SUSE-SU-2025:01987-1
Description
Security update for Multi-Linux Manager Client Tools

This update fixes the following issues:

golang-github-prometheus-prometheus was updated to version 2.53.4:

- Security issues fixed:
  * CVE-2023-45288: Require Go >= 1.23 for building (bsc#1236516)
  * CVE-2025-22870: Bumped golang.org/x/net to version 0.39.0 (bsc#1238686)
- Other bug fixes from version 2.53.4:
  * Runtime: fixed GOGC being set to 0 when installed with an empty prometheus.yml file, resulting in high CPU usage
  * Scrape: fixed dropping valid metrics after a previous scrape failed

prometheus-blackbox_exporter was updated from version 0.24.0 to 0.26.0 (jsc#PED-12872):

- Security issues fixed:
  * CVE-2025-22870: Fixed proxy bypassing using IPv6 zone IDs (bsc#1238680)
  * CVE-2023-45288: Fixed closing connections when receiving too many headers (bsc#1236515)
- Other changes from version 0.26.0:
  * Changes:
    + Replace go-kit/log with the log/slog module.
  * Features:
    + Add a metric to record the TLS ciphersuite negotiated during the handshake.
    + Add a way to export labels with content matched by the probe.
    + Report the certificate serial number.
  * Enhancement:
    + Add stale workflow to start sync with stale.yaml in Prometheus.
  * Bug fixes:
    + Only register gRPC TLS metrics on a successful handshake.
- Other changes from version 0.25.0:
  * Features:
    + Allow getting probe logs by target.
    + Log errors from probe.
  * Bug fixes:
    + Prevent logging a confusing error message.
    + Explicit registration of internal exporter metrics.

grafana was updated from version 10.4.15 to 11.5.5 (jsc#PED-12918):

- Security issues fixed:
  * CVE-2025-4123: Fix cross-site scripting vulnerability (bsc#1243714)
  * CVE-2025-22872: Bump golang.org/x/net/html (bsc#1241809)
  * CVE-2025-3580: Prevent unauthorized server admin deletion (bsc#1243672)
  * CVE-2025-29923: Bump github.com/redis/go-redis/v9 to 9.6.3
  * CVE-2025-3454: Sanitize paths before evaluating access to route (bsc#1241683)
  * CVE-2025-2703: Fix built-in XY Chart plugin (bsc#1241687)
  * CVE-2025-22870: Bump golang.org/x/net (bsc#1238703)
  * CVE-2024-9476: Fix Migration Assistant issue (bsc#1233343)
  * CVE-2024-9264: SQL Expressions (bsc#1231844)
  * CVE-2023-45288: Bump golang.org/x/net (bsc#1236510)
  * CVE-2025-22870: Bump golang.org/x/net to version 0.37.0 (bsc#1238686)
- Potential breaking changes in version 11.5.0:
  * Loki: Default to the /labels API with a query param instead of the /series API.
- Potential breaking changes in version 11.0.1:
  * If you had previously selected 'Português Brasileiro' as your language, this selection will be reset. You have to select it again in your Preferences for the fix to be applied; the translations will then be shown.
- Potential breaking changes in version 11.0.0:
  * AngularJS support is turned off by default.
  * Legacy alerting is entirely removed.
  * Subfolders cause very rare issues with folders which have slashes in their names.
  * The input data source is removed.
  * Data sources: Responses which are associated with hidden queries will be removed (filtered) by Grafana.
  * The URL which is generated when viewing an individual repeated panel has changed.
  * React Router is deprecated.
  * The grafana/e2e testing tool is deprecated.
- This update brings many new features, enhancements and fixes highlighted at:
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-5/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-4/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-3/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-2/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-1/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-0/

golang-github-prometheus-node_exporter was updated to version 1.9.1:

- Security issues fixed:
  * CVE-2025-22870: Bumped golang.org/x/net to version 0.37.0 (bsc#1238686)
- Other changes from version 1.9.1:
  * pressure: Fix missing IRQ on older kernels
  * Fix Darwin memory leak

golang-github-prometheus-alertmanager:

- Security issues fixed:
  * CVE-2025-22870: Fix proxy bypassing using IPv6 zone IDs (bsc#1238686)
  * CVE-2023-45288: Fix HTTP/2 CONTINUATION flood in net/http (bsc#1236516)
Affected Systems
- golang-github-prometheus-alertmanager (SUSE Manager Client Tools 12): < 0.26.0-1.31.2
- golang-github-prometheus-node_exporter (SUSE Linux Enterprise Server 12 SP5-LTSS): < 1.9.1-1.36.2
- golang-github-prometheus-node_exporter (SUSE Linux Enterprise Server LTSS Extended Security 12 SP5): < 1.9.1-1.36.2
- golang-github-prometheus-node_exporter (SUSE Manager Client Tools 12): < 1.9.1-1.36.2
- golang-github-prometheus-prometheus (SUSE Manager Client Tools 12): < 2.53.4-1.60.2
- grafana (SUSE Manager Client Tools 12): < 11.5.5-1.79.2
- prometheus-blackbox_exporter (SUSE Manager Client Tools 12): < 0.26.0-1.27.1
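The "<" constraints above are RPM version-release comparisons, not string comparisons: a release of 1.9.2 is older than 1.36.2 even though it sorts after it lexicographically, so a naive fleet query will miss affected hosts. The following is an added example, not part of the SUSE advisory or SUSE tooling, that re-implements rpm's version comparison algorithm in Python and flags installed packages below the fixed version-release values listed above. The `rpm -qa` sample output is constructed for the example (its release numbers are invented); it assumes no epoch is involved (none of the fixed versions here carries one) and does not handle rpm's `^` ordering operator.

```python
"""Flag installed RPMs older than the fixes in SUSE-SU-2025:01987-1.

Added example, not SUSE tooling. rpmvercmp() follows rpm's algorithm
(digit/letter segments, '~' sorts lowest); '^' is not handled and epochs
are ignored because none of this advisory's fixed versions has one.
"""
import sys

# Fixed version-release per package, taken from the Affected Systems list.
FIXED = {
    "golang-github-prometheus-alertmanager": "0.26.0-1.31.2",
    "golang-github-prometheus-node_exporter": "1.9.1-1.36.2",
    "golang-github-prometheus-prometheus": "2.53.4-1.60.2",
    "grafana": "11.5.5-1.79.2",
    "prometheus-blackbox_exporter": "0.26.0-1.27.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# output; the release numbers are invented for illustration.
SAMPLE_RPM_QA = """\
grafana 10.4.15-1.60.1
golang-github-prometheus-prometheus 2.53.4-1.60.2
golang-github-prometheus-node_exporter 1.9.1-1.9.2
prometheus-blackbox_exporter 0.24.0-1.26.1
bash 4.4-150400.27.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two rpm version (or release) strings."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before anything, including end of string (1.0~rc1 < 1.0).
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_b:
                return -1
            if not tilde_a:
                return 1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Next segment: a run of digits or of letters, type decided by a.
        start_a, start_b = i, j
        numeric = a[i].isdigit()
        same_type = str.isdigit if numeric else str.isalpha
        while i < len(a) and same_type(a[i]):
            i += 1
        while j < len(b) and same_type(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            # Segment types differ: a numeric segment is newer than letters.
            return 1 if numeric else -1
        if numeric:
            # Numeric segments compare by magnitude: drop zeros, then length.
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has characters left is the newer one.
    return -1 if i >= len(a) else 1


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    def split(vr):
        version, sep, release = vr.rpartition("-")
        return (version, release) if sep else (vr, "")
    va, ra = split(a)
    vb, rb = split(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def find_vulnerable(rpm_qa_output: str, fixed=FIXED):
    """Return (name, installed, fixed) for listed packages below the fix."""
    hits = []
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, installed = parts
        fixed_vr = fixed.get(name)
        if fixed_vr is not None and vr_cmp(installed, fixed_vr) < 0:
            hits.append((name, installed, fixed_vr))
    return hits


if __name__ == "__main__":
    data = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_RPM_QA
    for name, installed, fixed_vr in find_vulnerable(data):
        print(f"VULNERABLE {name} {installed} < {fixed_vr}")
```

On a real host, pipe `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` into the script with `--stdin`; the table matches on package name only, so apply it to hosts running the products listed above. The authoritative check on the host itself remains `zypper lp` followed by `zypper patch`.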
References (23)
- https://www.suse.com/support/update/announcement/2025/suse-su-202501987-1/
- https://bugzilla.suse.com/1208752
- https://bugzilla.suse.com/1231844
- https://bugzilla.suse.com/1233343
- https://bugzilla.suse.com/1236510
- https://bugzilla.suse.com/1236515
- https://bugzilla.suse.com/1236516
- https://bugzilla.suse.com/1238680
- https://bugzilla.suse.com/1238686
- https://bugzilla.suse.com/1238703
- https://bugzilla.suse.com/1241683
- https://bugzilla.suse.com/1241687
- https://bugzilla.suse.com/1241809
- https://bugzilla.suse.com/1243672
- https://bugzilla.suse.com/1243714
- https://www.suse.com/security/cve/CVE-2023-45288
- https://www.suse.com/security/cve/CVE-2024-9264
- https://www.suse.com/security/cve/CVE-2024-9476
- https://www.suse.com/security/cve/CVE-2025-22870
- https://www.suse.com/security/cve/CVE-2025-22872
- https://www.suse.com/security/cve/CVE-2025-2703
- https://www.suse.com/security/cve/CVE-2025-29923
- https://www.suse.com/security/cve/CVE-2025-3454