SUSE-SU-2026:2438-1

Описание

This update for alloy fixes the following issues

Security issues:

• CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server to crash a client application via a DataRow message (bsc#1259919).
• CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files (bsc#1258099).
• CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results and lead to undefined behavior (bsc#1258609).
• CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header (bsc#1260317).
• CVE-2026-34986: github.com/go-jose/go-jose/v4: crafted JWE input with a missing encrypted key can lead to a denial of service (bsc#1262955).
• CVE-2026-41602: github.com/apache/thrift: TFramedTransport frame size headers can lead to a uint32 integer overflow (bsc#1263530).

Non security issue:

• Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815).
• Update to version 1.16.1

• Bug Fixes logging: Fix startup deadlock when components log before logging config is evaluated Update to Beyla 3.9.8 Migrate from Docker to Moby

• Use latest openSUSE Tumbleweed image for building web UI assets
• Install nvm to set node version specified upstream
• update to 1.16.0:

• Features

• Add clustering for loki.source.kubernetes_events (#6027) (3dbf587) (@petewall)
• Add otelcol.auth.google client auth provider (#5526) (da99a66) (@dashpole, @clayton-cornell)
• beyla.ebpf: Bump to v3.7.0 (#5966) (5126c2e) (@marctc)
• database_observability: Add support for GCP Cloud SQL metadata (#5875) (5d23245) (@cristiangreco, @clayton-cornell)
• database_observability: Make targets optional (#5924) (54664b2) (@matthewnolf)
• database_observability: Update default excluded schemas and users (#6080) (b386fff) (@cristiangreco)
• faro.receiver: Add sourcemap fetching from remote locations (#4614) (b6cb5da) (@Oxel40)
• helm: Add support for global.image.pullPolicy (#6069) (2e2ce72) (@petewall)
• helm: Allow configuring image pull policy for config reloader (#5923) (991539b) (@kalleep)
• loki.secretfilter: Add label_timed_out option to mark timed-out log lines (#5898) (2ad8834) (@kleimkuhler)
• loki.secretfilter: Add secrets_redacted_by_category_total metric combining rule and origin (#5855) (053a2f7) (@kleimkuhler)
• loki.secretfilter: Change secretfilter to use go-re2 regex library instead of stdlib (#5909) (c16a660) (@mikefat)
• loki.secretfilter: Remove redundant secrets_redacted_by_rule_total and secrets_redacted_by_origin metrics (#5970) (b16decb) (@kleimkuhler)
• Oracle exporter can scrape more than one DB (#6008) (6fbad38) (@ptodev)
• prometheus.exporter.cloudwatch: Upgrade YACE and drop aws-sdk-go v1 support (#5936) (f1c036d) (@x1unix)
• prometheus.exporter.mysql: Update to mysqld_exporter 0.19.0 (#5836) (4f49b57) (@cristiangreco)
• prometheus.remote_write: Sync WAL with upstream Prometheus (#5907) (e74a91b) (@x1unix)
• pyroscope: Add support for extra async-profiler CLI arguments (#5472) (9251e33) (@ivanape)
• pyroscope: Replace Parca gRPC debuginfo upload with Pyroscope Connect API (#5891) (e7ea34a) (@korniltsev-grafanista)
• pyroscope: Update debuginfo client for HTTP/1.1 upload API (#6037) (879d8e5) (@korniltsev-grafanista)
• Change service stop command from 'sc' to 'net' (#5906) (450973d) (@mateuszdrab)
• database_observability.mysql: Refactor explain plan loop batch size (#5894) (f0fcd6b) (@cristiangreco)
• database_observability.postgres: Cleanup embedded exporter collectors on reconnection (#6079) (f30d9ae) (@cristiangreco)
• database_observability.postgres: Fix EXPLAIN param count when placeholders repeat (#6082) (b612b81) (@rgeyer)
• database_observability: Drop schema_detection from logs (#6076) (b0105cb) (@cristiangreco)
• database_observability: Ensure connection_info_monitor goroutine exits on Stop (#5874) (1e3334b) (@cristiangreco)
• deps: Update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 [SECURITY] (#6004) (38f4346)
• deps: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (#5934) (a5154af)
• deps: Update module github.com/go-git/go-git/v5 to v5.18.0 [SECURITY] (#6090) (0e59d64)
• deps: Update module github.com/nwaples/rardecode/v2 to v2.2.0 [SECURITY] (b44d51a) (@jharvey10)
• deps: Update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.43.0 [SECURITY] (#6016) (d92c5c0) go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [SECURITY] (#6017) (e655bbc)
• deps: Update module go.opentelemetry.io/otel/sdk to v1.43.0 [SECURITY] (#6018) (94006e8)
• deps: Update some minor go dep versions (#5896) (4ddd0ed) (@jharvey10)
• go: Update alloy builder image to Go 1.25.9 (#6012) (d2ae8b8) (@x1unix)
• go: Upgrade to Go 1.25.9 (#6019) (d777ed1) (@x1unix, @kalleep)
• Helm: RBAC template handles empty rule arrays (#4860) (c9430e9) (@naptalie, @dehaansa, @kalleep)
• loki.process: Eliminate per-stream goroutines in multiline stage (#6036) (c089e2e) (@kgeckhart)
• loki.process: Prevent stage.structured_metadata from adding the same metadata several times (#5965) (0ec8a26) (@kalleep, @thampiotr)
• loki.process: Wrap template in a custom type and move validation to syntax.Validator (#5910) (700dd7d) (@kalleep)
• prometheus.exporter.postgres: Close DB connections on update (#6021) (8da97cf) (@kalleep)
• prometheus.scrape: Update scrape_native_histograms to be updated at runtime (#6087) (18b205c) (@kalleep)
• pyroscope.ebpf: Fix deadlock on LRU eviction in irsymcache (#5911) (03ca563) (@luweglarz)
• pyroscope.ebpf: Move Pyroscope ebpf metrics registration after component error handling (#5540) (a3c57c0) (@crbednarz, @marcsanmi)
• pyroscope: Set user agent on debuginfo connect-go client (#6022) (38ad1ef) (@korniltsev-grafanista)
• ui: Large arguments are downloaded as files instead of rendered (#5268) (26c67b3) (@ptodev)
• Update go-m1cpu v0.1.7 -> v0.2.1 to fix M5 chip crash (#6034) (7fa0cbc) (@ymotongpoo)
• windows-installer: Increase service restart on failure delays (#5969) (add15b1) (@rknightion)
• add script to package webassets inside a podman container, to not endanger or pollute the host system with npm
• update to 1.15.1: goroutine exits on Stop

