SUSE-SU-2026:2241-1

Published: 03 Jun 2026
Source: suse-cvrf

Description

Security update 5.0.8 for Multi-Linux Manager Client Tools

This update fixes the following issues:

prometheus-postgres_exporter:

  • Security Fixes:

    • CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248699)

golang-github-QubitProducts-exporter_exporter:

  • Security Fixes:

    • CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248707)

golang-github-prometheus-node_exporter:

  • Highlights of changes and bug fixes:

    • Packaging changes:

      • Pinned golang.org/x/net to v0.37.0 for Go 1.22 compatibility
    • Version 1.10.2:

      • Fixed typo in Zswap metric name (meminfo)
    • Version 1.10.1:

      • Fixed mount points being collected multiple times (filesystem)
      • Refactored mountinfo parsing (bsc#1261810)
      • Added Zswap/Zswapped metrics (meminfo)
    • Version 1.10.0:

      • New collectors: PCIe devices, swaps
      • Added systemd virtualization metrics, AIX metrics
      • WiFi packet metrics, additional PCIe and TLB metrics
      • Changed mdadm to use sysfs, added erofs to excluded filesystems
      • Fixed bugs: cpufreq collector, ethtool metrics

spacecmd:

  • Version 5.0.16-0:

    • Update translation strings

uyuni-tools:

  • Version 0.1.39-0:

    • mgrpxy ssh tuning should happen before crypto policies (bsc#1254619)
    • Fix default value for helm registry (bsc#1258927)
    • Use static supportconfig name to avoid dynamic search (bsc#1257941)
    • Do not nest multiple tarball files and instead collect all files into one tarball (bsc#1252964)
    • Show where final tarball was generated (bsc#1259208)

Package list

SUSE Linux Enterprise Server 12 SP5-LTSS
golang-github-prometheus-node_exporter-1.10.2-1.42.3
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
golang-github-prometheus-node_exporter-1.10.2-1.42.3
SUSE Manager Client Tools 12
golang-github-QubitProducts-exporter_exporter-0.4.0-1.18.1
golang-github-prometheus-node_exporter-1.10.2-1.42.3
mgrctl-0.1.39-1.33.2
mgrctl-bash-completion-0.1.39-1.33.2
mgrctl-zsh-completion-0.1.39-1.33.2
prometheus-postgres_exporter-0.10.1-1.20.1
spacecmd-5.0.16-38.168.2

Description

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.
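
One of the workarounds listed above, filtering methods ahead of the instrumented handler, sketched with the Go standard library only. This is an added example, not code from client_golang or from the SUSE packages; `FilterMethods`, `methodCounter`, `SeriesAfter` and the allow-list are assumptions, and `methodCounter` is a stand-in for a counter that carries a `method` label.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowed is the assumed set of methods this service actually serves.
var allowed = map[string]bool{"GET": true, "HEAD": true, "POST": true}

// FilterMethods rejects methods outside the allow-list ahead of instrumentation.
func FilterMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// methodCounter is a hypothetical stand-in for a counter with a `method` label.
type methodCounter map[string]int

func (c methodCounter) instrument(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c[r.Method]++ // one map entry (one time series) per distinct method
		next.ServeHTTP(w, r)
	})
}

// SeriesAfter replays methods through the chain and returns the series count.
func SeriesAfter(filter bool, methods []string) int {
	c := methodCounter{}
	h := c.instrument(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	if filter {
		h = FilterMethods(h) // filter wraps the instrumented handler, so it runs first
	}
	for _, m := range methods {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(m, "/metrics", nil))
	}
	return len(c)
}

func main() {
	sample := []string{"GET", "QWERTY1", "QWERTY2", "QWERTY3"} // constructed input
	fmt.Println(SeriesAfter(false, sample), SeriesAfter(true, sample))
}
```

Without the filter every distinct method string creates its own series; with it, the series count is bounded by the size of the allow-list.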


Affected products
SUSE Linux Enterprise Server 12 SP5-LTSS:golang-github-prometheus-node_exporter-1.10.2-1.42.3
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:golang-github-prometheus-node_exporter-1.10.2-1.42.3
SUSE Manager Client Tools 12:golang-github-QubitProducts-exporter_exporter-0.4.0-1.18.1
SUSE Manager Client Tools 12:golang-github-prometheus-node_exporter-1.10.2-1.42.3

References