SUSE-SU-2025:4457-1
Vulnerability Summary
Description
Security update 5.0.6 for Multi-Linux Manager Client Tools

This update fixes the following issues:

golang-github-prometheus-alertmanager:

- Update to version 0.28.1 (jsc#PED-13285):
  * Improved performance of inhibition rules when using Equal labels.
  * Improve the documentation on escaping in UTF-8 matchers.
  * Update alertmanager_config_hash metric help to document the hash is not cryptographically strong.
  * Fix panic in amtool when using --verbose.
  * Fix templating of channel field for Rocket.Chat.
  * Fix rocketchat_configs written as rocket_configs in docs.
  * Fix usage for --enable-feature flag.
  * Trim whitespace from OpsGenie API Key.
  * Fix Jira project template not rendered when searching for existing issues.
  * Fix subtle bug in JSON/YAML encoding of inhibition rules that would cause Equal labels to be omitted.
  * Fix header for slack_configs in docs.
  * Fix weight and wrap of Microsoft Teams notifications.
- Upgrade to version 0.28.0:
  * CVE-2025-47908: Bump github.com/rs/cors (bsc#1247748).
  * Templating errors in the SNS integration now return an error.
  * Adopt log/slog, drop go-kit/log.
  * Add a new Microsoft Teams integration based on Flows.
  * Add a new Rocket.Chat integration.
  * Add a new Jira integration.
  * Add support for GOMEMLIMIT, enable it via the feature flag --enable-feature=auto-gomemlimit.
  * Add support for GOMAXPROCS, enable it via the feature flag --enable-feature=auto-gomaxprocs.
  * Add support for limits of silences including the maximum number of active and pending silences, and the maximum size per silence (in bytes). You can use the flags --silences.max-silences and --silences.max-silence-size-bytes to set them accordingly.
  * Muted alerts now show whether they are suppressed or not in both the /api/v2/alerts endpoint and the Alertmanager UI.
- Upgrade to version 0.27.0:
  * API: Removal of all api/v1/ endpoints. These endpoints now log and return a deprecation message and respond with a status code of 410.
  * UTF-8 Support: Introduction of support for any UTF-8 character as part of label names and matchers.
  * Discord Integration: Enforce max length in message.
  * Metrics: Introduced the experimental feature flag --enable-feature=receiver-name-in-metrics to include the receiver name.
  * Metrics: Introduced a new gauge named alertmanager_inhibition_rules that counts the number of configured inhibition rules.
  * Metrics: Introduced a new counter named alertmanager_alerts_supressed_total that tracks muted alerts, it contains a reason label to indicate the source of the mute.
  * Discord Integration: Introduced support for webhook_url_file.
  * Microsoft Teams Integration: Introduced support for webhook_url_file.
  * Microsoft Teams Integration: Add support for summary.
  * Metrics: Notification metrics now support two new values for the label reason, contextCanceled and contextDeadlineExceeded.
  * Email Integration: Contents of auth_password_file are now trimmed of prefixed and suffixed whitespace.
  * amtool: Fixes the error scheme required for webhook url when using amtool with --alertmanager.url.
  * Mixin: Fix AlertmanagerFailedToSendAlerts, AlertmanagerClusterFailedToSendAlerts, and AlertmanagerClusterFailedToSendAlerts to make sure they ignore the reason label.

grafana was updated from version 11.5.5 to 11.5.10:

- Security issues fixed:
  * CVE-2025-47911: Fix parsing HTML documents (bsc#1251454)
  * CVE-2025-58190: Fix excessive memory consumption (bsc#1251657)
  * CVE-2025-64751: Drop experimental implementation of authorization Zanzana server/client (bsc#1254113)
  * CVE-2025-11065: Fixed sensitive information leak in logs (version 11.5.9) (bsc#1250616)
  * CVE-2025-6023: Fixed cross-site-scripting via scripted dashboards (version 11.5.7) (bsc#1246735)
  * CVE-2025-6197: Fixed open redirect in organization switching (version 11.5.7) (bsc#1246736)
  * CVE-2025-3415: Fixed exposure of DingDing alerting integration URL to Viewer level users (version 11.5.6) (bsc#1245302)
- Other changes, new features and bugs fixed:
  * Version 11.5.10:
    + Update to Go 1.25
    + Update to golang.org/x/net v0.45.0
    + Auth: Fix render user OAuth passthrough
    + LDAP Authentication: Fix URL to propagate username context as parameter
  * Version 11.5.9:
    + Auditing: Document new options for recording datasource query request/response body.
    + Login: Fixed redirection after login when Grafana is served from subpath.
  * Version 11.5.7:
    + Azure: Fixed legend formatting and resource name determination in template variable queries.

mgr-push:

