SUSE-SU-2025:01990-1

Published: 18 Jun 2025
Source: suse-cvrf

Description

Security update for golang-github-prometheus-prometheus

This update for golang-github-prometheus-prometheus fixes the following issues:

  • Security issues fixed:
    • CVE-2023-45288: Require Go >= 1.23 for building (bsc#1236516)
    • CVE-2025-22870: Bump golang.org/x/net to version 0.39.0 (bsc#1238686)
  • Version was updated to 2.53.4 with the following bug fixes:
    • Runtime: fix GOGC being set to 0 when installed with an empty prometheus.yml file, resulting in high CPU usage
    • Scrape: fix dropping valid metrics after a previous scrape failed

Package list

SUSE Linux Enterprise Module for Package Hub 15 SP6
golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
SUSE Linux Enterprise Module for Package Hub 15 SP7
golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
SUSE Manager Proxy Module 4.3
golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
openSUSE Leap 15.6
firewalld-prometheus-config-0.1-150100.4.26.2
golang-github-prometheus-prometheus-2.53.4-150100.4.26.2

Description (CVE-2023-45288)

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.


Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP6:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
SUSE Manager Proxy Module 4.3:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
openSUSE Leap 15.6:firewalld-prometheus-config-0.1-150100.4.26.2

Description (CVE-2025-22870)

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
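The matching flaw described above, shown as an added example (constructed for this page, not code from golang.org/x/net or from the Prometheus package): a simplified NO_PROXY matcher that suffix-matches the raw host, beside a hardened variant that recognises IP literals first, drops the zone ID after `%` (URL-encoded as `%25`) and only ever compares them against IP or CIDR patterns. The helper `hostOf` and both match functions are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostOf strips the port and IPv6 brackets (hypothetical helper, constructed for this example).
func hostOf(hostport string) string {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		host = hostport
	}
	return strings.Trim(host, "[]")
}

// naiveNoProxyMatch reproduces the flawed logic in the advisory: the host is suffix-matched as a
// hostname, so an IPv6 zone ID ending in ".example.com" is mistaken for a hostname component.
func naiveNoProxyMatch(hostport, pattern string) bool {
	host := hostOf(hostport)
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return strings.EqualFold(host, pattern)
}

// hardenedNoProxyMatch first decides whether the host is an IP literal (dropping the zone ID after
// '%', written %25 in URLs). IP literals are compared only against IP or CIDR patterns, never against
// hostname wildcards, so the zone ID can no longer satisfy "*.example.com".
func hardenedNoProxyMatch(hostport, pattern string) bool {
	host := hostOf(hostport)
	addr, _, _ := strings.Cut(host, "%") // the zone ID is scope information, not part of the address
	if ip := net.ParseIP(addr); ip != nil {
		if _, cidr, err := net.ParseCIDR(pattern); err == nil {
			return cidr.Contains(ip)
		}
		return ip.Equal(net.ParseIP(pattern)) // a non-IP pattern parses to nil and never matches
	}
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:])
	}
	return strings.EqualFold(host, pattern)
}

func main() {
	target, pattern := "[::1%25.example.com]:80", "*.example.com" // constructed request target
	fmt.Println("naive:", naiveNoProxyMatch(target, pattern), "hardened:", hardenedNoProxyMatch(target, pattern))
}
```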


Affected products
SUSE Linux Enterprise Module for Package Hub 15 SP6:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
SUSE Linux Enterprise Module for Package Hub 15 SP7:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
SUSE Manager Proxy Module 4.3:golang-github-prometheus-prometheus-2.53.4-150100.4.26.2
openSUSE Leap 15.6:firewalld-prometheus-config-0.1-150100.4.26.2

References
Vulnerability SUSE-SU-2025:01990-1