Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 0 articles for you...
89
security advisoryfedoraimportantFedora 43 alertmanager 0.31.1 Important Updates 2026-efbceeec2f
Initial build after rename and update to 0.31.1. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-efbceeec2f 2026-03-16 00:57:17.182013+00:00 -------------------------------------------------------------------------------- Name : alertmanager Product : Fedora 43 Version : 0.31.1 Release : 2.fc43 URL : https://github.com/prometheus/alertmanager Summary : Prometheus Alertmanager Description : The Alertmanager handles alerts sent by client applications such as the Prometheus server. It takes care of deduplicating, grouping, and routing them to the correct receiver integrations such as email, PagerDuty, or OpsGenie. It also takes care of silencing and inhibition of alerts. -------------------------------------------------------------------------------- Update Information: Initial build after rename and update to 0.31.1 -------------------------------------------------------------------------------- ChangeLog: * Fri Mar 6 2026 Mikel Olasagasti Uranga - 0.31.1-1 - Initial package after rename - Closes rhbz#2444340 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2408246 - CVE-2025-58189 golang-github-prometheus-alertmanager: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2408246 [ 2 ] Bug #2408713 - CVE-2025-61725 golang-github-prometheus-alertmanager: Excessive CPU consumption in ParseAddress in net/mail [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2408713 [ 3 ] Bug #2409717 - CVE-2025-61723 golang-github-prometheus-alertmanager: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2409717 [ 4 ] Bug #2410670 - CVE-2025-58185 golang-github-prometheus-alertmanager: Parsing DER payload can cause memory exhaustion inencoding/asn1 [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2410670 [ 5 ] Bug #2411566 - CVE-2025-58188 golang-github-prometheus-alertmanager: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-43] https://bugzilla.redhat.com/show_bug.cgi?id=2411566 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-efbceeec2f' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Mar 16, 2026
•Important
Fedora
89
security advisorydenial of servicefedoraFedora 42 alertmanager Critical Denial Of Service Vulnerability Report
Initial build after rename and update to 0.31.1. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-83937af369 2026-03-15 01:12:21.661907+00:00 -------------------------------------------------------------------------------- Name : alertmanager Product : Fedora 42 Version : 0.31.1 Release : 2.fc42 URL : https://github.com/prometheus/alertmanager Summary : Prometheus Alertmanager Description : The Alertmanager handles alerts sent by client applications such as the Prometheus server. It takes care of deduplicating, grouping, and routing them to the correct receiver integrations such as email, PagerDuty, or OpsGenie. It also takes care of silencing and inhibition of alerts. -------------------------------------------------------------------------------- Update Information: Initial build after rename and update to 0.31.1 -------------------------------------------------------------------------------- ChangeLog: * Fri Mar 6 2026 Mikel Olasagasti Uranga - 0.31.1-1 - Initial package after rename - Closes rhbz#2444340 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2398777 - CVE-2025-47910 golang-github-prometheus-alertmanager: CrossOriginProtection bypass in net/http [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2398777 [ 2 ] Bug #2399448 - CVE-2025-47906 golang-github-prometheus-alertmanager: Unexpected paths returned from LookPath in os/exec [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2399448 [ 3 ] Bug #2407978 - CVE-2025-58189 golang-github-prometheus-alertmanager: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2407978 [ 4 ] Bug #2408653 - CVE-2025-61725 golang-github-prometheus-alertmanager: Excessive CPU consumption in ParseAddress in net/mail [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2408653 [ 5 ] Bug #2409448 - CVE-2025-61723 golang-github-prometheus-alertmanager: Quadratic complexity when parsing some invalid inputs in encoding/pem [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2409448 [ 6 ] Bug #2410399 - CVE-2025-58185 golang-github-prometheus-alertmanager: Parsing DER payload can cause memory exhaustion in encoding/asn1 [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2410399 [ 7 ] Bug #2411299 - CVE-2025-58188 golang-github-prometheus-alertmanager: Panic when validating certificates with DSA public keys in crypto/x509 [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2411299 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-83937af369' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Mar 15, 2026
