golang.org/x/crypto v0.24.0/go.mod 
h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= ++golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE= ++golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc= + golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= + golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +@@ -857,8 +857,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= + golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= + golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= + golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= ++golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= ++golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= + golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= + golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= + golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +@@ -880,8 +880,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ + golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= + golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +-golang.org/x/sync v0.7.0 
h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= ++golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610= ++golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= + golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= + golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +@@ -947,16 +947,16 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= + golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= + golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= ++golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20= ++golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= + golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= + golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= + golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= + golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= + golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +-golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= 
++golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o= ++golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw= + golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= + golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +@@ -968,8 +968,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= + golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= + golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= + golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= ++golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0= ++golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU= + golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= + golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/Makefile b/Makefile index 44161f3..deeae6e 100644 --- a/Makefile +++ b/Makefile 
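Review bot: The new `toolchain go1.24.2` line in the patched go.mod asks for a newer Go than the `golang(API) >= 1.23` that the spec hunk of this same commit requires. With the default `GOTOOLCHAIN=auto`, a Go 1.23 installation that reads this go.mod tries to switch to go1.24.2 and, when that is not present locally, to download it, which fails in a build root without network and pulls an unpackaged toolchain when `make tar` runs online. Whether the distribution's Go already pins `GOTOOLCHAIN=local` is not visible here, so either drop the `+toolchain go1.24.2` line from the patch or set `GOTOOLCHAIN=local` for the `go mod download`/`go mod vendor` steps and the package build.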
@@ -16,8 +16,19 @@ tar:
 wd=$$(pwd) && \
 tmpdir=$$(mktemp -d -p /tmp) && \
 cd $$tmpdir && \
- tar -zxf $$wd/$$tar.gz && \
+ gunzip $$wd/$$tar.gz && \
+ tar -xf $$wd/$$tar && \
+ # recreate tarball explicitly in a format that handles long filenames \
+ tar --format=posix -cf $$wd/$$tar $$basename && \
 cd $$basename && \
+ # Patches for Go modules go after here \
+ patch --no-backup-if-mismatch -p1 -i $$wd/0003-Bump-go-retryablehttp.patch && \
+ patch --no-backup-if-mismatch -p1 -i $$wd/0004-Bump-go-net.patch && \
+ # End of Go modules patches section \
+ go mod download && \
+ go mod verify && \
+ go mod vendor && \
+ tar --format=posix -cf $$wd/vendor.tar vendor && \
 make assets npm_licenses assets-compress && \
 tar -cf $$wd/$$web_ui web/ui/static/react && \
 find web/ui/static -type f -name '*.gz' -exec tar -rf $$wd/$$web_ui "{}" \; && \
@@ -26,5 +37,7 @@ tar:
 echo "Creating web assets tarball" && \
 mv $$basename/npm_licenses.tar.bz2 $$wd && \
 cd $$wd && \
+ gzip $$tar && \
 gzip -f $$web_ui && \
+ gzip -f vendor.tar && \
 rm -rf $$tmpdir
diff --git a/_service b/_service
index 0e694aa..07d7998 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@ git .git @PARENT_TAG@ - v2.53.3 + v2.53.4 v(.*) v2*
@@ -13,6 +13,6 @@ gz - prometheus-2.53.3.tar.gz + prometheus-2.53.4.tar.gz
diff --git a/golang-github-prometheus-prometheus.changes b/golang-github-prometheus-prometheus.changes
index 6808ced..4e119b7 100644
--- a/golang-github-prometheus-prometheus.changes
+++ b/golang-github-prometheus-prometheus.changes
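Review bot: The first Makefile hunk now decompresses the source archive in place with `gunzip $$wd/$$tar.gz` and only the second hunk restores it with `gzip $$tar`, at the end of a single `&&` chain, so any failing step in between (a patch that no longer applies, a module download error) leaves the work directory without the `.tar.gz`, possibly with a rewritten `$$tar`, and with `$$tmpdir` not removed; a rerun then fails at the gunzip. Extracting with `gunzip -c $$wd/$$tar.gz | tar -xf -` and writing the repacked archive to a temporary name that is moved into place last would keep the original until the run succeeds. The archives written here (`$$tar`, `vendor.tar`) also carry build-time metadata, so the `oid sha256` values committed for them cannot be reproduced by a second run; `gzip -n` and, with GNU tar, `--sort=name --mtime=@0 --owner=0 --group=0 --numeric-owner` would make them comparable. The `tar:` recipe starts before the first hunk.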
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu May 8 13:17:36 UTC 2025 - Witek Bedyk + +- Require Go >= 1.23 for building + (CVE-2023-45288, bsc#1236516) +- Add 0004-Bump-go-net.patch +- Bump golang.org/x/net to version 0.39.0 + (CVE-2025-22870, bsc#1238686) +- Update to 2.53.4: + * [BUGFIX] Runtime: fix GOGC is being set to 0 when installed + with empty prometheus.yml file resulting high cpu usage. + * [BUGFIX] Scrape: fix dropping valid metrics after previous + scrape failed. + ------------------------------------------------------------------- Tue Nov 26 15:36:02 UTC 2024 - Witek Bedyk - 2.53.3 @@ -5,7 +19,7 @@ Tue Nov 26 15:36:02 UTC 2024 - Witek Bedyk - 2.53.3 - Require Go >= 1.21 for building - Rebase 0003-Bump-go-retryablehttp.patch - Remove vendor.tar.gz during "make clean" -- Update to 2.53.3 (jsc#PED-11649): +- Update to 2.53.3 (jsc#PED-11740): * [BUGFIX] Scraping: allow multiple samples on same series, with explicit timestamps. - Update to 2.53.2: @@ -919,7 +933,7 @@ Fri Mar 31 13:53:10 UTC 2023 - Witek Bedyk to version 0.7.3 (CVE-2022-46146, bsc#1208049) - Fix uncontrolled resource consumption by updating Go to version 1.20.1 (CVE-2022-41723, bsc#1208298) -- Restructure the spec to build web assets online +- Restructure the spec to build web assets online (boo#1208752) - Add: * Makefile * web-ui-2.32.1.tar.gz diff --git a/golang-github-prometheus-prometheus.spec b/golang-github-prometheus-prometheus.spec index 46b8ab5..ffd924d 100644 --- a/golang-github-prometheus-prometheus.spec +++ b/golang-github-prometheus-prometheus.spec @@ -27,7 +27,7 @@ %endif Name: golang-github-prometheus-prometheus -Version: 2.53.3 +Version: 2.53.4 Release: 0 Summary: The Prometheus monitoring system and time series database License: Apache-2.0 
@@ -49,6 +49,8 @@ Patch1: 0001-Do-not-force-the-pure-Go-name-resolver.patch
 Patch2: 0002-Default-settings.patch
 # https://github.com/prometheus/prometheus/pull/14373
 Patch3: 0003-Bump-go-retryablehttp.patch
+# https://github.com/prometheus/prometheus/pull/16520
+Patch4: 0004-Bump-go-net.patch
 BuildRequires: fdupes
 %if 0%{?suse_version} == 1500 && 0%{?sle_version} < 150300
 BuildRequires: firewall-macros
@@ -57,7 +59,7 @@ BuildRequires: firewall-macros
 # with -buildmode=pie
 BuildRequires: glibc-devel-static
 BuildRequires: golang-github-prometheus-promu >= 0.14.0
-BuildRequires: golang(API) >= 1.21
+BuildRequires: golang(API) >= 1.23
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} >= 1500
 Recommends: firewalld-prometheus-config
diff --git a/npm_licenses.tar.bz2 b/npm_licenses.tar.bz2
index 506bf6c..4525b05 100644
--- a/npm_licenses.tar.bz2
+++ b/npm_licenses.tar.bz2
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:28c7bbab7f499a58c33980eff270364f4d98727629c7678cf19374aa1fe8e668
-size 161912
+oid sha256:75df25d5dad5f85ebb412ae14fb927e90e179a4d860399bdb536de6b9d567c40
+size 163029
diff --git a/prometheus-2.53.3.tar.gz b/prometheus-2.53.3.tar.gz
deleted file mode 100644
index 53a7478..0000000
--- a/prometheus-2.53.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:652861e3c598ec6b85ff43f8826b14f0e18a9862cf7d3dabc721a404b8c48af0
-size 21462465
diff --git a/prometheus-2.53.4.tar.gz b/prometheus-2.53.4.tar.gz
new file mode 100644
index 0000000..364d4a2
--- /dev/null
+++ b/prometheus-2.53.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a25f2cb459ff4d6925bcb310b02130e982b0a04fbbab7696f8a188c8a5f68340
+size 6268226
diff --git a/vendor.tar.gz b/vendor.tar.gz
index f537f2f..979d603 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b1f94556bb4c3160150ce2dd913f7d487f8643b768893b931e778c5246a98f0b
-size 15122627
+oid sha256:bec6a189939715575b9e8a1fbdfff1f5f921ada3edeffbaf4219066adf7ec3d9
+size 15127270
diff --git a/web-ui-2.53.3.tar.gz b/web-ui-2.53.3.tar.gz
deleted file mode 100644
index 6eb84e9..0000000
--- a/web-ui-2.53.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:82e05449a15b0f68e99a7da37bb56d8ff908f3c6ad98e2d320bdc082b4887d26
-size 3603428
diff --git a/web-ui-2.53.4.tar.gz b/web-ui-2.53.4.tar.gz
new file mode 100644
index 0000000..8ffd228
--- /dev/null
+++ b/web-ui-2.53.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eca681146b19f7f8d85de72d72b50f8e74df13a62263704e80857abe189734b0
+size 3603334