
openSUSE: 2024:0512-1 Important: XSS Fix for Alertmanager

openSUSE, February 15, 2024
Patch release for golang-github-prometheus-alertmanager addressing Cross-Site Scripting vulnerabilities in the Alertmanager interface along with various bug fixes.

## Description

This update for golang-github-prometheus-alertmanager fixes the following issues:

golang-github-prometheus-alertmanager was updated from version 0.23.0 to 0.26.0 (jsc#PED-7353):

* Version 0.26.0:
  * Security fixes:
    * CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
  * Other changes and bugs fixed:
    * Configuration: Fix a crash of the alertmanager when the list of receivers or inhibit_rules is empty
    * Templating: Fixed a race condition when using the title function. It is now race-safe
    * API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
    * API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
    * Clustering: Fixes a panic when tls_client_config is empty
    * Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
    * Metrics: New label reason for the alertmanager_notifications_failed_total metric to indicate the type of error of the alert...


## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Manager Proxy 4.3 Module 4.3: `zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-512=1`
* openSUSE Leap 15.5: `zypper in -t patch openSUSE-SLE-15.5-2024-512=1`
* SUSE Manager Client Tools for SLE 15: `zypper in -t patch SUSE-SLE-Manager-Tools-15-2024-512=1`
* SUSE Package Hub 15 15-SP5: `zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-512=1`

## Package List:

* SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1
* SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1
* SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1

## References:

* bsc#1218838
* jsc#MSQA-719
* jsc#PED-7353
* https://www.suse.com/security/cve/CVE-2023-40577.html
* https://bugzilla.suse.com/show_bug.cgi?id=1218838

Severity: important

Announcement ID: SUSE-SU-2024:0512-1
Rating: important
