openSUSE-SU-2026:20752-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20752-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/openSUSE-SU-2026:20752-1
- Upstream
- Related
- Published
- 2026-05-14T15:05:06Z
- Modified
- 2026-05-19T18:23:46.736033799Z
- Summary
- Security update for alloy
- Details
-
This update for alloy fixes the following issues
Security issues:
- CVE-2026-4427: github.com/jackc/pgproto3/v2: improper validation of field length allows a malicious PostgreSQL server to crash a client application via a DataRow message (bsc#1259919).
- CVE-2026-25934: github.com/go-git/go-git/v5: improper verification of data integrity values for .pack and .idx files can lead to the consumption of corrupted files (bsc#1258099).
- CVE-2026-26958: filippo.io/edwards25519: failure to initialize receiver in MultiScalarMult can produce invalid results and lead to undefined behavior (bsc#1258609).
- CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header (bsc#1260317).
Non security issue:
- Updated to 1.16.0
- Use systemd tmpfiles.d to create /var/lib/alloy hierarchy (jsc#PED-14815)
- References
-
- https://bugzilla.suse.com/1258099
- https://bugzilla.suse.com/1258609
- https://bugzilla.suse.com/1259919
- https://bugzilla.suse.com/1260317
- https://www.suse.com/security/cve/CVE-2026-25934
- https://www.suse.com/security/cve/CVE-2026-26958
- https://www.suse.com/security/cve/CVE-2026-33186
- https://www.suse.com/security/cve/CVE-2026-4427