Bug 255976

Summary: net-mgmt/prometheus2: Update to 2.27.1
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Reporter: David O'Rourke <dor.bsd>
Assignee: Guangyuan Yang <ygy>
CC: lwhsu, nc, ygy
Keywords: security
Flags: ygy: maintainer-feedback+, ygy: merge-quarterly-
URL: https://github.com/prometheus/prometheus/releases
Bug Depends on: 256324    
Bug Blocks:    
Attachments:
Description Flags
net-mgmt/prometheus2: Update to 2.27.1
dor.bsd: maintainer-approval+
net-mgmt/prometheus2: Update to 2.27.1
dor.bsd: maintainer-approval+
net-mgmt/prometheus2: Update to 2.27.1
dor.bsd: maintainer-approval+

Description David O'Rourke 2021-05-18 16:31:44 UTC
Created attachment 225069 [details]
net-mgmt/prometheus2: Update to 2.27.1

This patch updates net-mgmt/prometheus2 to v2.27.1, and fixes one security vulnerability along with the usual feature enhancements and bug fixes.

The security vulnerability fixed is:

  - CVE-2021-29622: Fix arbitrary redirects under the /new endpoint

A full changelog can be found at https://github.com/prometheus/prometheus/releases/tag/v2.27.0 and https://github.com/prometheus/prometheus/releases/tag/v2.27.1

-David
Comment 1 Neel Chauhan freebsd_committer freebsd_triage 2021-05-18 16:37:10 UTC
For a security update, you will need to make an entry in security/vuxml.

Information on this can be seen here: https://docs.freebsd.org/en/books/porters-handbook/security/#security-notify
Comment 2 David O'Rourke 2021-05-20 21:06:48 UTC
Apologies for not adding a VuXML entry yet, but I'm currently away. I hope to take care of this before next week.

-David
Comment 3 David O'Rourke 2021-05-24 20:58:41 UTC
Created attachment 225237 [details]
net-mgmt/prometheus2: Update to 2.27.1

Updated diff with VuXML database entry.
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-06-01 03:04:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6890a3c0b215c66ee4ac27745dc8caee73dda7f8

commit 6890a3c0b215c66ee4ac27745dc8caee73dda7f8
Author:     David O'Rourke <dor.bsd@xm0.uk>
AuthorDate: 2021-06-01 03:02:51 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2021-06-01 03:02:51 +0000

    security/vuxml: Document vulnerability in net-mgmt/prometheus2

    PR:             255976
    Security:       CVE-2021-29622
    Approved by:    lwhsu (mentor)

 security/vuxml/vuln.xml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
Comment 5 Guangyuan Yang freebsd_committer freebsd_triage 2021-06-01 06:25:08 UTC
(In reply to David O'Rourke from comment #3)

Thanks for the patch! I have committed the vuxml part.

I noticed that you host assets on

https://github.com/ports-assets/net-mgmt_prometheus2/releases

and it seems like you skipped v2.26.1. From my understanding, v2.26.1 and v2.27.1 both contain the said bug fix, so IMO v2.26.1 should be the version that we MFH to 2021Q2. I have opened a separate PR https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256324, could you please provide a patch for v2.26.1 there?
Comment 6 David O'Rourke 2021-06-01 08:27:01 UTC
That sounds fair enough. I'll get the v2.26.1 assets committed and get another patch over into the bug you listed.
Comment 7 Guangyuan Yang freebsd_committer freebsd_triage 2021-06-02 02:38:12 UTC
(In reply to David O'Rourke from comment #6)

Thank you, that would be great. Once the other PR closes, we can safely update it to 2.27.1 and close it here.
Comment 8 Guangyuan Yang freebsd_committer freebsd_triage 2021-06-03 10:28:36 UTC
(In reply to David O'Rourke from comment #6)

Now that 2.26.1 is committed, please update the patch against the current HEAD. Thanks!
Comment 9 David O'Rourke 2021-06-03 12:32:05 UTC
Created attachment 225524 [details]
net-mgmt/prometheus2: Update to 2.27.1

Rebases patch against current ports HEAD, and removes the VuXML entry which was committed elsewhere.
Comment 10 commit-hook freebsd_committer freebsd_triage 2021-06-03 12:58:02 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9a67d7de4d74bd2e9a06dfd429c94113f683824b

commit 9a67d7de4d74bd2e9a06dfd429c94113f683824b
Author:     David O'Rourke <dor.bsd@xm0.uk>
AuthorDate: 2021-06-03 12:57:03 +0000
Commit:     Guangyuan Yang <ygy@FreeBSD.org>
CommitDate: 2021-06-03 12:57:03 +0000

    net-mgmt/prometheus2: Update to 2.27.1

    PR:             255976
    Submitted by:   David O'Rourke <dor.bsd@xm0.uk> (maintainer)
    Approved by:    lwhsu (mentor, implicit)

 net-mgmt/prometheus2/Makefile         |   2 +-
 net-mgmt/prometheus2/Makefile.modules |  64 ++++++++--------
 net-mgmt/prometheus2/distinfo         | 138 +++++++++++++++++-----------------
 3 files changed, 102 insertions(+), 102 deletions(-)
Comment 11 Guangyuan Yang freebsd_committer freebsd_triage 2021-06-03 12:58:26 UTC
All committed, thanks again for the changes David!