- Version 5.0.3-0
  * Fixed syntax error in changelog

rhnlib:

- Version 5.0.6-0
  * Use more secure defusedxml parser (bsc#1227577)

spacecmd:

- Version 5.0.14-0:
  * Fixed installation of python lib files on Ubuntu 24.04 (bsc#1246586)
  * Use JSON instead of pickle for spacecmd cache (bsc#1227579)
  * Make spacecmd work with Python 3.12 and higher
  * Call print statements properly in Python 3

supportutils-plugin-susemanager-client:

- Version 5.0.5-0
  * Fix syntax error in changelog

uyuni-tools:

- Version 0.1.37-0
  * Handle CA files with symlinks during migration (bsc#1251044)
  * Add a lowercase version of --logLevel (bsc#1243611)
  * Adjust traefik exposed configuration for chart v27+ (bsc#1247721)
  * Stop executing scripts in temporary folder (bsc#1243704)
  * Convert the traefik install time to local time (bsc#1251138)
  * Run smdba and reindex only during migration (bsc#1244534)
  * Support config: collect podman inspect for hub container (bsc#1245099)
  * Add --registry-host, --registry-user and --registry-password to pull images from an authenticated registry
  * Deprecate --registry
  * Use new dedicated path for Cobbler settings (bsc#1244027)
  * Migrate custom auto installation snippets (bsc#1246320)
  * Add SLE15SP7 to buildin productmap
  * Fix loading product map from mgradm configuration file (bsc#1246068)
  * Fix channel override for distro copy
  * Do not use sudo when running as a root user (bsc#1246882)
  * Do not require backups to be at the same location for restoring (bsc#1246906)
  * Check for restorecon presence before calling (bsc#1246925)
  * Automatically get up-to-date systemid file on salt based proxy hosts (bsc#1246789)
  * Fix recomputing proxy images when installing a ptf or test (bsc#1246553)
  * Add migration for server monitoring configuration (bsc#1247688)
- Version 0.1.36-0
  * Bump the default image tag
- Version 0.1.35-0
  * Restore SELinux contexts for restored backup volumes (bsc#1244127)
- Version 0.1.34-0
  * Fix mgradm backup create handling of images and systemd files (bsc#1246738)
- Version 0.1.33-0
  * Restore volumes using tar instead of podman import (bsc#1244127)
Affected Systems
- suse•golang-github-prometheus-alertmanager&distro=SUSE Manager Client Tools 12
< 0.28.1-1.34.1
- suse•grafana&distro=SUSE Manager Client Tools 12
< 11.5.10-1.87.1
- suse•mgr-push&distro=SUSE Manager Client Tools 12
< 5.0.3-1.30.3
- suse•rhnlib&distro=SUSE Manager Client Tools 12
< 5.0.6-21.55.1
- suse•spacecmd&distro=SUSE Manager Client Tools 12
< 5.0.14-38.162.1
- suse•supportutils-plugin-susemanager-client&distro=SUSE Manager Client Tools 12
< 5.0.5-6.36.1
- suse•uyuni-tools&distro=SUSE Manager Client Tools 12
< 0.1.37-1.27.1
References (33)
- https://www.suse.com/support/update/announcement/2025/suse-su-20254457-1/
- https://bugzilla.suse.com/1227577
- https://bugzilla.suse.com/1227579
- https://bugzilla.suse.com/1243611
- https://bugzilla.suse.com/1243704
- https://bugzilla.suse.com/1244027
- https://bugzilla.suse.com/1244127
- https://bugzilla.suse.com/1244534
- https://bugzilla.suse.com/1245099
- https://bugzilla.suse.com/1245302
- https://bugzilla.suse.com/1246068
- https://bugzilla.suse.com/1246320
- https://bugzilla.suse.com/1246553
- https://bugzilla.suse.com/1246586
- https://bugzilla.suse.com/1246662
- https://bugzilla.suse.com/1246735
- https://bugzilla.suse.com/1246736
- https://bugzilla.suse.com/1246738
- https://bugzilla.suse.com/1246789
- https://bugzilla.suse.com/1246882
- https://bugzilla.suse.com/1246906
- https://bugzilla.suse.com/1246925
- https://bugzilla.suse.com/1247688
- https://bugzilla.suse.com/1247721
- https://bugzilla.suse.com/1247748
- https://bugzilla.suse.com/1250616
- https://bugzilla.suse.com/1251044
- https://bugzilla.suse.com/1251138
- https://www.suse.com/security/cve/CVE-2025-11065
- https://www.suse.com/security/cve/CVE-2025-3415
- https://www.suse.com/security/cve/CVE-2025-47908
- https://www.suse.com/security/cve/CVE-2025-6023
- https://www.suse.com/security/cve/CVE-2025-6197