•Critical
Fedora
202
security advisorymoderatedenial of serviceopenSUSE: golang-github-prometheus-alertmanager CVE-2025-47908 Advisory
An update that solves one vulnerability and contains two features can now be installed.. # Security update for golang-github-prometheus-alertmanager Announcement ID: SUSE-SU-2025:4481-1 Release Date: 2025-12-18T12:19:03Z Rating: moderate References: * bsc#1247748 * jsc#MSQA-1034 * jsc#PED-13285 Cross-References: * CVE-2025-47908 CVSS scores: * CVE-2025-47908 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2025-47908 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2025-47908 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 * SUSE Linux Enterprise Desktop 15 SP1 * SUSE Linux Enterprise Desktop 15 SP2 * SUSE Linux Enterprise Desktop 15 SP3 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise High Performance Computing 15 * SUSE Linux Enterprise High Performance Computing 15 SP1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Real Time 15 SP1 * SUSE Linux Enterprise Real Time 15 SP2 * SUSE Linux Enterprise Real Time 15 SP3 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 * SUSE Linux Enterprise Server 15 SP1 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Manager Client Tools for SLE 15 * SUSE Manager Proxy 4.3 * SUSE Manager Proxy 4.3 LTS * SUSE Manager Retail Branch Server 4.3 * SUSE Package Hub 15 15-SP6 * SUSE Package Hub 15 15-SP7 An update that solves one vulnerability and contains two features can now be installed. ## Description: This update for golang-github-prometheus-alertmanager fixes the following issues: * Update to version 0.28.1 (jsc#PED-13285): * Improved performance of inhibition rules when using Equal labels. * Improve the documentation on escaping in UTF-8 matchers. * Update alertmanager_config_hash metric help to document the hash is not cryptographically strong. * Fix panic in amtool when using --verbose. * Fix templating of channel field for Rocket.Chat. * Fix rocketchat_configs written as rocket_configs in docs. * Fix usage for --enable-feature flag. * Trim whitespace from OpsGenie API Key. * Fix Jira project template not rendered when searching for existing issues. * Fix subtle bug in JSON/YAML encoding of inhibition rules that would cause Equal labels to be omitted. * Fix header for slack_configs in docs. * Fix weight and wrap of Microsoft Teams notifications. * Upgrade to version 0.28.0: * CVE-2025-47908: Bump github.com/rs/cors (bsc#1247748). * Templating errors in the SNS integration now return an error. * Adopt log/slog, drop go-kit/log. * Add a new Microsoft Teams integration based on Flows. * Add a new Rocket.Chat integration. * Add a new Jira integration. * Add support forGOMEMLIMIT, enable it via the feature flag \--enable- feature=auto-gomemlimit. * Add support for GOMAXPROCS, enable it via the feature flag \--enable- feature=auto-gomaxprocs. * Add support for limits of silences including the maximum number of active and pending silences, and the maximum size per silence (in bytes). You can use the flags \--silences.max-silences and --silences.max-silence-size-bytes to set them accordingly. * Muted alerts now show whether they are suppressed or not in both the /api/v2/alerts endpoint and the Alertmanager UI. * Upgrade to version 0.27.0: * API: Removal of all api/v1/ endpoints. These endpoints now log and return a deprecation message and respond with a status code of 410. * UTF-8 Support: Introduction of support for any UTF-8 character as part of label names and matchers. * Discord Integration: Enforce max length in message. * Metrics: Introduced the experimental feature flag \--enable- feature=receiver-name-in-metrics to include the receiver name. * Metrics: Introduced a new gauge named alertmanager_inhibition_rules that counts the number of configured inhibition rules. * Metrics: Introduced a new counter named alertmanager_alerts_supressed_total that tracks muted alerts, it contains a reason label to indicate the source of the mute. * Discord Integration: Introduced support for webhook_url_file. * Microsoft Teams Integration: Introduced support for webhook_url_file. * Microsoft Teams Integration: Add support for summary. * Metrics: Notification metrics now support two new values for the label reason, contextCanceled and contextDeadlineExceeded. * Email Integration: Contents of auth_password_file are now trimmed of prefixed and suffixed whitespace. * amtool: Fixes the error scheme required for webhook url when using amtool with --alertmanager.url. * Mixin: Fix AlertmanagerFailedToSendAlerts, AlertmanagerClusterFailedToSendAlerts, and AlertmanagerClusterFailedToSendAlerts tomake sure they ignore the reason label. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4481=1 * SUSE Manager Proxy 4.3 LTS zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-LTS-2025-4481=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-4481=1 * SUSE Manager Client Tools for SLE 15 zypper in -t patch SUSE-SLE-Manager-Tools-15-2025-4481=1 * SUSE Package Hub 15 15-SP6 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-4481=1 ## Package List: * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.28.1-150100.4.28.2 * golang-github-prometheus-alertmanager-debuginfo-0.28.1-150100.4.28.2 * SUSE Manager Proxy 4.3 LTS (x86_64) * golang-github-prometheus-alertmanager-0.28.1-150100.4.28.2 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.28.1-150100.4.28.2 * golang-github-prometheus-alertmanager-debuginfo-0.28.1-150100.4.28.2 * SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.28.1-150100.4.28.2 * SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.28.1-150100.4.28.2 * golang-github-prometheus-alertmanager-debuginfo-0.28.1-150100.4.28.2 ## References: * https://www.suse.com/security/cve/CVE-2025-47908.html * https://bugzilla.suse.com/show_bug.cgi?id=1247748 * https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=https%3A%2F%2Fjira.suse.com%2Fbrowse%2FMSQA-1034 * https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=https%3A%2F%2Fjira.suse.com%2Fbrowse%2FPED-13285 . This update addressesCVE-2025-47908 in openSUSE alertmanager, rated moderate severity, along with new features.. openSUSE Leap, alertmanager, security update, CVE-2025-47908, software vulnerability. . LinuxSecurity.com Team
Dec 18, 2025
OpenSUSE
100
security advisorymoderatesecurity issueSUSE: 2025:01992-1 moderate: golang-github-prometheus-alertmanager
* bsc#1236516 * bsc#1238686 * jsc#MSQA-992 Cross-References: . # Security update for golang-github-prometheus-alertmanager Announcement ID: SUSE-SU-2025:01992-1 Release Date: 2025-06-18T02:13:13Z Rating: moderate References: * bsc#1236516 * bsc#1238686 * jsc#MSQA-992 Cross-References: * CVE-2023-45288 * CVE-2025-22870 CVSS scores: * CVE-2023-45288 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2023-45288 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L * CVE-2025-22870 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N * CVE-2025-22870 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L * CVE-2025-22870 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L Affected Products: * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 * SUSE Linux Enterprise Desktop 15 SP1 * SUSE Linux Enterprise Desktop 15 SP2 * SUSE Linux Enterprise Desktop 15 SP3 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise High Performance Computing 15 * SUSE Linux Enterprise High Performance Computing 15 SP1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Real Time 15 SP1 * SUSE Linux Enterprise Real Time 15 SP2 * SUSE Linux Enterprise Real Time 15 SP3 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 * SUSE Linux Enterprise Server 15 SP1 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux EnterpriseServer 15 SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * SUSE Manager Client Tools for SLE 15 * SUSE Manager Proxy 4.3 * SUSE Manager Proxy 4.3 Module * SUSE Manager Retail Branch Server 4.3 * SUSE Package Hub 15 15-SP6 * SUSE Package Hub 15 15-SP7 An update that solves two vulnerabilities and contains one feature can now be installed. ## Description: This update for golang-github-prometheus-alertmanager fixes the following issues: * Security: * CVE-2025-22870: Fix proxy bypassing using IPv6 zone IDs (bsc#1238686) * CVE-2023-45288: Fix HTTP/2 CONTINUATION flood in net/http (bsc#1236516) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-1992=1 * SUSE Manager Client Tools for SLE 15 zypper in -t patch SUSE-SLE-Manager-Tools-15-2025-1992=1 * SUSE Package Hub 15 15-SP6 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-1992=1 * SUSE Package Hub 15 15-SP7 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-1992=1 * SUSE Manager Proxy 4.3 Module zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2025-1992=1 ## Package List: * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) *golang-github-prometheus-alertmanager-debuginfo-0.26.0-150100.4.25.2 * golang-github-prometheus-alertmanager-0.26.0-150100.4.25.2 * SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.26.0-150100.4.25.2 * SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-debuginfo-0.26.0-150100.4.25.2 * golang-github-prometheus-alertmanager-0.26.0-150100.4.25.2 * SUSE Package Hub 15 15-SP7 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-debuginfo-0.26.0-150100.4.25.2 * golang-github-prometheus-alertmanager-0.26.0-150100.4.25.2 * SUSE Manager Proxy 4.3 Module (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.26.0-150100.4.25.2 ## References: * https://www.suse.com/security/cve/CVE-2023-45288.html * https://www.suse.com/security/cve/CVE-2025-22870.html * https://bugzilla.suse.com/show_bug.cgi?id=1236516 * https://bugzilla.suse.com/show_bug.cgi?id=1238686 * https://jira.suse.com/login.jsp?permissionViolation=true&os_destination=%2Fbrowse%2FMSQA-992&page_caps=&user_role= . Address medium security vulnerabilities in golang-github-prometheus-alertmanager for SUSE distributions with this patch.. SUSE, alertmanager, golang, update, security fix. . LinuxSecurity.com Team
Jun 18, 2025
SuSE
100
security advisorysecurity updateimportantSUSE: 2024:0512-1 Important: Golang Alertmanager XSS Issue Fix
* bsc#1218838 * jsc#MSQA-719 * jsc#PED-7353 Cross-References: . # Security update for golang-github-prometheus-alertmanager Announcement ID: SUSE-SU-2024:0512-1 Rating: important References: * bsc#1218838 * jsc#MSQA-719 * jsc#PED-7353 Cross-References: * CVE-2023-40577 CVSS scores: * CVE-2023-40577 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-40577 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * SUSE Linux Enterprise Desktop 15 * SUSE Linux Enterprise Desktop 15 SP1 * SUSE Linux Enterprise Desktop 15 SP2 * SUSE Linux Enterprise Desktop 15 SP3 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise High Performance Computing 15 * SUSE Linux Enterprise High Performance Computing 15 SP1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP6 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP1 * SUSE Linux Enterprise Real Time 15 SP2 * SUSE Linux Enterprise Real Time 15 SP3 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 * SUSE Linux Enterprise Server 15 SP1 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 * SUSE Linux Enterprise Server for SAP Applications 15 SP1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE LinuxEnterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Manager Client Tools for SLE 15 * SUSE Manager Proxy 4.3 * SUSE Manager Proxy 4.3 Module 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Package Hub 15 15-SP5 An update that solves one vulnerability and contains two features can now be installed. ## Description: This update for golang-github-prometheus-alertmanager fixes the following issues: golang-github-prometheus-alertmanager was updated from version 0.23.0 to 0.26.0 (jsc#PED-7353): * Version 0.26.0: * Security fixes: * CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838) * Other changes and bugs fixed: * Configuration: Fix empty list of receivers and inhibit_rules would cause the alertmanager to crash * Templating: Fixed a race condition when using the title function. It is now race-safe * API: Fixed duplicate receiver names in the api/v2/receivers API endpoint * API: Attempting to delete a silence now returns the correct status code, 404 instead of 500 * Clustering: Fixes a panic when tls_client_config is empty * Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text * Metrics: New label reason for alertmanager_notifications_failed_total metric to indicate the type of error of the alert delivery * Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster * Integrations: Add Microsoft Teams as a supported integration * Version 0.25.0: * Fail configuration loading if api_key and api_key_file are defined at the same time * Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retain the old behavior * Trim contents of Slack API URLs when reading from files * amtool: Avoid panic when the label value matcher is empty * Fail configuration loading if api_url is empty for OpsGenie * Fix