From: Claudio Jeker
Subject: update prometheus to 3.5.2
To: ports@openbsd.org
Date: Wed, 15 Apr 2026 23:08:24 +0200

This dropped 2 days ago. Mostly a fix for CVE-2026-40179

This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.

[SECURITY] UI: Fix stored XSS via unescaped metric names and labels. CVE-2026-40179. #18507
[PERF] Regex: Stop calling Simplify. #17908

I started this on my system, no issues yet.

--
:wq Claudio

Index: Makefile
===================================================================
RCS file: /cvs/ports/sysutils/prometheus/Makefile,v
diff -u -p -r1.24 Makefile
--- Makefile 31 Mar 2026 13:42:05 -0000 1.24
+++ Makefile 15 Apr 2026 20:55:45 -0000
@@ -1,6 +1,6 @@
 COMMENT = systems monitoring and alerting toolkit
-V = 3.5.1
+V = 3.5.2
 GH_ACCOUNT = prometheus
 GH_PROJECT = prometheus
 GH_TAGNAME = v${V}
Index: distinfo
===================================================================
RCS file: /cvs/ports/sysutils/prometheus/distinfo,v
diff -u -p -r1.13 distinfo
--- distinfo 31 Mar 2026 13:42:05 -0000 1.13
+++ distinfo 15 Apr 2026 20:55:54 -0000
@@ -1,6 +1,6 @@
-SHA256 (prometheus-3.5.1.tar.gz) = rdZ3162GT87UPBS6CNooIT7+ibHje6WSnu9D1bgvaS8=
-SHA256 (prometheus-vendor-3.5.1.tar.gz) = PJNjvT2VG1mq5hBfAYw/yf6eufDcqoVYH2if9F4cHpE=
-SHA256 (prometheus-web-ui-3.5.1.tar.gz) = 1Cvm4TYLCadGMAKBj6uviDRzawIm6S7guO0SUQwIsgY=
-SIZE (prometheus-3.5.1.tar.gz) = 5129927
-SIZE (prometheus-vendor-3.5.1.tar.gz) = 16513716
-SIZE (prometheus-web-ui-3.5.1.tar.gz) = 3487629
+SHA256 (prometheus-3.5.2.tar.gz) = 7cqtsJsdz1UEtiZ221PIiHRcNC7yevaay9mdWtvHnDM=
+SHA256 (prometheus-vendor-3.5.2.tar.gz) = C3Rv+cViXG+m58PRq4BZAVh0Nv0b5Hz4gmcZQu0zJSY=
+SHA256 (prometheus-web-ui-3.5.2.tar.gz) = I3ow9YQyFs+RHETURVRND9aoZvOb73PmfA5MpaJfVqU=
+SIZE (prometheus-3.5.2.tar.gz) = 5129100
+SIZE (prometheus-vendor-3.5.2.tar.gz) = 16689071
+SIZE (prometheus-web-ui-3.5.2.tar.gz) = 3490735
Index: patches/patch-mmap_openbsd
===================================================================
RCS file: /cvs/ports/sysutils/prometheus/patches/patch-mmap_openbsd,v
diff -u -p -r1.4 patch-mmap_openbsd
--- patches/patch-mmap_openbsd 31 Mar 2026 13:42:05 -0000 1.4
+++ patches/patch-mmap_openbsd 15 Apr 2026 20:53:00 -0000
@@ -4,7 +4,7 @@ and https://github.com/prometheus/promet
 to make tsdb only use mmap and work around missing UBC support.
 diff --git go.mod go.mod
-index 7a27951ac..eee4405dd 100644
+index 00bc50070..5dec05223 100644
 --- go.mod
 +++ go.mod
 @@ -17,7 +17,6 @@ require (
@@ -12,11 +12,11 @@ index 7a27951ac..eee4405dd 100644
 github.com/digitalocean/godo v1.152.0
 github.com/docker/docker v28.5.2+incompatible
 - github.com/edsrzf/mmap-go v1.2.0
- github.com/envoyproxy/go-control-plane/envoy v1.32.4
- github.com/envoyproxy/protoc-gen-validate v1.2.1
+ github.com/envoyproxy/go-control-plane/envoy v1.36.0
+ github.com/envoyproxy/protoc-gen-validate v1.3.0
 github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb
 diff --git go.sum go.sum
-index 8ed834bcf..00ff455ac 100644
+index 301c10c76..c986e6e90 100644
 --- go.sum
 +++ go.sum
 @@ -122,8 +122,6 @@ github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKoh
@@ -27,7 +27,7 @@ index 8ed834bcf..00ff455ac 100644
 -github.com/edsrzf/mmap-go v1.2.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
- github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
+ github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
 diff --git promql/query_logger.go promql/query_logger.go
 index c0a70b66d..8aac517e2 100644
 --- promql/query_logger.go
@@ -230,7 +230,7 @@ index eb06e513e..ef2f85cfd 100644
 f, err := os.Open(fpath)
 diff --git tsdb/chunks/chunks.go tsdb/chunks/chunks.go
-index 034106238..9d9606512 100644
+index 034106238..7e9366d2b 100644
 --- tsdb/chunks/chunks.go
 +++ tsdb/chunks/chunks.go
 @@ -280,7 +280,7 @@ func checkCRC32(data, sum []byte) error {
@@ -341,7 +341,7 @@ index 034106238..9d9606512 100644
 }
 // Write header metadata for new file.
-@@ -454,29 +445,35 @@ func cutSegmentFile(dirFile *os.File, magicNumber uint32, chunksFormat byte, all
+@@ -454,29 +445,38 @@ func cutSegmentFile(dirFile *os.File, magicNumber uint32, chunksFormat byte, all
 binary.BigEndian.PutUint32(metab[:MagicChunksSize], magicNumber)
 metab[4] = chunksFormat
@@ -350,10 +350,10 @@ index 034106238..9d9606512 100644
 if err != nil {
 - return 0, nil, 0, fmt.Errorf("write header: %w", err)
 + return 0, nil, nil, 0, fmt.Errorf("write header: %w", err)
-+ }
+ }
 + if err := mw.Close(); err != nil {
 + return 0, nil, nil, 0, fmt.Errorf("close temp mmap: %w", err)
- }
++ }
+ mw = nil
 if err := f.Close(); err != nil {
 - return 0, nil, 0, fmt.Errorf("close temp file: %w", err)
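Review bot: On the new side of the inner patch, a failing `mw.Close()` returns from `cutSegmentFile` with the temp file `f` still open, while the success path goes on to `f.Close()`; the upstream `write header` return just above has the same shape, so this only matters if no deferred cleanup closes `f`, and that defer, like the rest of the function, lies outside this hunk. The added `mw = nil` after the successful close presumably exists so such a defer does not close the mapping twice; if that defer does not also cover `f`, the branch should read `if err := mw.Close(); err != nil { _ = f.Close(); return 0, nil, nil, 0, fmt.Errorf("close temp mmap: %w", err) }`. Either way, a one-line comment on `mw = nil`, e.g. `// mapping already closed; keep the deferred cleanup from closing it again — confirm against the defer`, would spare the next port maintainer re-deriving the intent when rebasing this patch.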
@@ -368,11 +368,14 @@ index 034106238..9d9606512 100644
 - f, err = os.OpenFile(p, os.O_WRONLY, 0o666)
 + f, err = os.OpenFile(p, os.O_RDWR, 0o666)
++ if err != nil {
++ return 0, nil, nil, 0, fmt.Errorf("open final file: %w", err)
++ }
++ mw, err = fileutil.NewMmapWriterWithSize(f, int(allocSize))
 if err != nil {
 - return 0, nil, 0, fmt.Errorf("open final file: %w", err)
-+ return 0, nil, nil, 0, fmt.Errorf("open final file: %w", err)
++ return 0, nil, nil, 0, fmt.Errorf("new writer for final file: %w", err)
 }
-+ mw, err = fileutil.NewMmapWriterWithSize(f, int(allocSize))
 + // Skip header for further writes.
 offset := int64(n)