SUSE-SU-2026:2243-1

Published: 03 Jun 2026
Source: suse-cvrf

Description

Security update 5.0.8 for Multi-Linux Manager Client Tools

This update fixes the following issues:

golang-github-QubitProducts-exporter_exporter:

  • Security Fixes:

    • CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248707)

golang-github-prometheus-node_exporter:

  • Backward Compatibility and packaging changes:

    • Added compatibility for Go 1.22/1.23 needed in older RHEL toolchains
    • Pinned golang.org/x/net to v0.37.0 for Go 1.22 compatibility
  • Version 1.10.2:

    • Fixed typo in Zswap metric name (meminfo)
  • Version 1.10.1:

    • Fixed mount points being collected multiple times (filesystem)
    • Refactored mountinfo parsing (bsc#1261810)
    • Added Zswap/Zswapped metrics (meminfo)
  • Version 1.10.0:

    • New collectors: PCIe devices, swaps
    • Added systemd virtualization metrics, AIX metrics
    • WiFi packet metrics, additional PCIe and TLB metrics
    • Changed mdadm to use sysfs, added erofs to excluded filesystems
    • Fixed bugs: cpufreq collector, ethtool metrics

golang-github-prometheus-prometheus:

  • Security issues fixed:

    • CVE-2026-42151: AzureAD remote write: Fixed OAuth client_secret being exposed in plaintext via /-/config endpoint (bsc#1263986)
    • CVE-2026-42154: Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit (bsc#1263987)
    • CVE-2026-40179: UI: Fixed stored XSS via unescaped le label values in old UI heatmap chart tick labels (bsc#1262222)
    • CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260267)
      • Bump google.golang.org/grpc to version 1.79.3
    • CVE-2026-27606: Fixed arbitrary file write via path traversal in rollup (bsc#1258893)
      • Bump rollup to version 4.59.0
  • Other changes:

    • Remote-Write: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit.
    • Use systemd tmpfiles.d to create /var/lib/prometheus hierarchy (jsc#PED-14816)

prometheus-postgres_exporter:

  • Security Fixes:

    • CVE-2026-42154: Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit (bsc#1263987)
    • CVE-2026-42151: AzureAD remote write: Fixed OAuth client_secret being exposed in plaintext via /-/config endpoint (bsc#1263986)
    • CVE-2022-21698: Fixed denial of service using InstrumentHandlerCounter (bsc#1248699)
  • Highlights of other changes and bug fixes:

    • Use systemd tmpfiles.d to create /var/lib/prometheus hierarchy

grafana was updated from version 11.6.11 to 11.6.14+security01:

  • Security Fixes:

    • CVE-2026-34986: Fixed unrecoverable error in JWE decryption that could lead to a denial of service (bsc#1262950)
    • CVE-2026-41602: Fixed Integer Overflow or Wraparound vulnerability in Apache Thrift (bsc#1263501)
    • CVE-2026-26958: Ensure that MultiScalarMult properly handles initialization and produces correct results (bsc#1258595)
    • CVE-2026-21725: Fixed missing UID when deleting datasource by name (bsc#1258873)
    • CVE-2026-33375: Fixed denial of service via out-of-memory exhaustion in MSSQL data source plugin (bsc#1260881)
    • CVE-2026-27876: Fixed remote arbitrary code execution via chained SQL Expressions (bsc#1261025)
    • CVE-2026-27877: Fixed information disclosure of data-source passwords via public dashboards (bsc#1261026)
    • CVE-2026-28375: Fixed denial of service via testdata data-source (bsc#1261029)
    • CVE-2026-27879: Fixed denial of service via resample query (bsc#1261027)
    • CVE-2026-33186: Fixed authorization bypass due to improper validation of the HTTP/2 :path pseudo-header (bsc#1260263)
    • CVE-2026-21724: Fixed authorization bypass allows modification of protected webhook URLs (bsc#1260878)
  • Highlights of other changes and bug fixes:

    • Version 11.6.13:

      • Wire the public dashboard service to the HTTP server
    • Version 11.6.12:

      • Update authentication redirect logic
      • Fixed single panel render with variable references

spacecmd:

  • Version 5.0.16-0:

    • Update translation strings

uyuni-tools:

  • Version 0.1.39-0:

    • mgrpxy ssh tuning should happen before crypto policies (bsc#1254619)
    • Fixed default value for helm registry (bsc#1258927)
    • Use static supportconfig name to avoid dynamic search (bsc#1257941)
    • Do not nest multiple tarball files and instead collect all files into one tarball (bsc#1252964)
    • Show where final tarball was generated (bsc#1259208)

Package list

Container suse/manager/5.0/x86_64/server:latest
golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Module for Basesystem 15 SP7
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Server 15 SP4-LTSS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Server 15 SP5-LTSS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Server 15 SP6-LTSS
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP5
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Linux Enterprise Server for SAP Applications 15 SP6
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
SUSE Manager Client Tools 15
firewalld-prometheus-config-0.1-150000.3.72.2
golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
golang-github-prometheus-prometheus-3.5.3-150000.3.72.2
grafana-11.6.14+security01-150000.1.95.2
mgrctl-0.1.39-150000.1.33.2
mgrctl-bash-completion-0.1.39-150000.1.33.2
mgrctl-lang-0.1.39-150000.1.33.2
mgrctl-zsh-completion-0.1.39-150000.1.33.2
prometheus-postgres_exporter-0.10.1-150000.1.20.2
spacecmd-5.0.16-150000.3.145.1
SUSE Manager Client Tools for SLE Micro 5
golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
mgrctl-0.1.39-150000.1.33.2
mgrctl-bash-completion-0.1.39-150000.1.33.2
mgrctl-lang-0.1.39-150000.1.33.2
mgrctl-zsh-completion-0.1.39-150000.1.33.2

Description

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, the instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with a `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
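As an added illustration (an editor's example, not code from client_golang, SUSE or the advisory), the following stdlib-only Go program models the cardinality problem and the sanitizing-middleware workaround the description names: a counter keyed by a `method` label, one handler that records `r.Method` verbatim and one that first folds the method onto a closed set. `SanitizeMethod`, `MethodCounter`, `Instrument` and `Simulate` are names chosen here; the real `promhttp` middleware and `CounterVec` are only stood in for.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// allowedMethods is the closed set of label values the middleware may emit.
// Anything outside it is folded into one "unknown" bucket, so the number of
// series keyed by "method" stays bounded no matter what clients send.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// SanitizeMethod maps a request method onto the allowed set (case-folded),
// returning "unknown" for any non-standard method.
func SanitizeMethod(method string) string {
	m := strings.ToUpper(method)
	if allowedMethods[m] {
		return m
	}
	return "unknown"
}

// MethodCounter stands in for a CounterVec with a single "method" label:
// each distinct label value is one time series.
type MethodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func NewMethodCounter() *MethodCounter {
	return &MethodCounter{counts: map[string]int{}}
}

// Inc increments the series for the given label value, creating it if needed.
func (c *MethodCounter) Inc(label string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[label]++
}

// Cardinality reports how many distinct series the counter currently holds.
func (c *MethodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// Instrument wraps next and records the request method. With sanitize=false it
// uses r.Method verbatim as the label value (the affected behaviour); with
// sanitize=true it applies SanitizeMethod first (the fix / workaround).
func Instrument(c *MethodCounter, sanitize bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		label := r.Method
		if sanitize {
			label = SanitizeMethod(r.Method)
		}
		c.Inc(label)
		next.ServeHTTP(w, r)
	})
}

// Simulate sends n requests with distinct made-up methods (BOGUS0, BOGUS1, ...)
// plus one ordinary GET through an instrumented handler and returns how many
// series the counter ends up with.
func Simulate(sanitize bool, n int) int {
	c := NewMethodCounter()
	h := Instrument(c, sanitize, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	for i := 0; i < n; i++ {
		// httptest.NewRequest accepts any syntactically valid token as the method.
		req := httptest.NewRequest(fmt.Sprintf("BOGUS%d", i), "/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil))
	return c.Cardinality()
}

func main() {
	fmt.Println("raw method label, 1000 bogus methods -> series:", Simulate(false, 1000))
	fmt.Println("sanitized label,  1000 bogus methods -> series:", Simulate(true, 1000))
}
```

Running it shows 1001 series for the raw label after a thousand made-up methods against two for the sanitized one; the same closed set is what you would enforce at a reverse proxy or WAF if the middleware itself cannot be changed.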


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit its identity, there are network connectivity issues, or the client was configured with aggressive timeouts. The problem occurs for multiple use cases. For sticky connections, you receive persistent out-of-order responses for the lifetime of the connection. All commands in the pipeline receive incorrect responses. When used with the default ConnPool, once a connection is returned after use with ConnPool#Put the read buffer will be checked and the connection will be marked as bad due to the unread data. This means at most one out-of-order response is returned before the connection is discarded. This issue is fixed in 9.5.5, 9.6.3, and 9.7.3. You can prevent the vulnerability by setting the flag DisableIndentity to true when constructing the client instance.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met:

  • The attacker must have admin access to the specific datasource prior to its first deletion.
  • Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
  • The attacker must delete the datasource, then someone must recreate it.
  • The new datasource must not have the attacker as an admin.
  • The new datasource must have the same UID as the prior datasource. These are randomised by default.
  • The datasource can now be re-deleted by the attacker.
  • Once 30 seconds are up, the attack is spent and cannot be repeated.
  • No datasource with any other UID can be attacked.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 only through github.com/go-sql-driver/mysql are not affected. This issue has been fixed in version 1.1.1.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. Versions 2.80.0, 3.30.0, and 4.59.0 contain a patch for the issue.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path. Only instances with the sqlExpressions feature toggle enabled are vulnerable. Only instances in the following version ranges are affected:

  • 11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
  • 12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
  • 12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
  • 12.3.0 (inclusive) to 12.3.6 (exclusive): 12.3.6 has the fix.
  • 12.4.0 (inclusive) to 12.4.2 (exclusive): 12.4.2 has the fix.

13.0.0 and above also have the fix: no v13 release is affected.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

A resample query can be used to trigger out-of-memory crashes in Grafana.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

A testdata data-source can be used to trigger out-of-memory crashes in Grafana.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, and whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: a validating interceptor (the recommended mitigation); infrastructure-level normalization; and/or policy hardening.
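To make the interaction concrete, here is an editor-written, stdlib-only Go model of the affected configuration and of the "validating interceptor" mitigation; it is not gRPC-Go or `grpc/authz` code. `Policy`, `Evaluate`, `ValidateFullMethod` and `Authorize` are names chosen here, the sentinel errors stand in for gRPC status codes, and the structural check is deliberately stricter than the leading-slash rule the description attributes to 1.79.3.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors standing in for the gRPC status codes a real interceptor returns.
var (
	ErrUnimplemented    = errors.New("unimplemented: non-canonical :path")
	ErrPermissionDenied = errors.New("permission denied")
)

// Policy is a deny-list with a fallback allow, the configuration the advisory
// describes as affected. Keys are canonical full method names.
type Policy struct {
	Deny map[string]bool
}

// Evaluate applies the policy to the method name exactly as supplied. On an
// unpatched server this receives the raw :path, so a request for
// "pkg.Admin/Shutdown" (no leading slash) misses the deny entry
// "/pkg.Admin/Shutdown" and falls through to the default allow.
func (p Policy) Evaluate(fullMethod string) error {
	if p.Deny[fullMethod] {
		return ErrPermissionDenied
	}
	return nil
}

// ValidateFullMethod rejects any path that is not of the canonical form
// "/<service>/<method>" with non-empty parts and no further slashes. It is
// stricter than the leading-slash check alone (an editor's choice).
func ValidateFullMethod(path string) error {
	if !strings.HasPrefix(path, "/") {
		return ErrUnimplemented
	}
	service, method, ok := strings.Cut(path[1:], "/")
	if !ok || service == "" || method == "" || strings.Contains(method, "/") {
		return ErrUnimplemented
	}
	return nil
}

// Authorize is the hardened interceptor: validate the method name before any
// policy lookup, so the policy only ever sees canonical strings.
func Authorize(p Policy, fullMethod string) error {
	if err := ValidateFullMethod(fullMethod); err != nil {
		return err
	}
	return p.Evaluate(fullMethod)
}

func main() {
	p := Policy{Deny: map[string]bool{"/pkg.Admin/Shutdown": true}}
	for _, path := range []string{"/pkg.Admin/Shutdown", "pkg.Admin/Shutdown", "/pkg.Admin/Status"} {
		fmt.Printf("%-22s raw policy: %v | validating interceptor: %v\n",
			path, p.Evaluate(path), Authorize(p, path))
	}
}
```

The same ordering (validate, then evaluate) is what "policy hardening" buys you when expressed in the policy itself: a deny rule that matches both `/Service/Method` and `Service/Method` closes the gap, but a validator that refuses every non-canonical path is simpler to audit.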


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. This vulnerability is fixed in 4.1.4 and 3.0.5.
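The failure mode is easiest to see against a complete RFC 3394 key unwrap, so this editor-written Go example (standard library only; not go-jose code) implements AES Key Wrap and Unwrap with the length guard the fix adds, plus a small helper that reproduces the unguarded allocation and reports whether it panics. `KeyWrap`, `KeyUnwrap` and `UnguardedAllocationPanics` are names chosen here; the key and plaintext in `main` are the published test vector from RFC 3394 section 4.1.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	kwIV         = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // RFC 3394 default IV
	ErrBadLength = errors.New("keywrap: ciphertext must be >= 16 bytes and a multiple of 8")
	ErrIntegrity = errors.New("keywrap: integrity check failed")
)

// KeyWrap implements RFC 3394 AES Key Wrap (section 2.2.1) with the default IV.
func KeyWrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("keywrap: plaintext must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	out := make([]byte, 8+len(plaintext)) // out[:8] is A, out[8*i:] is R[i]
	copy(out[:8], kwIV)
	copy(out[8:], plaintext)
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(b[:8], out[:8])
			copy(b[8:], out[8*i:8*i+8])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(out[:8], binary.BigEndian.Uint64(b[:8])^t)
			copy(out[8*i:8*i+8], b[8:])
		}
	}
	return out, nil
}

// KeyUnwrap is the inverse (section 2.2.2). The length guard at the top is the
// check the advisory describes as missing: without it the inferred block count
// n is zero or negative for short inputs and the slice allocation panics.
func KeyUnwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 16 || len(ciphertext)%8 != 0 {
		return nil, ErrBadLength
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	buf := make([]byte, len(ciphertext))
	copy(buf, ciphertext)
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(buf[:8])^t)
			copy(b[8:], buf[8*i:8*i+8])
			block.Decrypt(b[:], b[:])
			copy(buf[:8], b[:8])
			copy(buf[8*i:8*i+8], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(buf[:8], kwIV) != 1 {
		return nil, ErrIntegrity
	}
	return buf[8:], nil
}

// UnguardedAllocationPanics mirrors the shape of the faulty path: derive n from
// the ciphertext length without validation and allocate n*8 bytes. It reports
// whether that allocation panicked (recovered here so the caller survives).
func UnguardedAllocationPanics(ciphertext []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	n := len(ciphertext)/8 - 1
	_ = make([]byte, n*8) // negative length for len(ciphertext) < 8: runtime panic
	return false
}

func main() {
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	pt, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	ct, _ := KeyWrap(kek, pt)
	fmt.Println("wrapped:", hex.EncodeToString(ct))
	_, err := KeyUnwrap(kek, ct[:8])
	fmt.Println("8-byte ciphertext:", err)
	fmt.Println("unguarded allocation panics on empty input:", UnguardedAllocationPanics(nil))
}
```

The guard returns an error instead of panicking, which is the whole difference between a malformed JWE costing one rejected request and costing the process; the integrity check on the recovered IV is what makes tampered ciphertext fail closed as well.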


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

Integer Overflow or Wraparound vulnerability in the Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References

Description

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
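The remote-read fix described here and the remote-write change listed earlier in the advisory come down to the same guard, so one added example covers both. This is an editor's standard-library-only Go model, not Prometheus code: a snappy block-format body begins with a uvarint preamble carrying the decoded length (the value `snappy.DecodedLen` reports), and the handler reads that preamble and rejects the request before any decode buffer is allocated. `RemoteReadHandler`, `CheckDecodedLength`, `ForgedBody`, `Probe` and the hand-encoded seven-byte body are constructed for the example; real decompression is left out.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

var (
	ErrBadPreamble = errors.New("snappy: missing or malformed decoded-length preamble")
	ErrTooLarge    = errors.New("snappy: declared decoded length exceeds limit")
)

// DeclaredDecodedLength reads the uvarint preamble of a snappy block-format
// body and returns the decoded length it promises, without decompressing.
func DeclaredDecodedLength(body []byte) (uint64, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 { // k == 0: buffer too short; k < 0: varint overflows 64 bits
		return 0, ErrBadPreamble
	}
	return n, nil
}

// CheckDecodedLength is the guard the fix adds: refuse to allocate for a body
// whose declared decoded length exceeds limit.
func CheckDecodedLength(body []byte, limit uint64) error {
	n, err := DeclaredDecodedLength(body)
	if err != nil {
		return err
	}
	if n > limit {
		return fmt.Errorf("%w: %d > %d", ErrTooLarge, n, limit)
	}
	return nil
}

// RemoteReadHandler models a hardened /api/v1/read: cap the compressed body,
// then check the declared decoded length, and only then decompress.
func RemoteReadHandler(maxCompressed int64, maxDecoded uint64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, maxCompressed)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err := CheckDecodedLength(body, maxDecoded); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// Only here would a real handler call snappy.Decode and unmarshal the
		// ReadRequest protobuf; decompression is omitted in this model.
		w.WriteHeader(http.StatusNoContent)
	})
}

// ForgedBody constructs a few-byte body whose preamble claims `claimed`
// decoded bytes (constructed input; not valid snappy data beyond the preamble).
func ForgedBody(claimed uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, claimed)
	return append(buf[:k], 0x00)
}

// tinyValidBody is a hand-encoded snappy block for "hello": preamble 5, then a
// literal tag ((5-1)<<2) followed by the five bytes.
var tinyValidBody = []byte{0x05, 0x10, 'h', 'e', 'l', 'l', 'o'}

// Probe submits body to h and returns the HTTP status code.
func Probe(h http.Handler, body []byte) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/api/v1/read", bytes.NewReader(body)))
	return rec.Code
}

func main() {
	h := RemoteReadHandler(1<<20, 64<<20)
	fmt.Println("valid 7-byte body    :", Probe(h, tinyValidBody))
	fmt.Println("claims 1 GiB decoded :", Probe(h, ForgedBody(1<<30)))
	fmt.Println("empty body           :", Probe(h, nil))
}
```

Two limits are needed: the compressed-size cap alone does not help, because the preamble is a handful of bytes however large the number it carries, and the declared-length check alone does not bound what a client can stream. Both checks run before anything proportional to the declared length is allocated.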


Affected products
Container suse/manager/5.0/x86_64/server:latest:golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.24.2
Container suse/manager/5.0/x86_64/server:latest:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2
Container suse/manager/5.0/x86_64/server:latest:prometheus-postgres_exporter-0.10.1-150000.1.20.2
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:golang-github-prometheus-node_exporter-1.10.2-150100.3.41.2

References