SUSE-SU-2024:0512-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:0512-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:0512-1
Related
Published
2024-02-15T13:43:08Z
Modified
2024-02-15T13:43:08Z
Summary
Security update for golang-github-prometheus-alertmanager
Details

This update for golang-github-prometheus-alertmanager fixes the following issues:

golang-github-prometheus-alertmanager was updated from version 0.23.0 to 0.26.0 (jsc#PED-7353):

  • Version 0.26.0:
    • Security fixes:
      • CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
    • Other changes and bugs fixed:
      • Configuration: Fix empty list of receivers and inhibitrules would cause the alertmanager to crash
      • Templating: Fixed a race condition when using the title function. It is now race-safe
      • API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
      • API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
      • Clustering: Fixes a panic when tlsclientconfig is empty
      • Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
      • Metrics: New label reason for alertmanagernotificationsfailedtotal metric to indicate the type of error of the alert delivery
      • Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster
      • Integrations: Add Microsoft Teams as a supported integration
  • Version 0.25.0:
    • Fail configuration loading if apikey and apikeyfile are defined at the same time
    • Fix the alertmanageralerts metric to avoid counting resolved alerts as active. Also added a new alertmanagermarkedalerts metric that retain the old behavior
    • Trim contents of Slack API URLs when reading from files
    • amtool: Avoid panic when the label value matcher is empty
    • Fail configuration loading if apiurl is empty for OpsGenie
    • Fix email template for resolved notifications
    • Add proxyurl support for OAuth2 in HTTP client configuration
    • Reload TLS certificate and key from disk when updated
    • Add Discord integration
    • Add Webex integration
    • Add minversion support to select the minimum TLS version in HTTP client configuration
    • Add maxversion support to select the maximum TLS version in HTTP client configuration
    • Emit warning logs when truncating messages in notifications
    • Support HEAD method for the /-/healty and /-/ready endpoints
    • Add support for reading global and local SMTP passwords from files
    • UI: Add 'Link' button to alerts in list
    • UI: Allow to choose the first day of the week as Sunday or Monday
  • Version 0.24.0:
    • Fix HTTP client configuration for the SNS receiver
    • Fix unclosed file descriptor after reading the silences snapshot file
    • Fix field names for mutetimeintervals in JSON marshaling
    • Ensure that the root route doesn't have any matchers
    • Truncate the message's title to 1024 chars to avoid hitting Slack limits
    • Fix the default HTML email template (email.default.html) to match with the canonical source
    • Detect SNS FIFO topic based on the rendered value
    • Avoid deleting and recreating a silence when an update is possible
    • api/v2: Return 200 OK when deleting an expired silence
    • amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the update operation
    • Add the /api/v2 prefix to all endpoints in the OpenAPI specification and generated client code
    • Add --cluster.tls-config experimental flag to secure cluster traffic via mutual TLS
    • Add Telegram integration
References

Affected packages

SUSE:Manager Tools 15 / golang-github-prometheus-alertmanager

Package

Name
golang-github-prometheus-alertmanager
Purl
purl:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Tools%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.26.0-150100.4.19.1

Ecosystem specific

{
    "binaries": [
        {
            "golang-github-prometheus-alertmanager": "0.26.0-150100.4.19.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Package Hub 15 SP5 / golang-github-prometheus-alertmanager

Package

Name
golang-github-prometheus-alertmanager
Purl
purl:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.26.0-150100.4.19.1

Ecosystem specific

{
    "binaries": [
        {
            "golang-github-prometheus-alertmanager": "0.26.0-150100.4.19.1"
        }
    ]
}

SUSE:Manager Proxy Module 4.3 / golang-github-prometheus-alertmanager

Package

Name
golang-github-prometheus-alertmanager
Purl
purl:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Proxy%20Module%204.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.26.0-150100.4.19.1

Ecosystem specific

{
    "binaries": [
        {
            "golang-github-prometheus-alertmanager": "0.26.0-150100.4.19.1"
        }
    ]
}

openSUSE:Leap 15.5 / golang-github-prometheus-alertmanager

Package

Name
golang-github-prometheus-alertmanager
Purl
purl:rpm/suse/golang-github-prometheus-alertmanager&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.26.0-150100.4.19.1

Ecosystem specific

{
    "binaries": [
        {
            "golang-github-prometheus-alertmanager": "0.26.0-150100.4.19.1"
        }
    ]
}