This update for golang-github-prometheus-prometheus fixes the following issues:

golang-github-prometheus-prometheus:

* Security issues fixed in this version update to 2.37.6:
  * CVE-2022-46146: Fix basic authentication bypass vulnerability (bsc#1208049, jsc#PED-3576)
  * CVE-2022-41715: Update our regexp library to fix upstream (bsc#1204023)
  * CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208298)
* Other non-security bugs fixed and changes in this version update to 2.37.6:
  * [BUGFIX] TSDB: Turn off isolation for Head compaction to fix a memory leak.
  * [BUGFIX] TSDB: Fix 'invalid magic number 0' error on Prometheus startup.
  * [BUGFIX] Agent: Fix validation of flag options and prevent WAL from growing more than desired.
  * [BUGFIX] Properly close file descriptor when logging unfinished queries.
  * [BUGFIX] TSDB: In the WAL watcher metrics, expose the type="exemplar" label instead of type="unknown" for exemplar records.
  * [BUGFIX]...

## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  `zypper in -t patch openSUSE-SLE-15.4-2023-2598=1`
* openSUSE Leap 15.5
  `zypper in -t patch openSUSE-SLE-15.5-2023-2598=1`
* SUSE Package Hub 15 15-SP5
  `zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2598=1`
* SUSE Manager Proxy 4.2 Module 4.2
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2023-2598=1`
* SUSE Manager Proxy 4.3 Module 4.3
  `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2023-2598=1`

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
  * firewalld-prometheus-config-0.1-150100.4.17.1
  * golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * firewalld-prometheus-config-0.1-150100.4.17.1
  * golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
* SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
* SUSE Manager Proxy 4.2 Module 4.2 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-prometheus-2.37.6-150100.4.17.1
* SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-prometheus-2.37.6-150100.4.17.1

* bsc#1204023
* bsc#1208049
* bsc#1208298
* jsc#MSQA-665
* jsc#PED-3576
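
After running the patch command, a host can be checked against the fixed version-release from the package list above. The script below is an added example, not part of the SUSE advisory; the function names are hypothetical, and it assumes GNU `sort -V` as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): report whether the
# installed Prometheus package is at or above the fixed version-release.
PKG="golang-github-prometheus-prometheus"
FIXED="2.37.6-150100.4.17.1"   # taken from the advisory's package list

# ver_ge A B: succeed if A >= B.
# Assumption: GNU `sort -V` matches RPM ordering for plain numeric
# version-release strings like these; epochs and tildes are not handled.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify VERSION-RELEASE: print patched, vulnerable or not-installed.
classify() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif ver_ge "$1" "$FIXED"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# installed_version: print VERSION-RELEASE of $PKG, or nothing when rpm
# or the package is absent.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q "$PKG" >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" | head -n 1
}

# check_host: one-line status for the local machine.
check_host() {
    v=$(installed_version)
    echo "$PKG ${v:-<none>}: $(classify "$v")"
}

check_host
```

A `vulnerable` result means the installed package is older than the release that carries the fixes for the three CVEs listed above.
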
## References:
* https://www.suse.com/security/cve/CVE-2022-41715.html
* https://www.suse.com/security/cve/CVE-2022-41723.html
* https://www.suse.com/security/cve/CVE-2022-46146.html
* https://bugzilla.suse.com/show_bug.cgi?id=1204023
* https://bugzilla.suse.com/show_bug.cgi?id=1208049
* https://bugzilla.suse.com/show_bug.cgi?id=1208298