Prometheus now offers a distroless Docker image variant alongside the default busybox image. The distroless variant provides enhanced security with a minimal base image, uses UID/GID 65532 (nonroot) instead of nobody, and removes the VOLUME declaration. Both variants are available with -busybox and -distroless tag suffixes (e.g., prom/prometheus:latest-busybox, prom/prometheus:latest-distroless). The busybox image remains the default with no suffix for backwards compatibility (e.g., prom/prometheus:latest points to the busybox variant).

For users migrating existing named volumes from the busybox image to the distroless variant, the ownership can be adjusted with:

docker run --rm -v prometheus-data:/prometheus alpine chown -R 65532:65532 /prometheus

Then, the container can be started with the old volume with:

docker run -v prometheus-data:/prometheus prom/prometheus:latest-distroless

User migrating from bind mounts might need to ajust permissions too, depending on their setup.

• [CHANGE] Alerting: Add alertmanager dimension to following metrics: prometheus_notifications_dropped_total, prometheus_notifications_queue_capacity, prometheus_notifications_queue_length. #16355
• [CHANGE] UI: Hide expanded alert annotations by default, enabling more information density on the /alerts page. #17611
• [FEATURE] AWS SD: Add MSK Role. #17600
• [FEATURE] PromQL: Add fill() / fill_left() / fill_right() binop modifiers for specifying default values for missing series. #17644
• [FEATURE] Web: Add OpenAPI 3.2 specification for the HTTP API at /api/v1/openapi.yaml. #17825
• [FEATURE] Dockerfile: Add distroless image variant using UID/GID 65532 and no VOLUME declaration. Busybox image remains default. #17876
• [FEATURE] Web: Add on-demand wall time profiling under <URL>/debug/pprof/fgprof. #18027
• [ENHANCEMENT] PromQL: Add more detail to histogram quantile monotonicity info annotations. #15578
• [ENHANCEMENT] Alerting: Independent alertmanager sendloops. #16355
• [ENHANCEMENT] TSDB: Experimental support for early compaction of stale series in the memory with configurable threshold stale_series_compaction_threshold in the config file. #16929
• [ENHANCEMENT] Service Discovery: Service discoveries are now removable from the Prometheus binary through the Go build tag remove_all_sd and individual service discoveries can be re-added with the build tags enable_<sd name>_sd. Users can build a custom Prometheus with only the necessary SDs for a smaller binary size. #17736
• [ENHANCEMENT] Promtool: Support promql syntax features promql-duration-expr and promql-extended-range-selectors. #17926
• [PERF] PromQL: Avoid unnecessary label extraction in PromQL functions. #17676
• [PERF] PromQL: Improve performance of regex matchers like .*-.*-.*. #17707
• [PERF] OTLP: Add label caching for OTLP-to-Prometheus conversion to reduce allocations and improve latency. #17860
• [PERF] API: Compute /api/v1/targets/relabel_steps in a single pass instead of re-running relabeling for each prefix. #17969
• [PERF] tsdb: Optimize LabelValues intersection performance for matchers. #18069
• [BUGFIX] PromQL: Prevent query strings containing only UTF-8 continuation bytes from crashing Prometheus. #17735
• [BUGFIX] Web: Fix missing X-Prometheus-Stopping header for /-/ready endpoint in NotReady state. #17795
• [BUGFIX] PromQL: Fix PromQL info() function returning empty results when filtering by a label that exists on both the input metric and target_info. #17817
• [BUGFIX] TSDB: Fix a bug during exemplar buffer grow/shrink that could cause exemplars to be incorrectly discarded. #17863
• [BUGFIX] UI: Fix broken graph display after page reload, due to broken Y axis min encoding/decoding. #17869
• [BUGFIX] TSDB: Fix memory leaks in buffer pools by clearing reference fields (Labels, Histogram pointers, metadata strings) before returning buffers to pools. #17879
• [BUGFIX] PromQL: info function: fix series without identifying labels not being returned. #17898
• [BUGFIX] OTLP: Filter __name__ from OTLP attributes to prevent duplicate labels. #17917
• [BUGFIX] TSDB: Fix division by zero when computing stale series ratio with empty head. #17952
• [BUGFIX] OTLP: Fix potential silent data loss for sum metrics. #17954
• [BUGFIX] PromQL: Fix smoothed interpolation across counter resets. #17988
• [BUGFIX] PromQL: Fix panic with @ modifier on empty ranges. #18020
• [BUGFIX] PromQL: Fix avg_over_time for a single native histogram. #18058

• Documentation
• Commit Log
• Maintenance Policy
• Release Policy
• Release Schedule
• Changelog: RC1 RC2

Special thanks to the following individuals for their excellent contributions:

• @mmoayyed
• @leleuj
• @ilgrosso
• @marcinroman
• @liujed

Cherry-picked changes

Cherry-picked changes

https://fluentbit.io/announcements/v4.2.3.1/

Full Changelog: https://github.com/fluent/fluent-bit/compare/v4.2.3...v4.2.3.1

Apache Superset is a modern, enterprise-ready business intelligence web application

Release 2.4.0.Beta1 Fixes CVE-2024-3884 CVE-2024-4027 CVE-2025-12543 Full list of Jiras: view in Jira

    Release Notes - Undertow - Version 2.4.0.Beta1

• [UNDERTOW-2464] - Create a default constant for UndertowOptions.DECODE_URL
• [UNDERTOW-2465] - Fix UndertowOptions.URL_CHARSET Javadoc
• [UNDERTOW-2466] - Create a default constant for UndertowOptions.ALWAYS_SET_KEEP_ALIVE
• [UNDERTOW-2467] - Create a default constant for UndertowOptions.ALWAYS_SET_DATE
• [UNDERTOW-2484] - Create a default constant for UndertowOptions.HTTP2_PADDING_SIZE
• [UNDERTOW-2491] - Create a default constant for UndertowOptions.SSL_USER_CIPHER_SUITES_ORDER
• [UNDERTOW-2492] - Create a default constant for UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL
• [UNDERTOW-2494] - Create a default constant for UndertowOptions.QUEUED_FRAMES_HIGH_WATER_MARK
• [UNDERTOW-2495] - Create a default constant for UndertowOptions.QUEUED_FRAMES_LOW_WATER_MARK

• [UNDERTOW-1881] - Add a new exchange attribute for SSL/TLS protocol version
• [UNDERTOW-2010] - Provide method to invalidate all paths in CachingResourceManager
• [UNDERTOW-2242] - Add UndertowOptions.ALLOW_ID_LESS_MATRIX_PARAMETERS
• [UNDERTOW-2319] - Move io.undertow.multipart.minsize property to UndertowOptions
• [UNDERTOW-2553] - Add rewriteHostHeader to ModCluster
• [UNDERTOW-2580] - Support SameSite and custom cookie attributes
• [UNDERTOW-2696] - Allow PathHandler to check for registered prefixes
• [UNDERTOW-2706] - Add UndertowOptions_WEB_SOCKETS_READ_TIMEOUT

• [UNDERTOW-1794] - DefaultAccessLogReceiver violates Closeable contract
• [UNDERTOW-2157] - UndertowOutputStream.transferFrom appears to have a broken signature
• [UNDERTOW-2194] - Cookie parsing/assembling does not work 100% correctly.
• [UNDERTOW-2269] - Encode Query string on forward/include and properly handle merging
• [UNDERTOW-2377] - CVE-2024-3884 CVE-2024-4027 OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded
• [UNDERTOW-2421] - ServletSessionConfig is missing support for arbitrary cookie attributes
• [UNDERTOW-2582] - ServerWebSocketContainer keeps reference to CLs
• [UNDERTOW-2588] - Undertow response can still break in case of Java 17 TLSv1.3 NewSessionTicket
• [UNDERTOW-2590] - Support "rspauth" in Digest auth header
• [UNDERTOW-2605] - FixedLengthStreamSourceConduit does not clean up ReadTimeoutStreamSourceConduit after an exact Content-Length read
• [UNDERTOW-2609] - Previous fixes in the handling of decoded characters in query requests reflect in getQueryString of APIs
• [UNDERTOW-2656] - CVE-2025-12543 Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF
• [UNDERTOW-2662] - Quoted cookie versions cannot be parsed correctly
• [UNDERTOW-2674] - Wrong codes sent on WebSocket connection close
• [UNDERTOW-2676] - Do not set merged query parameters for includes and forwards on the exchange, only the request
• [UNDERTOW-2677] - MultipartParserDefinition overrides max entity size already set and configured from other sources
• [UNDERTOW-2686] - HttpSession.Accessor can throw ISE if session identifier has since changed
• [UNDERTOW-2710] - Some pom.xml files reference the removed undertow-servlet and undertow-websockets-jsr modules

• [UNDERTOW-2103] - Enable open ssl building in CI
• [UNDERTOW-2684] - Add SessionManager.isDistributed()

• [UNDERTOW-2690] - Update MULTIPART_MAX_ENTITY_SIZE javadoc to reflect current default behavior

• [UNDERTOW-2644] - Upgrade wildfly openssl to 2.2.5.Final

• [UNDERTOW-2231] - Test Flakiness occurs for io.undertow.server.handlers.proxy.LoadBalancingProxyTestCase#testLoadSharedWithServerShutdown
• [UNDERTOW-2335] - Add an example of the PredicatesHandler and specifically the predicate handler parser

• Update netty to 4.2.10.Final by @gavinbunney in https://github.com/Netflix/zuul/pull/2073

Full Changelog: https://github.com/Netflix/zuul/compare/v3.3.8...v3.3.9