email template forresolved notifications * Add proxy_url support for OAuth2 in HTTP client configuration * Reload TLS certificate and key from disk when updated * Add Discord integration * Add Webex integration * Add min_version support to select the minimum TLS version in HTTP client configuration * Add max_version support to select the maximum TLS version in HTTP client configuration * Emit warning logs when truncating messages in notifications * Support HEAD method for the /-/healty and /-/ready endpoints * Add support for reading global and local SMTP passwords from files * UI: Add 'Link' button to alerts in list * UI: Allow to choose the first day of the week as Sunday or Monday * Version 0.24.0: * Fix HTTP client configuration for the SNS receiver * Fix unclosed file descriptor after reading the silences snapshot file * Fix field names for mute_time_intervals in JSON marshaling * Ensure that the root route doesn't have any matchers * Truncate the message's title to 1024 chars to avoid hitting Slack limits * Fix the default HTML email template (email.default.html) to match with the canonical source * Detect SNS FIFO topic based on the rendered value * Avoid deleting and recreating a silence when an update is possible * api/v2: Return 200 OK when deleting an expired silence * amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the update operation * Add the /api/v2 prefix to all endpoints in the OpenAPI specification and generated client code * Add --cluster.tls-config experimental flag to secure cluster traffic via mutual TLS * Add Telegram integration ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Manager Proxy 4.3 Module 4.3 zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-512=1 *openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-512=1 * SUSE Manager Client Tools for SLE 15 zypper in -t patch SUSE-SLE-Manager-Tools-15-2024-512=1 * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-512=1 ## Package List: * SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1 * SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1 * SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64) * golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1 ## References: * https://www.suse.com/security/cve/CVE-2023-40577.html * https://bugzilla.suse.com/show_bug.cgi?id=1218838 * * . Essential SUSE enhancement for golang-github-prometheus-alertmanager tackling a significant XSS vulnerability through an updated version.. SUSE Update, Golang Security, Prometheus Alertmanager, XSS Fix. . Severity: Important. LinuxSecurity.com Team
Feb 15, 2024
•Important
SuSE
197
security advisorydebianxssDebian LTS: DLA-3609-1 Critical: Prometheus Alertmanager XSS Risk
prometheus-alertmanager package, a component of Prometheus, an application used for event monitoring and alerting, was vulnerable to stored XSS type attack. . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3609-1
Oct 08, 2023
•Critical
Debian LTS
100
security advisorysecurity updateimportantSUSE: 2023:1845-2 Critical: Grafana Security Patch Released
The container ses/7.1/ceph/prometheus-alertmanager was updated. The following patches have been included in this update:. SUSE Container Update Advisory: ses/7.1/ceph/prometheus-alertmanager ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:1845-1 Container Tags : ses/7.1/ceph/prometheus-alertmanager:0.23.0 , ses/7.1/ceph/prometheus-alertmanager:0.23.0.3.2.452 , ses/7.1/ceph/prometheus-alertmanager:latest , ses/7.1/ceph/prometheus-alertmanager:sle15.3.pacific Container Release : 3.2.452 Severity : important Type : security References : 1127591 1195633 1197284 1203185 1206513 1208051 1208060 1208064 1208329 1208965 1209406 1210164 1210593 1210870 1211231 1211232 1211233 1211339 1211430 1211795 CVE-2022-27191 CVE-2022-27664 CVE-2022-46146 CVE-2022-46146 CVE-2023-2650 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 CVE-2023-2953 ----------------------------------------------------------------- The container ses/7.1/ceph/prometheus-alertmanager was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2133-1 Released: Tue May 9 13:37:10 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1206513 This update for zlib fixes the following issues: - Add DFLTCC support for using inflate() with a small window (bsc#1206513) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2181-1 Released: Thu May 11 18:49:16 2023 Summary: Security update for SUSE Manager 4.3: Server Type: security Severity: important