
From:
Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject:
update prometheus to 3.5.2
To:
ports@openbsd.org
Date:
Wed, 15 Apr 2026 23:08:24 +0200


This dropped 2 days ago. Mostly a fix for CVE-2026-40179

This release has a fix for a Stored XSS vulnerability that can be
triggered via crafted metric names and label values in Prometheus web UI
tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for
reporting it.

    [SECURITY] UI: Fix stored XSS via unescaped metric names and labels.
	CVE-2026-40179. #18507
    [PERF] Regex: Stop calling Simplify. #17908

I started running this on my system; no issues so far.
-- 
:wq Claudio


Index: Makefile
===================================================================
RCS file: /cvs/ports/sysutils/prometheus/Makefile,v
diff -u -p -r1.24 Makefile
--- Makefile	31 Mar 2026 13:42:05 -0000	1.24
+++ Makefile	15 Apr 2026 20:55:45 -0000
@@ -1,6 +1,6 @@
 COMMENT =		systems monitoring and alerting toolkit
 
-V =			3.5.1
+V =			3.5.2
 GH_ACCOUNT =		prometheus
 GH_PROJECT =		prometheus
 GH_TAGNAME =		v${V}
Index: distinfo
===================================================================
RCS file: /cvs/ports/sysutils/prometheus/distinfo,v
diff -u -p -r1.13 distinfo
--- distinfo	31 Mar 2026 13:42:05 -0000	1.13
+++ distinfo	15 Apr 2026 20:55:54 -0000
@@ -1,6 +1,6 @@
-SHA256 (prometheus-3.5.1.tar.gz) = rdZ3162GT87UPBS6CNooIT7+ibHje6WSnu9D1bgvaS8=
-SHA256 (prometheus-vendor-3.5.1.tar.gz) = PJNjvT2VG1mq5hBfAYw/yf6eufDcqoVYH2if9F4cHpE=
-SHA256 (prometheus-web-ui-3.5.1.tar.gz) = 1Cvm4TYLCadGMAKBj6uviDRzawIm6S7guO0SUQwIsgY=
-SIZE (prometheus-3.5.1.tar.gz) = 5129927
-SIZE (prometheus-vendor-3.5.1.tar.gz) = 16513716
-SIZE (prometheus-web-ui-3.5.1.tar.gz) = 3487629
+SHA256 (prometheus-3.5.2.tar.gz) = 7cqtsJsdz1UEtiZ221PIiHRcNC7yevaay9mdWtvHnDM=
+SHA256 (prometheus-vendor-3.5.2.tar.gz) = C3Rv+cViXG+m58PRq4BZAVh0Nv0b5Hz4gmcZQu0zJSY=
+SHA256 (prometheus-web-ui-3.5.2.tar.gz) = I3ow9YQyFs+RHETURVRND9aoZvOb73PmfA5MpaJfVqU=
+SIZE (prometheus-3.5.2.tar.gz) = 5129100
+SIZE (prometheus-vendor-3.5.2.tar.gz) = 16689071
+SIZE (prometheus-web-ui-3.5.2.tar.gz) = 3490735
Index: patches/patch-mmap_openbsd
===================================================================
RCS file: /cvs/ports/sysutils/prometheus/patches/patch-mmap_openbsd,v
diff -u -p -r1.4 patch-mmap_openbsd
--- patches/patch-mmap_openbsd	31 Mar 2026 13:42:05 -0000	1.4
+++ patches/patch-mmap_openbsd	15 Apr 2026 20:53:00 -0000
@@ -4,7 +4,7 @@ and https://github.com/prometheus/promet
 to make tsdb only use mmap and work around missing UBC support.
 
 diff --git go.mod go.mod
-index 7a27951ac..eee4405dd 100644
+index 00bc50070..5dec05223 100644
 --- go.mod
 +++ go.mod
 @@ -17,7 +17,6 @@ require (
@@ -12,11 +12,11 @@ index 7a27951ac..eee4405dd 100644
  	github.com/digitalocean/godo v1.152.0
  	github.com/docker/docker v28.5.2+incompatible
 -	github.com/edsrzf/mmap-go v1.2.0
- 	github.com/envoyproxy/go-control-plane/envoy v1.32.4
- 	github.com/envoyproxy/protoc-gen-validate v1.2.1
+ 	github.com/envoyproxy/go-control-plane/envoy v1.36.0
+ 	github.com/envoyproxy/protoc-gen-validate v1.3.0
  	github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb
 diff --git go.sum go.sum
-index 8ed834bcf..00ff455ac 100644
+index 301c10c76..c986e6e90 100644
 --- go.sum
 +++ go.sum
 @@ -122,8 +122,6 @@ github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKoh
@@ -27,7 +27,7 @@ index 8ed834bcf..00ff455ac 100644
 -github.com/edsrzf/mmap-go v1.2.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=
  github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
  github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
- github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+ github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
 diff --git promql/query_logger.go promql/query_logger.go
 index c0a70b66d..8aac517e2 100644
 --- promql/query_logger.go
@@ -230,7 +230,7 @@ index eb06e513e..ef2f85cfd 100644
  
  	f, err := os.Open(fpath)
 diff --git tsdb/chunks/chunks.go tsdb/chunks/chunks.go
-index 034106238..9d9606512 100644
+index 034106238..7e9366d2b 100644
 --- tsdb/chunks/chunks.go
 +++ tsdb/chunks/chunks.go
 @@ -280,7 +280,7 @@ func checkCRC32(data, sum []byte) error {
@@ -341,7 +341,7 @@ index 034106238..9d9606512 100644
  	}
  
  	// Write header metadata for new file.
-@@ -454,29 +445,35 @@ func cutSegmentFile(dirFile *os.File, magicNumber uint32, chunksFormat byte, all
+@@ -454,29 +445,38 @@ func cutSegmentFile(dirFile *os.File, magicNumber uint32, chunksFormat byte, all
  	binary.BigEndian.PutUint32(metab[:MagicChunksSize], magicNumber)
  	metab[4] = chunksFormat
  
@@ -350,10 +350,10 @@ index 034106238..9d9606512 100644
  	if err != nil {
 -		return 0, nil, 0, fmt.Errorf("write header: %w", err)
 +		return 0, nil, nil, 0, fmt.Errorf("write header: %w", err)
-+	}
+ 	}
 +	if err := mw.Close(); err != nil {
 +		return 0, nil, nil, 0, fmt.Errorf("close temp mmap: %w", err)
- 	}
++	}
 +	mw = nil
  	if err := f.Close(); err != nil {
 -		return 0, nil, 0, fmt.Errorf("close temp file: %w", err)
@@ -368,11 +368,14 @@ index 034106238..9d9606512 100644
  
 -	f, err = os.OpenFile(p, os.O_WRONLY, 0o666)
 +	f, err = os.OpenFile(p, os.O_RDWR, 0o666)
++	if err != nil {
++		return 0, nil, nil, 0, fmt.Errorf("open final file: %w", err)
++	}
++	mw, err = fileutil.NewMmapWriterWithSize(f, int(allocSize))
  	if err != nil {
 -		return 0, nil, 0, fmt.Errorf("open final file: %w", err)
-+		return 0, nil, nil, 0, fmt.Errorf("open final file: %w", err)
++		return 0, nil, nil, 0, fmt.Errorf("new writer for final file: %w", err)
  	}
-+	mw, err = fileutil.NewMmapWriterWithSize(f, int(allocSize))
 +
  	// Skip header for further writes.
  	offset := int64(n)
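Review bot: The added `new writer for final file` return exits with `f` already open on `p`, and nothing in this hunk closes it. Unless a deferred cleanup outside the hunk covers that path, add `f.Close()` before the `return` so a failed mmap setup does not leak the descriptor. Separately, `int(allocSize)` is a narrowing conversion if allocSize is a 64-bit value (its declaration is cut off in the hunk header), so on 32-bit architectures a bounds check before `fileutil.NewMmapWriterWithSize` would keep an oversized segment from wrapping into a wrong mapping length. cutSegmentFile starts and ends outside the hunk, so both points should be confirmed against the full function.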