SUSE-SU-2025:01989-1
Description
Security update for Multi-Linux Manager Client Tools

This update fixes the following issues:

golang-github-prometheus-prometheus was updated to version 2.53.4:

- Security issues fixed:
  * CVE-2023-45288: Require Go >= 1.23 for building (bsc#1236516)
  * CVE-2025-22870: Bumped golang.org/x/net to version 0.39.0 (bsc#1238686)
- Other bug fixes from version 2.53.4:
  * Runtime: fixed GOGC being set to 0 when installed with empty prometheus.yml file, resulting in high CPU usage
  * Scrape: fixed dropping valid metrics after previous scrape failed

prometheus-blackbox_exporter was updated from version 0.24.0 to 0.26.0 (jsc#PED-12872):

- Security issues fixed:
  * CVE-2025-22870: Fixed proxy bypassing using IPv6 zone IDs (bsc#1238680)
  * CVE-2023-45288: Fixed closing connections when receiving too many headers (bsc#1236515)
- Other changes from version 0.26.0:
  * Changes:
    + Replace go-kit/log with log/slog module.
  * Features:
    + Add metric to record tls ciphersuite negotiated during handshake.
    + Add a way to export labels with content matched by the probe. Reports Certificate Serial number.
  * Enhancement:
    + Add stale workflow to start sync with stale.yaml in Prometheus.
  * Bug fixes:
    + Only register grpc TLS metrics on successful handshake.
- Other changes from version 0.25.0:
  * Features:
    + Allow to get Probe logs by target.
    + Log errors from probe.
  * Bug fixes:
    + Prevent logging confusing error message.
    + Explicit registration of internal exporter metrics.

grafana was updated from version 10.4.15 to 11.5.5 (jsc#PED-12918):

- Security issues fixed:
  * CVE-2025-4123: Fix cross-site scripting vulnerability (bsc#1243714).
  * CVE-2025-22872: Bump golang.org/x/net/html (bsc#1241809)
  * CVE-2025-3580: Prevent unauthorized server admin deletion (bsc#1243672).
  * CVE-2025-29923: Bump github.com/redis/go-redis/v9 to 9.6.3.
  * CVE-2025-3454: Sanitize paths before evaluating access to route (bsc#1241683).
  * CVE-2025-2703: Fix built-in XY Chart plugin (bsc#1241687).
  * CVE-2025-22870: Bump golang.org/x/net (bsc#1238703).
  * CVE-2024-9476: Fix Migration Assistant issue (bsc#1233343)
  * CVE-2024-9264: SQL Expressions (bsc#1231844)
  * CVE-2023-45288: Bump golang.org/x/net (bsc#1236510)
  * CVE-2025-22870: Bump golang.org/x/net to version 0.37.0 (bsc#1238686)
- Potential breaking changes in version 11.5.0:
  * Loki: Default to /labels API with query param instead of /series API.
- Potential breaking changes in version 11.0.1:
  * If you had selected your language as 'Português Brasileiro' previously, this will be reset. You have to select it again in your Preferences for the fix to be applied and the translations will then be shown.
- Potential breaking changes in version 11.0.0:
  * AngularJS support is turned off by default.
  * Legacy alerting is entirely removed.
  * Subfolders cause very rare issues with folders which have slashes in their names.
  * The input data source is removed.
  * Data sources: Responses which are associated with hidden queries will be removed (filtered) by Grafana.
  * The URL which is generated when viewing an individual repeated panel has changed.
  * React Router is deprecated.
  * The grafana/e2e testing tool is deprecated.
- This update brings many new features, enhancements and fixes highlighted at:
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-5/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-4/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-3/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-2/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-1/
  * https://grafana.com/docs/grafana/next/whatsnew/whats-new-in-v11-0/
Affected Systems
- opensuse•prometheus-blackbox_exporter&distro=openSUSE Leap 15.6
< 0.26.0-150000.1.27.1
- suse•golang-github-prometheus-prometheus&distro=SUSE Manager Client Tools 15
< 2.53.4-150000.3.62.2
- suse•grafana&distro=SUSE Manager Client Tools 15
< 11.5.5-150000.1.79.1
- suse•prometheus-blackbox_exporter&distro=SUSE Manager Client Tools 15
< 0.26.0-150000.1.27.1
- suse•prometheus-blackbox_exporter&distro=SUSE Manager Client Tools for SLE Micro 5
< 0.26.0-150000.1.27.1
- suse•prometheus-blackbox_exporter&distro=SUSE Manager Proxy Module 4.3
< 0.26.0-150000.1.27.1
References (23)
- https://www.suse.com/support/update/announcement/2025/suse-su-202501989-1/
- https://bugzilla.suse.com/1208752
- https://bugzilla.suse.com/1231844
- https://bugzilla.suse.com/1233343
- https://bugzilla.suse.com/1236510
- https://bugzilla.suse.com/1236515
- https://bugzilla.suse.com/1236516
- https://bugzilla.suse.com/1238680
- https://bugzilla.suse.com/1238686
- https://bugzilla.suse.com/1238703
- https://bugzilla.suse.com/1241683
- https://bugzilla.suse.com/1241687
- https://bugzilla.suse.com/1241809
- https://bugzilla.suse.com/1243672
- https://bugzilla.suse.com/1243714
- https://www.suse.com/security/cve/CVE-2023-45288
- https://www.suse.com/security/cve/CVE-2024-9264
- https://www.suse.com/security/cve/CVE-2024-9476
- https://www.suse.com/security/cve/CVE-2025-22870
- https://www.suse.com/security/cve/CVE-2025-22872
- https://www.suse.com/security/cve/CVE-2025-2703
- https://www.suse.com/security/cve/CVE-2025-29923
- https://www.suse.com/security/cve/CVE-2025-3454