
Upgrade Prometheus container to v3.11.2 on demo server #24

@josecelano

Summary

The demo server is running prom/prometheus:v3.5.1, which contains 2 CRITICAL
CVEs in its upstream binary dependencies. The fix is available in
prom/prometheus:v3.11.2 (released 2026-04-13), which eliminates all CRITICAL
vulnerabilities.

torrust/torrust-tracker-deployer PR #454
updates the deployer's default Prometheus image to v3.11.2 for future deployments,
but the already-running demo server must be updated separately by pulling the new
image and restarting the container.

Background — CVE analysis

Scanned with Trivy 0.69.3 (DB updated 2026-04-14).

Version   HIGH   CRITICAL
v3.5.0    16     4
v3.5.1    6      2
v3.11.2   4      0

Remaining CVEs in v3.11.2 (all HIGH, no remote attack path)

CVE              Library            Fixed in   Notes
CVE-2026-32285   buger/jsonparser   1.1.2      DoS via malformed JSON; internal use only
CVE-2026-34040   moby/docker        29.3.1     Auth bypass; Docker-client code path
CVE-2026-39883   otel/sdk           1.43.0     Local PATH hijack; no remote path

No OS layer — pure Go binaries, no Alpine/Debian base. All remaining HIGH findings
are in upstream Prometheus binary dependencies with no remote attack path.

Steps to upgrade on the demo server

SSH into the demo server and run:

cd /opt/torrust
docker compose pull prometheus
docker compose up -d prometheus
docker compose ps prometheus

Verify the new version:

docker inspect prometheus --format '{{.Config.Image}}'
# Expected: prom/prometheus:v3.11.2

Check Prometheus is healthy:

curl -s http://localhost:9090/-/healthy
# Expected: Prometheus Server is Healthy.
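As an added example (not part of the original issue or the deployer project), the steps above folded into one POSIX shell script that refuses to declare success unless the container really runs the expected tag and Prometheus reports healthy afterwards. The compose directory, image tag and health endpoint are taken from the issue; the function names, the `PROM_UPGRADE_RUN` switch, the optional Trivy gate and the retry loop are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the issue author's or the project's own script.
# Wraps the manual upgrade steps so that a wrong image tag or an unhealthy
# server after the restart fails the run instead of being missed.
set -eu

EXPECTED_IMAGE="prom/prometheus:v3.11.2"        # from the issue
COMPOSE_DIR="/opt/torrust"                      # from the issue
HEALTH_URL="http://localhost:9090/-/healthy"    # from the issue

# Compare the image reported by `docker inspect` with the expected tag.
# Takes the inspect output as $1 so it can be tested without a Docker daemon.
image_matches() {
    [ "$1" = "$EXPECTED_IMAGE" ]
}

# Prometheus answers /-/healthy with "Prometheus Server is Healthy." (HTTP 200).
# Returns 0 only if the response body is exactly that line.
body_is_healthy() {
    [ "$1" = "Prometheus Server is Healthy." ]
}

upgrade_prometheus() {
    cd "$COMPOSE_DIR"
    docker compose pull prometheus

    # Optional gate (assumption of this example): if Trivy is installed, abort
    # before restarting when the pulled image still has CRITICAL findings.
    if command -v trivy >/dev/null 2>&1; then
        trivy image --severity CRITICAL --exit-code 1 "$EXPECTED_IMAGE"
    fi

    docker compose up -d prometheus
    docker compose ps prometheus

    actual=$(docker inspect prometheus --format '{{.Config.Image}}')
    if ! image_matches "$actual"; then
        echo "ERROR: container runs $actual, expected $EXPECTED_IMAGE" >&2
        return 1
    fi

    # Give the server a few seconds to come up before checking health.
    i=0
    while [ "$i" -lt 10 ]; do
        body=$(curl -s "$HEALTH_URL" || true)
        if body_is_healthy "$body"; then
            echo "OK: $actual is healthy"
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "ERROR: Prometheus did not report healthy after the upgrade" >&2
    return 1
}

# Only touch Docker when explicitly asked (PROM_UPGRADE_RUN=1), so the helper
# functions can be sourced and tested on a machine without the demo stack.
if [ "${PROM_UPGRADE_RUN:-}" = "1" ]; then
    upgrade_prometheus
fi
```

Run it on the demo server with `PROM_UPGRADE_RUN=1 sh upgrade-prometheus.sh`; a non-zero exit means either the tag or the health check did not match, and `docker compose ps prometheus` output above it shows which step to look at.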

References
