Description
Security update for Prometheus
This update for Prometheus fixes the following issues:
golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter:
- Internal changes to fix build issues with no impact for customers
golang-github-prometheus-prometheus:
Security issues fixed:
- CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
- CVE-2026-25547: Fixed unbounded brace range expansion leading to excessive CPU and memory consumption (bsc#1257841)
- CVE-2026-1615, CVE-2025-61140: The old web UI is no longer built due to security issues (bsc#1257897, bsc#1257442)
- CVE-2025-13465: Bump lodash package to version 4.17.23 to fix prototype pollution vulnerability (bsc#1257329)
- CVE-2025-12816: Fixed an interpretation-conflict vulnerability that allowed cryptographic verifications to be bypassed (bsc#1255588)
Version update from 2.53.4 to 3.5.0 with the following highlighted changes (jsc#PED-13824):
- Modernized Interface: Introduced a brand-new UI
- Enhanced Cloud and Auth: Added unified AWS service discovery (EC2, ECS, Lightsail) and Azure Workload Identity support for more secure, native cloud authentication.
- Performance Standards: Fully integrated OpenTelemetry (OTLP) ingestion and moved Native Histograms from experimental to a stable feature.
- Advanced Data Export: Rolled out Remote Write 2.0, offering better performance and metadata handling when sending data to external systems.
- Query Power: Added new PromQL functions (like first_over_time and last_over_time) and optimization for grouping operations.
- Better Visibility: The UI now displays detailed relabeling steps, scrape intervals, and timeouts, making it easier to troubleshoot why targets aren't reporting correctly.
- Critical Fixes: Resolved significant memory leaks related to query logging and fixed bugs where targets were accidentally being scraped multiple times.
Package list
Container suse/manager/5.0/x86_64/server:latest
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
SUSE Linux Enterprise Module for Basesystem 15 SP7
SUSE Linux Enterprise Module for Package Hub 15 SP7
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP5-LTSS
SUSE Linux Enterprise Server 15 SP6-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE Manager Client Tools 15
SUSE Manager Client Tools for SLE Micro 5
openSUSE Leap 15.6
References
- Link for SUSE-SU-2026:1008-1
- E-Mail link for SUSE-SU-2026:1008-1
- SUSE Security Ratings
- SUSE Bug 1255588
- SUSE Bug 1257329
- SUSE Bug 1257442
- SUSE Bug 1257841
- SUSE Bug 1257897
- SUSE CVE CVE-2025-12816 page
- SUSE CVE CVE-2025-13465 page
- SUSE CVE CVE-2025-61140 page
- SUSE CVE CVE-2026-1615 page
- SUSE CVE CVE-2026-25547 page
Description
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Affected products
References
- CVE-2025-12816
- SUSE Bug 1255584
Description
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
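The deletion path is the attacker-controlled input in the lodash issue above: a segment such as `__proto__` or `constructor` lets a path-based delete walk out of the target object and into a shared prototype, which is why a prototype method can disappear for every object in the process. The following is an added example, not lodash's code or the 4.17.23 patch, showing the check a caller can apply before handing any untrusted path to `_.unset`/`_.omit` (or to a home-grown equivalent): tokenize the path, refuse the prototype-reaching segments, and descend only through own properties. `FORBIDDEN_KEYS`, `toPathSegments`, `isSafePath`, `safeUnset` and `prototypeSurvivesHostilePath` are names chosen for this example, and the tokenizer is deliberately simplified (quoted keys that themselves contain `.`, `[` or `]` are not supported).

```javascript
// Property names that make a path climb out of the target object and into a
// shared prototype. A user-supplied path must never contain any of them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a lodash-style path ("a.b[0]['c']") into plain string segments.
// Simplified tokenizer (example only): quoted keys containing '.', '[' or ']'
// are not supported.
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).match(/[^.[\]"']+/g) || [];
}

// True when no segment of the path names a prototype-reaching key.
function isSafePath(path) {
  return toPathSegments(path).every((segment) => !FORBIDDEN_KEYS.has(segment));
}

// True when `holder` is an object that carries `key` as an own property, so the
// walk never follows an inherited property onto a prototype.
function isOwnObjectProperty(holder, key) {
  return holder !== null && typeof holder === 'object'
    && Object.prototype.hasOwnProperty.call(holder, key);
}

// Delete the property at `path` on `obj`. Unsafe or empty paths are refused
// before anything is touched; the walk then follows own properties only.
// Returns true when a property was actually removed.
function safeUnset(obj, path) {
  const segments = toPathSegments(path);
  if (segments.length === 0 || !segments.every((s) => !FORBIDDEN_KEYS.has(s))) {
    throw new Error(`rejected unsafe or empty property path: ${JSON.stringify(path)}`);
  }
  let current = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (!isOwnObjectProperty(current, segments[i])) return false;
    current = current[segments[i]];
  }
  const last = segments[segments.length - 1];
  if (!isOwnObjectProperty(current, last)) return false;
  return delete current[last];
}

// Worked check: a path that tries to reach Object.prototype through a nested
// object is refused, and Object.prototype.toString survives intact.
function prototypeSurvivesHostilePath() {
  try {
    safeUnset({ profile: {} }, 'profile.__proto__.toString');
  } catch (_) {
    // expected: the path is rejected before the walk starts
  }
  return typeof Object.prototype.toString === 'function';
}
```

The same segment filter belongs in front of any other path-taking API that receives user input (`_.set`, `_.get` with defaults, `_.omit`), since the key set that matters is the same.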
Affected products
References
- CVE-2025-13465
- SUSE Bug 1257321
Description
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Affected products
References
- CVE-2025-61140
- SUSE Bug 1257442
Description
Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Affected products
References
- CVE-2026-1615
- SUSE Bug 1257897
Description
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
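The defensive idea behind the description above is to bound the work before doing it: the size of a numeric brace range follows from its endpoints and step, and the size of a whole pattern is the product of its ranges, so a caller can refuse a pattern before allocating a single output string instead of discovering the blow-up mid-expansion. The following is an added example, not code from @isaacs/brace-expansion or its 5.0.1 patch; it implements only numeric ranges of the form `{a..b}` and `{a..b..step}` (no comma lists or nesting), and `MAX_EXPANSIONS`, `RANGE_RE`, `rangeSize`, `countExpansions`, `expandBounded` and `expandAll` are names and a limit chosen for this example.

```javascript
// Upper bound on how many strings one pattern may expand to. Constructed
// example limit; a real service sizes it to its own CPU and memory budget.
const MAX_EXPANSIONS = 10000;

// Numeric brace range: {a..b} or {a..b..step}. Comma lists and nesting are
// deliberately out of scope for this example.
const RANGE_RE = /\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}/;

// Number of values a single range produces, computed without generating them.
function rangeSize(start, end, step) {
  const stride = Math.abs(step) || 1;           // a step of 0 is treated as 1
  return Math.floor(Math.abs(end - start) / stride) + 1;
}

// Total number of output strings for the whole pattern: the product of the
// sizes of its ranges. This is the cheap pre-check an eager expander lacks.
// Infinity signals a count too large to represent exactly.
function countExpansions(pattern) {
  let total = 1;
  for (const m of pattern.matchAll(new RegExp(RANGE_RE.source, 'g'))) {
    const step = m[3] === undefined ? 1 : Number(m[3]);
    total *= rangeSize(Number(m[1]), Number(m[2]), step);
    if (!Number.isFinite(total) || total > Number.MAX_SAFE_INTEGER) return Infinity;
  }
  return total;
}

// Expand only after the predicted output size has passed the limit check.
function expandBounded(pattern, limit = MAX_EXPANSIONS) {
  const n = countExpansions(pattern);
  if (n > limit) {
    throw new RangeError(`pattern would expand to ${n} strings; limit is ${limit}`);
  }
  return expandAll(pattern);
}

// Recursive expansion of the leftmost range. Safe to call only after the
// bound check, because its output size is exactly countExpansions(pattern).
function expandAll(pattern) {
  const m = RANGE_RE.exec(pattern);
  if (!m) return [pattern];
  const start = Number(m[1]);
  const end = Number(m[2]);
  const stride = m[3] === undefined ? 1 : Math.abs(Number(m[3])) || 1;
  const prefix = pattern.slice(0, m.index);
  const suffix = pattern.slice(m.index + m[0].length);
  const tails = expandAll(suffix);   // expand the rest of the pattern once
  const out = [];
  const direction = start <= end ? 1 : -1;
  for (let v = start; direction === 1 ? v <= end : v >= end; v += direction * stride) {
    for (const tail of tails) out.push(prefix + v + tail);
  }
  return out;
}
```

With this shape, a pattern such as `{1..1000}{1..1000}{1..1000}` is rejected by `countExpansions` after three multiplications, whereas an eager expander would attempt to build a billion strings.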
Affected products
References
- CVE-2026-25547
- SUSE Bug 1257834