References: 1208060,1208965,CVE-2022-46146 Security update for SUSE Manager 4.3: Server This is a codestream only update ----------------------------------------------------------------- Advisory ID:SUSE-SU-2023:2187-1 Released: Thu May 11 18:59:16 2023 Summary: Security update for Prometheus Golang clients Type: security Severity: moderate References: 1197284,1203185,1208051,1208064,CVE-2022-27191,CVE-2022-27664,CVE-2022-46146 This update for golang-github-prometheus-alertmanager and golang-github-prometheus-node_exporter fixes the following issues: golang-github-prometheus-alertmanager: - Security issues fixed: * CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208051) golang-github-prometheus-node_exporter: - Security issues fixed in this version update to version 1.5.0 (jsc#PED-3578): * CVE-2022-27191: Update go/x/crypto (bsc#1197284) * CVE-2022-27664: Update go/x/net (bsc#1203185) * CVE-2022-46146: Update exporter-toolkit (bsc#1208064) - Other non-security bug fixes and changes in this version update to 1.5.0 (jsc#PED-3578): * NOTE: This changes the Go runtime 'GOMAXPROCS' to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads. * [BUGFIX] Fix hwmon label sanitizer * [BUGFIX] Use native endianness when encoding InetDiagMsg * [BUGFIX] Fix btrfs device stats always being zero * [BUGFIX] Fix diskstats exclude flags * [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning * [BUGFIX] Fix concurrency issue in ethtool collector * [BUGFIX] Fix concurrency issue in netdev collector * [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes * [BUGFIX] Fix iostat on macos broken by deprecation warning * [BUGFIX] Fix NodeFileDescriptorLimit alerts * [BUGFIX] Sanitize rapl zone names * [BUGFIX] Add file descriptor close safely in test * [BUGFIX] Fix race condition in os_release.go * [BUGFIX] Skip ZFS IO metrics if their paths are missing * [BUGFIX] Handle nil CPU thermal power status on M1 * [BUGFIX]bsd: Ignore filesystems flagged as MNT_IGNORE * [BUGFIX] Sanitize UTF-8 in dmi collector * [CHANGE] Merge metrics descriptions in textfile collector * [FEATURE] Add multiple listeners and systemd socket listener activation * [FEATURE] [node-mixin] Add darwin dashboard to mixin * [FEATURE] Add 'isolated' metric on cpu collector on linux * [FEATURE] Add cgroup summary collector * [FEATURE] Add selinux collector * [FEATURE] Add slab info collector * [FEATURE] Add sysctl collector * [FEATURE] Also track the CPU Spin time for OpenBSD systems * [FEATURE] Add support for MacOS version * [ENHANCEMENT] Add RTNL version of netclass collector * [ENHANCEMENT] [node-mixin] Add missing selectors * [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default * [ENHANCEMENT] [node-mixin] Change disk graph to disk table * [ENHANCEMENT] [node-mixin] Change io time units to %util * [ENHANCEMENT] Ad user_wired_bytes and laundry_bytes on *bsd * [ENHANCEMENT] Add additional vm_stat memory metrics for darwin * [ENHANCEMENT] Add device filter flags to arp collector * [ENHANCEMENT] Add diskstats include and exclude device flags * [ENHANCEMENT] Add node_softirqs_total metric * [ENHANCEMENT] Add rapl zone name label option * [ENHANCEMENT] Add slabinfo collector * [ENHANCEMENT] Allow user to select port on NTP server to query * [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev * [ENHANCEMENT] Enable builds against older macOS SDK * [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name * [ENHANCEMENT] systemd: Expose systemd minor version * [ENHANCEMENT] Use netlink for tcpstat collector * [ENHANCEMENT] Use netlink to get netdev stats * [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles * [ENHANCEMENT] Add btrfs device error stats - Change build requirement to go1.18 or higher (previously this was fixed to version 1.14) ----------------------------------------------------------------- Advisory ID:SUSE-SU-2023:2227-1 Released: Wed May 17 09:57:41 2023 Summary: Security update for curl Type: security Severity: important References: 1211231,1211232,1211233,1211339,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 This update for curl fixes the following issues: - CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231). - CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232). - CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2247-1 Released: Thu May 18 17:04:38 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1127591,1195633,1208329,1209406,1210870 This update for libzypp, zypper fixes the