Security update for golang-github-prometheus-alertmanager
Details
This update for golang-github-prometheus-alertmanager fixes the following issues:
golang-github-prometheus-alertmanager was updated from version 0.23.0 to 0.26.0 (jsc#PED-7353):
Version 0.26.0:
Security fixes:
CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
Other changes and bugs fixed:
Configuration: Fix a crash of the alertmanager when the list of receivers or inhibit_rules is empty
Templating: Fixed a race condition when using the title function. It is now race-safe
API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
Clustering: Fixes a panic when tls_client_config is empty
Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
Metrics: New label reason for the alertmanager_notifications_failed_total metric to indicate the type of error of the alert delivery
Clustering: New flag --cluster.label, to help block any traffic that is not meant for the cluster
Integrations: Add Microsoft Teams as a supported integration
Version 0.25.0:
Fail configuration loading if api_key and api_key_file are defined at the same time
Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retains the old behavior
Trim contents of Slack API URLs when reading from files
amtool: Avoid panic when the label value matcher is empty
Fail configuration loading if api_url is empty for OpsGenie
Fix email template for resolved notifications
Add proxy_url support for OAuth2 in HTTP client configuration
Reload TLS certificate and key from disk when updated
Add Discord integration
Add Webex integration
Add min_version support to select the minimum TLS version in HTTP client configuration
Add max_version support to select the maximum TLS version in HTTP client configuration
Emit warning logs when truncating messages in notifications
Support HEAD method for the /-/healthy and /-/ready endpoints
Add support for reading global and local SMTP passwords from files
UI: Add 'Link' button to alerts in list
UI: Allow choosing Sunday or Monday as the first day of the week
Version 0.24.0:
Fix HTTP client configuration for the SNS receiver
Fix unclosed file descriptor after reading the silences snapshot file
Fix field names for mute_time_intervals in JSON marshaling
Ensure that the root route doesn't have any matchers
Truncate the message's title to 1024 chars to avoid hitting Slack limits
Fix the default HTML email template (email.default.html) to match with the canonical source
Detect SNS FIFO topic based on the rendered value
Avoid deleting and recreating a silence when an update is possible
api/v2: Return 200 OK when deleting an expired silence
amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the update operation
Add the /api/v2 prefix to all endpoints in the OpenAPI specification and generated client code
Add --cluster.tls-config experimental flag to secure cluster traffic via mutual TLS