• CVE-2026-34986: Fix panic in JWE decryption (bsc#1262955)

• update to 1.15.0:

• BREAKING CHANGES

• otelcol: Upgrade to OTel Collector v0.147.0
• Renamed undocumented metrics that was previously prefixed with <component_id><metric_name> to loki_source_awsfirehose<metric_name>

• Security CVE-2026-26958: Update filippo.io/edwards25519 to version 1.1.1 (bsc#1258609).

• alloy-mixin: Add filters, groupBy, and multi-select dashboard variables
• beyla.ebpf: Add support for Prometheus native histograms
• beyla.ebpf: Bump Beyla to v3.6
• converters: Support converting Promtail limits_config
• database_observability.mysql: Add filtering of query samples and wait events by minimum duration
• database_observability.mysql: Embed prometheus exporter within db-o11y component
• database_observability.postgres: Add configurable limit to pg_stat_statements query
• database_observability.postgres: Embed prometheus exporter
• database_observability: Promote components to stable
• Expose Functionality to Handle syslogs with Empty MSG Field
• loki.process: Support structured metadata as source type of stage.labels for loki.process
• loki.secretfilter: Add sampling for secretfilter entries
• loki.source.gcplog: Add alloy config for MaxOutstandingBytes and MaxOutstandingMessages
• loki.write: Add loki pipeline latency metric
• mixin: Update loki dashboard
• otelcol.receiver.datadog: Expose intake proxy and trace_id_cache_size settings
• prometheus.exporter.cloudwatch: Use aws-sdk-go-v2 by default
• pyroscope.ebpf: Add comm, pid labels and kernel frame options
• update to 1.14.1:
• Correctly handle the deprecated topic field in otelcol.receiver.kafka configuration
• loki.process: Protect against json that does not look like docker json format
• loki.source.file: Keep positions for compressed files when reading is finished
• prometheus.scrape: Update arguments and targets even if scrape_native_histograms and extra_metrics are updated
• update to 1.14.0:
• loki.secretfilter: Some config options are removed entirely: partial_mask (replaced with redact_percent), allowlist (now controlled with custom gitleaks config), enable_entropy, include_generic, types (now controlled with custom gitleaks config).
• otelcol.receiver.prometheus: otelcol.receiver.prometheus no longer sets start times of OTLP metrics.

• Security:

• update to 1.13.2:
• Expose missing otelcol.processor.tail_sampling options
• mixin: Add zipped dashboards as a release artifact
• profiler: Backport Go 1.26 gopclntab textStart fix
• prometheus.exporter.postgres: Update version of the exporter fork to fix pg_settings
• pyroscope.ebpf: Backport dotnet nibble map fix
• update to 1.13.1:
• timeout before starting new ones
• update to 1.13.0:
• otelcol: Upgrade to OTel Collector v0.142.0
• otelcol.receiver.kafka: The global topic attribute has been deleted; use the topics attributes inside the logs, metrics, and traces blocks instead.
• otelcol.exporter > sending_queue > batch > min_size changed from 8192 to 2000 and max_size changed from 0 to 3000
• Add a virtual_node_peer_attributes and virtual_node_extra_label arguments to otelcol.connector.servicegraph
• Add an otelcol.processor.metric_start_time component
• Add job level period, length, and add_cloudwatch_timestamp options and labels_snake_case to CW exporter
• Add missing configuration parameter deployment_name_from_replicaset to k8sattributes processor
• Add parcas symbols upload to pyroscope.ebpf
• Add sharding for loki.write
• Add unexposed otel engine and extension to codebase and change build structure
• beyla.ebpf: Add meta_cache_address to beyla.ebpf.attributes.kubernetes
• beyla.ebpf: Upgrade Beyla to v2.8.5
• Change the defaults for sending_queue > batch block inside otelcol.exporter components
• cluster: Support DNS discovery mode prefixes in --cluster.join-addresses flag
• converter: Update promtail converter to use file_match block for loki.source.file
• database_observability: Add health check collector for postgres component
• database_observability: Expose exclude_schemas and exclude_databases settings
• database_observability: Support Azure cloud provider config data
• database_observability.mysql: Support excluding schemas in all collectors
• database_observability.postgres: Support excluding DBs in all collectors