Security update for golang-github-prometheus-alertmanager

Announcement ID:	SUSE-SU-2024:0512-1
Rating:	important
References:	bsc#1218838 jsc#MSQA-719 jsc#PED-7353
Cross-References:	CVE-2023-40577
CVSS scores:	CVE-2023-40577 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-40577 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:	openSUSE Leap 15.3 openSUSE Leap 15.4 openSUSE Leap 15.5 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise Desktop 15 SP1 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise Desktop 15 SP5 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Real Time 15 SP5 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Manager Client Tools for SLE 15 SUSE Manager Proxy 4.3 SUSE Manager Proxy 4.3 Module 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Package Hub 15 15-SP5

An update that solves one vulnerability and contains two features can now be installed.

Description:

This update for golang-github-prometheus-alertmanager fixes the following issues:

golang-github-prometheus-alertmanager was updated from version 0.23.0 to 0.26.0 (jsc#PED-7353):

• Version 0.26.0:
• Security fixes:
  • CVE-2023-40577: Fix stored XSS via the /api/v1/alerts endpoint in the Alertmanager UI (bsc#1218838)
• Other changes and bugs fixed:
  • Configuration: Fix empty list of receivers and inhibit_rules would cause the alertmanager to crash
  • Templating: Fixed a race condition when using the title function. It is now race-safe
  • API: Fixed duplicate receiver names in the api/v2/receivers API endpoint
  • API: Attempting to delete a silence now returns the correct status code, 404 instead of 500
  • Clustering: Fixes a panic when tls_client_config is empty
  • Webhook: url is now marked as a secret. It will no longer show up in the logs as clear-text
  • Metrics: New label reason for alertmanager_notifications_failed_total metric to indicate the type of error of the alert delivery
  • Clustering: New flag --cluster.label, to help to block any traffic that is not meant for the cluster
  • Integrations: Add Microsoft Teams as a supported integration
• Version 0.25.0:
• Fail configuration loading if api_key and api_key_file are defined at the same time
• Fix the alertmanager_alerts metric to avoid counting resolved alerts as active. Also added a new alertmanager_marked_alerts metric that retain the old behavior
• Trim contents of Slack API URLs when reading from files
• amtool: Avoid panic when the label value matcher is empty
• Fail configuration loading if api_url is empty for OpsGenie
• Fix email template for resolved notifications
• Add proxy_url support for OAuth2 in HTTP client configuration
• Reload TLS certificate and key from disk when updated
• Add Discord integration
• Add Webex integration
• Add min_version support to select the minimum TLS version in HTTP client configuration
• Add max_version support to select the maximum TLS version in HTTP client configuration
• Emit warning logs when truncating messages in notifications
• Support HEAD method for the /-/healty and /-/ready endpoints
• Add support for reading global and local SMTP passwords from files
• UI: Add 'Link' button to alerts in list
• UI: Allow to choose the first day of the week as Sunday or Monday
• Version 0.24.0:
• Fix HTTP client configuration for the SNS receiver
• Fix unclosed file descriptor after reading the silences snapshot file
• Fix field names for mute_time_intervals in JSON marshaling
• Ensure that the root route doesn't have any matchers
• Truncate the message's title to 1024 chars to avoid hitting Slack limits
• Fix the default HTML email template (email.default.html) to match with the canonical source
• Detect SNS FIFO topic based on the rendered value
• Avoid deleting and recreating a silence when an update is possible
• api/v2: Return 200 OK when deleting an expired silence
• amtool: Fix the silence's end date when adding a silence. The end date is (start date + duration) while it used to be (current time + duration). The new behavior is consistent with the update operation
• Add the /api/v2 prefix to all endpoints in the OpenAPI specification and generated client code
• Add --cluster.tls-config experimental flag to secure cluster traffic via mutual TLS
• Add Telegram integration

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Proxy 4.3 Module 4.3
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.3-2024-512=1
• openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-512=1
• SUSE Manager Client Tools for SLE 15
  zypper in -t patch SUSE-SLE-Manager-Tools-15-2024-512=1
• SUSE Package Hub 15 15-SP5
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-512=1

Package List:

• SUSE Manager Proxy 4.3 Module 4.3 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1
• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1
• SUSE Manager Client Tools for SLE 15 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1
• SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x x86_64)
  • golang-github-prometheus-alertmanager-0.26.0-150100.4.19.1

References:

• https://www.suse.com/security/cve/CVE-2023-40577.html
• https://bugzilla.suse.com/show_bug.cgi?id=1218838
• https://jira.suse.com/browse/MSQA-719
• https://jira.suse.com/browse/PED-7353