following issues: - Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633) - multicurl: propagate ssl settings stored in repo url (bsc#1127591) - MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870) - zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329) - Teach MediaNetwork to retry on HTTP2 errors. - Fix selecting installed patterns from picklist (bsc#1209406) - man: better explanation of --priority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2333-1 Released: Wed May 31 09:01:28 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1210593 This update for zlib fixes the following issue: - Fix function calling order to avoid crashes (bsc#1210593) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2343-1 Released: Thu Jun 1 11:35:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1211430,CVE-2023-2650 This update for openssl-1_1 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 objectidentifiers (bsc#1211430). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2365-1 Released: Mon Jun 5 09:22:46 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1210164 This update for util-linux fixes the following issues: - Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2484-1 Released: Mon Jun 12 08:49:58 2023 Summary: Security update for openldap2 Type: security Severity: moderate References: 1211795,CVE-2023-2953 This update for openldap2 fixes the following issues: - CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795). The following package changes have been done: - golang-github-prometheus-alertmanager-0.23.0-150100.4.13.2 updated - libblkid1-2.36.2-150300.4.35.1 updated - libcurl4-7.66.0-150200.4.57.1 updated - libfdisk1-2.36.2-150300.4.35.1 updated - libldap-2_4-2-2.4.46-150200.14.14.1 updated - libldap-data-2.4.46-150200.14.14.1 updated - libmount1-2.36.2-150300.4.35.1 updated - libopenssl1_1-hmac-1.1.1d-150200.11.65.1 updated - libopenssl1_1-1.1.1d-150200.11.65.1 updated - libsmartcols1-2.36.2-150300.4.35.1 updated - libsolv-tools-0.7.24-150200.18.1 updated - libuuid1-2.36.2-150300.4.35.1 updated - libz1-1.2.11-150000.3.45.1 updated - libzypp-17.31.11-150200.61.1 updated - openssl-1_1-1.1.1d-150200.11.65.1 updated - system-user-prometheus-1.0.0-150000.8.4 updated - util-linux-2.36.2-150300.4.35.1 updated - zypper-1.14.60-150200.51.1 updated - container:sles15-image-15.0.0-17.20.146 updated . SUSE Container Patch Notification for ses/7.1/ceph/prometheus-operator features essential enhancements and security fixes.. Prometheus Alertmanager Security Update, Ceph Container Update, SUSE Important Update, Security Patches, Container Advisory. . Severity: Important. LinuxSecurity.com Team
Jun 13, 2023
•Important
SuSE
89
security advisorymoderatesoftware updateFedora 37: FEDORA-2023-15ad2ff582 High: Notifier Updated
Rebuild for CVE-2022-27191 ---- Fix FTBFS Close: rhbz#2045471. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-08ae2dd481 2022-05-07 04:08:14.315797 --------------------------------------------------------------------------------Name : golang-github-prometheus-alertmanager Product : Fedora 36 Version : 0.23.0 Release : 8.fc36 URL : https://github.com/prometheus/alertmanager Summary : Prometheus Alertmanager Description : The Alertmanager handles alerts sent by client applications such as the Prometheus server. It takes care of deduplicating, grouping, and routing them to the correct receiver integrations such as email, PagerDuty, or OpsGenie. It also takes care of silencing and inhibition of alerts. --------------------------------------------------------------------------------Update Information: Rebuild for CVE-2022-27191 ---- Fix FTBFS Close: rhbz#2045471 --------------------------------------------------------------------------------ChangeLog: * Sat Apr 16 2022 Fabio Alessandro Locati 0.23.0-8 - Rebuilt for CVE-2022-27191 --------------------------------------------------------------------------------References: [ 1 ] Bug #2045471 - golang-github-appc-goaci: FTBFS in Fedora rawhide/f36 https://bugzilla.redhat.com/show_bug.cgi?id=2045471 [ 2 ] Bug #2074262 - CVE-2022-27191 golang-x-crypto: golang: crash in a golang.org/x/crypto/ssh server [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2074262 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-08ae2dd481' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the FedoraProject can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
May 07, 2022
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!