openSUSE-SU-2026:20140-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20140-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2026:20140-1
Upstream
Related
Published
2026-01-30T14:38:31Z
Modified
2026-03-23T04:54:45.845544Z
Summary
Security update for alloy
Details

This update for alloy fixes the following issues:

Update to 1.12.2:

Security fixes:

  • CVE-2025-68156: github.com/expr-lang/expr/builtin: Fixed potential DoS via unbounded recursion (bsc#1255333):
  • CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: github.com/opencontainers/runc: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1255074)

Other fixes:

- Add missing configuration parameter
  deployment_name_from_replicaset to k8sattributes processor
  (5b90a9d) (@dehaansa)
- database_observability: Fix schema_details collector to fetch
  column definitions with case sensitive table names (#4872)
  (560dff4) (@jharvey10, @fridgepoet)
- deps: Update jose2go to 1.7.0 (#4858) (dfdd341) (@jharvey10)
- deps: Update npm dependencies [backport] (#5201) (8e06c26)
  (@jharvey10)
- Ensure the squid exporter wrapper properly brackets ipv6
  addresses [backport] (#5205) (e329cc6) (@dehaansa)
- Preserve meta labels in loki.source.podlogs (#5097) (ab4b21e)
  (@kalleep)
- Prevent panic in import.git when update fails [backport]
  (#5204) (c82fbae) (@dehaansa, @jharvey10)
- show correct fallback alloy version instead of v1.13.0
  (#5110) (b72be99) (@dehaansa, @jharvey10)
References

Affected packages

openSUSE:Leap 16.0 / alloy

Package

Name
alloy
Purl
pkg:rpm/opensuse/alloy&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.2-160000.1.1

Ecosystem specific 

{
    "binaries": [
        {
            "alloy": "1.12.2-160000.1.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20140-1.json"